[kwlug-disc] pfSense port forwarding over OpenVPN

bob+kwlug at softscape.ca bob+kwlug at softscape.ca
Mon Jan 27 14:18:31 EST 2020


Paul,

The first thing that came to mind is that it is something to do with the source IP of the incoming connections and how they are not in scope of the L2L VPN tunnel.

As a simple confirmation of this, can you try NATing the source IP (i.e. the IP that came from the Internet) to something that is in range on the local network or within the scope of traffic defined for the tunnel? If that works, then you can either leave the source NAT in, or you have to redefine the scope of the tunnel to include this type of traffic.

My $0.02

BB

> -----Original Message-----
> From: kwlug-disc <kwlug-disc-bounces at kwlug.org> On Behalf Of Paul Nijjar via
> kwlug-disc
> Sent: January 24, 2020 2:44 PM
> To: kwlug-disc at kwlug.org
> Cc: Paul Nijjar <paul_nijjar at yahoo.ca>
> Subject: [kwlug-disc] pfSense port forwarding over OpenVPN
> 
> This is a weird one, but a bunch of you are networking geniuses so I
> am hoping you can help me out.
> 
> I have two sites: SiteA, and SiteB. SiteB has a web server, ServerX.
> SiteA and SiteB are connected via a site-to-site OpenVPN. SiteA and
> SiteB are both running pfSense as their firewall.
> 
> I want to do the following: have somebody from the outside world
> connect to SiteA, use a NAT port forward to forward that traffic over
> the OpenVPN link to SiteB, and have that traffic establish a
> connection with ServerX. (Yes, this is ridiculous and upsetting, but
> so is my existence. Bear with me.)
> 
> Here's what works:
> 
> - Traffic goes from the outside world to SiteA
> - The pfSense rules supposedly allow this traffic to pass over the
>   OpenVPN connection (according to pfSense firewall logs)
> - If another computer is on SiteA then it can connect over the OpenVPN
>   connection to ServerX successfully
> 
> Here's what is broken:
> 
> - Despite the pfSense firewall logs saying that traffic is allowed
>   over the OpenVPN connection, a packet inspection on that connection
>   reveals no traffic is going through! Something is dropping the
>   intended packets, and I do not know the culprit.
> - As a result, I can see no traffic on the SiteB pfSense box.
> 
> My guess is that pfSense sees that the port-forwarded traffic is
> coming from a foreign IP address (not one of the local subnets) and
> rejects the traffic from being relayed over OpenVPN. But I do not know
> where/how in pfSense to confirm this, and I do not know how to fix it.
> 
> Help?
> 
> - Paul
> 
> --
> Get tech event listings: https://off-topic.kwlug.org/watcamp
> Blog: http://pnijjar.freeshell.org
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
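Bob's source-NAT suggestion written out as an added illustration in pf rule syntax (pfSense generates its ruleset on top of pf); this is not from the thread, and the interface names, addresses and port are assumptions.

```pf
# Assumed (constructed) values: SiteA WAN interface em0, SiteA OpenVPN
# server interface ovpns1 holding tunnel address 10.8.0.1, ServerX at
# 192.168.2.10 on SiteB, web service on TCP 443.
wan_if  = "em0"
vpn_if  = "ovpns1"
serverx = "192.168.2.10"

# 1. Port forward (what Paul already has): rewrite the destination of
#    Internet traffic arriving on SiteA's WAN to ServerX across the tunnel.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $serverx port 443

# 2. Source NAT on the tunnel (Bob's suggestion): before the packet enters
#    OpenVPN, rewrite the Internet source address to the tunnel interface
#    address. The packet now falls inside the address range the tunnel is
#    defined to carry, and ServerX's replies return through the same tunnel
#    instead of leaving via SiteB's own default gateway.
nat on $vpn_if inet proto tcp from any to $serverx port 443 -> ($vpn_if)

# 3. Filter rules are evaluated after translation, so they match the
#    post-rdr destination; they still have to pass the forwarded flow
#    in on WAN and out on the tunnel interface.
pass in  quick on $wan_if inet proto tcp from any to $serverx port 443 keep state
pass out quick on $vpn_if inet proto tcp from any to $serverx port 443 keep state
```

In pfSense the second rule corresponds to an Outbound NAT entry on the OpenVPN interface (hybrid or manual mode), and the full generated ruleset can be inspected in /tmp/rules.debug to confirm both the rdr and nat lines are present.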
