Topic: Port forward on VPN & Wan (Read 4313 times)
mow4cash
Port forward on VPN & Wan
« on: February 17, 2017, 04:56:03 pm »
I use OpenVPN to connect to PIA VPN provider. If I pull routes from PIA it then pushes all traffic through the VPN and disregards the firewall rules I use for selective routing on either the PIA gateway or WAN gateway. If I don't pull routes from PIA everything works correctly but then my ports won't forward on the WAN interface but work on the PIA interface. When I pull routes the opposite happens. How can I get this to work so I can port forward on both interfaces at the same time? I'm thinking I need to add in custom policy routing?
mow4cash
Re: Port forward on VPN & Wan
« Reply #1 on: February 20, 2017, 04:30:00 pm »
I found a pfSense thread of someone with the exact same issue. Hopefully this helps better explain my issue. I have posted the main points in this post but here is the link for the full thread.
https://forum.pfsense.org/index.php?topic=65094.msg552331#msg552331
pfSense post:
I have an issue with the port forwarding from VPN. Everything works correctly (have the port forwarded from the OpenVPN interface to my local station). If I use the routes added automatically with the OpenVPN connection, the port forwarding is great, but it adds a few routes including 0.0.0.0/1 that go out the VPN interface which takes over my default gateway. When I add route-nopull and just copy all the routes that it adds except for 0.0.0.0/1, the VPN works fine except the port doesn't forward anymore. If I add that route, it starts working again.
pfSense reply:
From what I can understand, the reason is that the reply-to address for some reason isn't used for the return packets for the associated firewall rule for the port forwarding NAT rule. I've managed to get it to work by:
On the NAT port forwarding rule, select "none" under "Filter rule association". Create the rule manually instead, under floating rules. The rule is basically a "copy" of the one automatically created by NAT:
Pass, Quick, in, IPv4, <protocol>, source: any, Destination: port forwarding destination host, Destination port range: forwarded port
Make sure it's high up/on top in the floating rules, and make sure it's a quick rule. When I look in rules.debug, the effect of this is simply that the rule (it's the firewall rule that contains the reply-to address) ends up much higher in the resulting ruleset, and that seems to make all the difference. I haven't quite figured out why yet.
Me:
I have tried this fix with no luck. I am so lost trying to get this to work. Any help would be greatly appreciated.
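Added illustration, not part of either forum thread: a simplified model of the behaviour described in the quoted pfSense post, assuming that return packets of a forwarded connection follow the routing table by longest-prefix match unless a rule carrying reply-to pins them to the inbound interface. The interface names, addresses and the 128.0.0.0/1 companion route are assumptions made for the example.

```python
import ipaddress

# Constructed routing tables; interface names and addresses are assumptions.
BASE = [("0.0.0.0/0", "wan"), ("192.168.1.0/24", "lan")]
# Routes pushed by the VPN: 0.0.0.0/1 is named in the post, 128.0.0.0/1 is
# assumed here as its usual companion (together they cover every address).
PULLED = [("0.0.0.0/1", "ovpnc1"), ("128.0.0.0/1", "ovpnc1")]


def egress(routes, dst, reply_to=None):
    """Interface a reply to dst leaves on: reply-to wins, else longest prefix."""
    if reply_to:
        return reply_to
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), ifname) for n, ifname in routes]
    matches = [(n.prefixlen, ifname) for n, ifname in nets if addr in n]
    return max(matches)[1]


def forward_ok(routes, arrived_on, client, reply_to=None):
    """The forward works only if replies leave on the interface the SYN came in."""
    return egress(routes, client, reply_to) == arrived_on


def matrix(client):
    """Outcome for each routing mode, inbound interface and reply-to setting."""
    out = {}
    for mode, routes in (("pulled", BASE + PULLED), ("route-nopull", BASE)):
        for ifname in ("wan", "ovpnc1"):
            out[(mode, ifname, False)] = forward_ok(routes, ifname, client)
            out[(mode, ifname, True)] = forward_ok(routes, ifname, client, ifname)
    return out


if __name__ == "__main__":
    for client in ("100.64.0.9", "203.0.113.50"):  # constructed remote clients
        for (mode, ifname, pinned), ok in matrix(client).items():
            state = "reply-to" if pinned else "routing table"
            print(f"{client:13} {mode:12} in={ifname:6} {state:13} "
                  f"{'works' if ok else 'breaks'}")
```

In this model only the rows without reply-to change with the routing table: with the pulled routes the VPN-side forward works and the WAN-side one breaks, and with route-nopull it is the other way round.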