Port Forwarding Across VPN

Started by leacho73, February 07, 2021, 09:46:26 AM

Hi All,

Bit of a strange one - but I'm having issues with a port forward which points to a server on the opposite side of an IPSec VPN.

I'm trying to forward port TCP/25 to a server on the other side of the VPN - but I am unable to make a TCP connection - I have confirmed that the rules are allowing the traffic flow, and I have a gateway rule on the opposite side of the VPN directing traffic from that particular server back to the gateway of the initiating side of the VPN - although the responding traffic never appears to get back - at least I am unable to see the traffic return. Quick high level of my traffic flow.

WWW -> External IP -> OpnSense (21.1) -> NAT (Port Forward) -> IPsecVPN -> OpnSense (20.7) -> Server

Interestingly however, if I TraceRoute from the server in question, the traffic goes out of the gateway as expected - so not sure if I have missed a setting in my IPSec VPN.

Not sure where to start debugging this now - any help would be appreciated.

I've tested this with both OpnSense 21.1 and 20.7 - same result.

Thanks
Leacho

An easy thing to do is to use Interfaces: Diagnostics: Port Probe. You can try with both firewalls and the interfaces on each firewall.

Also, your explanation is convoluted.  Can you use site A ..... , site B.....

February 12, 2021, 04:45:05 PM #2 Last Edit: February 12, 2021, 04:46:58 PM by leacho73
Sorry @Errored Out - I'll try and explain again:

DNS for SMTP server points to external IP of Site A:
Site A has an IPSec VPN to Site B
SMTP Server is located in Site B

I have set up a port-forward in Site A to point to the IP of the SMTP server in Site B. However, although I am seeing the connection in the firewall logs, I am not seeing the return path back to Site A from Site B, thus I am unable to make a TCP connection.

Local port forwarding works, and when I traceroute from the SMTP server, I can see that the gateway policy rule routes the traffic from Site B, back over the VPN to Site A and back to the internet - rather than the local Site B internet address.

I have tried a port probe, but I am not seeing any output as yet. Not sure if it's because I am using a virtual IP on the external interface?

Thanks
Leacho

I also ran into a similar issue which was due to PBR.  Keep in mind I have not configured IPSEC; some of this information may not apply.

What you may need to look at are some other areas as well (below)


1. How are your FW rules configured (specifically the ones relating to your SMTP connection issue).  Look at the GW they have been assigned. If you have other connections that work from site A to site B back to site A, look at what settings they have and try to match as a test.

2. What GW is port forward set to (should match the one in the FW rules)? 
3. What NAT port forward, 1:1, Outbound rules have you configured if any, and what is the GW set (again, should match the one in the FW rules)?

4. Note: As you stated "Site A has an IPSec VPN to Site B", I think this is the most important area for your issue; use tcpdump or wireshark to see what exactly is happening. The webgui is not the best source and will not display everything.
If you are using policy-based routing IPsec, make sure you can identify where the packets are going.  PBR can send your packets to another interface and does not follow the FW rules you have put in place creating this problem. 

If you are using Route-Based Routing, the first 3 I listed will play a larger role in your troubleshooting.
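As an added example (not posted by anyone in this thread), the following Python script shows how to turn the tcpdump advice above into a quick asymmetric-routing check: it parses tcpdump-style lines captured on the Site A IPsec interface and flags TCP/25 flows where SYNs went towards the SMTP server but no SYN-ACK ever came back, which is the symptom Leacho describes. The sample capture, addresses and ports are constructed placeholders, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output, as it might be captured on the
# Site A IPsec interface while an outside host connects to the forwarded
# SMTP server. Addresses and ports are placeholders (assumed, not from the thread).
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 203.0.113.10.51000 > 10.20.0.25.25: Flags [S], seq 1, win 64240, length 0
10:00:01.000001 IP 203.0.113.10.51000 > 10.20.0.25.25: Flags [S], seq 1, win 64240, length 0
10:00:03.000001 IP 203.0.113.10.51000 > 10.20.0.25.25: Flags [S], seq 1, win 64240, length 0
10:00:05.000001 IP 10.10.0.5.40000 > 10.20.0.25.25: Flags [S], seq 7, win 64240, length 0
10:00:05.000900 IP 10.20.0.25.25 > 10.10.0.5.40000: Flags [S.], seq 9, ack 8, win 65535, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_flows(capture, server_port=25):
    """Map (client, cport, server, sport) -> 'ok' if a SYN-ACK was seen for
    that flow, or 'no-return-path' if only client SYNs (retransmits) appeared."""
    syn_count = defaultdict(int)
    synack_seen = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        if m["flags"] == "S" and dport == server_port:
            syn_count[(src, sport, dst, dport)] += 1
        elif m["flags"] == "S." and sport == server_port:
            # SYN-ACK travels server -> client; key it by the client-side tuple
            synack_seen.add((dst, dport, src, sport))
    return {k: ("ok" if k in synack_seen else "no-return-path") for k in syn_count}


def report(capture, server_port=25):
    """Human-readable summary; returns the number of broken flows."""
    broken = 0
    for (client, cport, server, sport), state in classify_flows(capture, server_port).items():
        print(f"{client}:{cport} -> {server}:{sport}: {state}")
        broken += state == "no-return-path"
    return broken


if __name__ == "__main__":
    report(SAMPLE_CAPTURE)
```

A flow marked `no-return-path` on the Site A side means the SYN was forwarded over the tunnel but Site B sent its SYN-ACK elsewhere (typically its local WAN), which is exactly where the gateway/PBR settings in the list above should be checked.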