Port forward on VPN & Wan

Started by mow4cash, February 17, 2017, 04:56:03 PM

I use OpenVPN to connect to the PIA VPN provider. If I pull routes from PIA, it then pushes all traffic through the VPN and disregards the firewall rules I use for selective routing on either the PIA gateway or the WAN gateway. If I don't pull routes from PIA, everything works correctly, but then my ports won't forward on the WAN interface but work on the PIA interface. When I pull routes, the opposite happens. How can I get this to work so I can port forward on both interfaces at the same time? I'm thinking I need to add in custom policy routing?

I found a pfSense thread of someone with the exact same issue. Hopefully this helps better explain my issue. I have posted the main points in this post, but here is the link for the full thread.
https://forum.pfsense.org/index.php?topic=65094.msg552331#msg552331

pfSense post:
I have an issue with the port forwarding from VPN. Everything works correctly (have the port forwarded from the OpenVPN interface to my local station). If I use the routes added automatically with the OpenVPN connection, the port forwarding is great, but it adds a few routes including 0.0.0.0/1 that go out the VPN interface, which takes over my default gateway. When I add route-nopull and just copy all the routes that it adds except for 0.0.0.0/1, the VPN works fine except the port doesn't forward anymore. If I add that route, it starts working again.

pfSense reply:
From what I can understand, the reason is that the reply-to address for some reason isn't used for the return packets of the firewall rule associated with the port forwarding NAT rule. I've managed to get it to work by:

On the NAT port forwarding rule, select "none" under "Filter rule association". Create the rule manually instead, under floating rules. The rule is basically a "copy" of the one automatically created by NAT:

Pass, Quick, in, IPv4, <protocol>, source: any, Destination: port forwarding destination host, Destination port range: forwarded port

Make sure it's high up/on top in the floating rules, and make sure it's a quick rule. When I look in rules.debug, the effect of this is simply that the rule (it's the firewall rule that contains the reply-to address) ends up much higher in the resulting ruleset, and that seems to make all the difference. I haven't quite figured out why yet.

Me:
I have tried this fix with no luck. I am so lost trying to get this to work. Any help would be greatly appreciated.
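To make the mechanism in the quoted pfSense reply concrete, here is an added pf ruleset sketch (written for this page; not from the thread, OPNsense, or pfSense's generated rules.debug) showing what "a quick pass rule carrying reply-to, placed above everything else" looks like in native pf syntax. Interface names, gateway addresses, the LAN host and the port are all assumed, constructed values; the point is the pairing of each rdr with a quick pass rule whose reply-to names the interface and gateway the connection arrived on, so return packets leave by that path instead of the default route.

```pf
# Constructed example: assumed interface names, addresses and port.
ext_if   = "em0"            # WAN interface (assumed name)
vpn_if   = "ovpnc1"         # OpenVPN client interface to the provider (assumed name)
wan_gw   = "203.0.113.1"    # ISP next hop (documentation address, assumed)
vpn_gw   = "10.8.0.1"       # provider-side tunnel gateway (assumed)
lan_host = "192.168.1.10"   # forwarding target on the LAN (assumed)
fwd_port = "51413"          # forwarded port (assumed)

# Translation rules: forward the same port arriving on either interface
# to the LAN host. rdr runs before filtering, so the pass rules below
# match on the already-rewritten destination ($lan_host).
rdr on $ext_if proto tcp from any to ($ext_if) port $fwd_port -> $lan_host port $fwd_port
rdr on $vpn_if proto tcp from any to ($vpn_if) port $fwd_port -> $lan_host port $fwd_port

# Filter rules, kept at the top of the ruleset and marked quick so that no
# later rule can claim the packet first. reply-to records, in the state
# entry, the interface and gateway that replies must be sent through:
#  - connections arriving on WAN answer via the ISP gateway,
#  - connections arriving on the VPN answer via the tunnel gateway,
# regardless of which gateway currently holds the 0.0.0.0/0 (or 0.0.0.0/1)
# route in the routing table.
pass in quick on $ext_if reply-to ($ext_if $wan_gw) proto tcp \
    from any to $lan_host port $fwd_port keep state
pass in quick on $vpn_if reply-to ($vpn_if $vpn_gw) proto tcp \
    from any to $lan_host port $fwd_port keep state
```

When checking a generated ruleset (rules.debug on pfSense, or `pfctl -sr` on either platform), the thing to confirm is that the pass rule for the forwarded port both carries `reply-to` and sits above any broader pass rule that could match the same inbound connection without it; a state created by a rule lacking reply-to will have its return traffic follow the routing table, which is exactly the symptom described in the thread when the VPN's pushed 0.0.0.0/1 route is present or absent.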