[kwlug-disc] pfSense port forwarding over OpenVPN
Paul Nijjar
paul_nijjar at yahoo.ca
Fri Jan 24 14:44:09 EST 2020
This is a weird one, but a bunch of you are networking geniuses so I
am hoping you can help me out.
I have two sites: SiteA, and SiteB. SiteB has a web server, ServerX.
SiteA and SiteB are connected via a site-to-site OpenVPN. SiteA and
SiteB are both running pfSense as their firewall.
I want to do the following: have somebody from the outside world
connect to SiteA, use a NAT port forward to forward that traffic over
the OpenVPN link to SiteB, and have that traffic establish a
connection with ServerX. (Yes, this is ridiculous and upsetting, but
so is my existence. Bear with me.)
Here's what works:
- Traffic goes from the outside world to SiteA
- The pfSense rules supposedly allow this traffic to pass over the
OpenVPN connection (according to pfSense firewall logs)
- If another computer is on SiteA then it can connect over the OpenVPN
connection to ServerX successfully
Here's what is broken:
- Despite the pfSense firewall logs saying that traffic is allowed
over the OpenVPN connection, a packet inspection on that connection
reveals no traffic is going through! Something is dropping the
intended packets, and I do not know the culprit.
- As a result, I can see no traffic on the SiteB pfSense box.
My guess is that pfSense sees that the port-forwarded traffic is
coming from a foreign IP address (not one of the local subnets) and
rejects the traffic from being relayed over OpenVPN. But I do not know
where/how in pfSense to confirm this, and I do not know how to fix it.
Help?
- Paul
--
Get tech event listings: https://off-topic.kwlug.org/watcamp
Blog: http://pnijjar.freeshell.org
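One way to check the guess above about where the packets stop, added here and not from Paul's post: this Python snippet parses `pfctl -ss` output taken on SiteA's pfSense (Diagnostics > Command Prompt or an SSH shell) and reports which interfaces hold a pf state for the outside client's connection. A "wan-only" result means pf accepted and translated the packet on WAN but never created a state on the tunnel interface, which separates a routing or outbound-NAT problem on SiteA from a tunnel that forwards the SYN and gets no reply. The state-line format, interface names, addresses and ports are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed `pfctl -ss` output as it might look on SiteA's pfSense.
# Interface names, addresses and ports are assumptions for illustration,
# not values from the post.
SAMPLE_STATES = """\
vtnet0 tcp 203.0.113.5:443 (10.20.0.10:443) <- 198.51.100.7:50432       ESTABLISHED:ESTABLISHED
vtnet1 tcp 10.10.0.25:52211 -> 10.20.0.10:443       ESTABLISHED:ESTABLISHED
ovpns1 tcp 10.10.0.25:52211 -> 10.20.0.10:443       ESTABLISHED:ESTABLISHED
"""

# One pf state per line: iface proto left [(translated)] <-|-> right STATE
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<xlate>\S+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)


def parse_states(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse pf state lines and normalise each to a src/dst pair."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unexpected formats
        d = m.groupdict()
        # "<-" is an inbound state: pf prints the destination side first.
        src, dst = (d["right"], d["left"]) if d["dir"] == "<-" else (d["left"], d["right"])
        states.append({"iface": d["iface"], "proto": d["proto"], "src": src,
                       "dst": dst, "xlate": d["xlate"], "state": d["state"]})
    return states


def states_for_client(text: str, client: str) -> Dict[str, str]:
    """Map interface -> pf state for every state originating from `client` (ip:port)."""
    return {s["iface"]: s["state"] for s in parse_states(text) if s["src"] == client}


def where_did_it_stop(text: str, client: str, wan: str, vpn: str) -> str:
    """Classify how far the forwarded connection got, by which interfaces hold a state."""
    seen = states_for_client(text, client)
    if wan not in seen:
        return "no-wan-state"   # the port forward never matched this client
    if vpn not in seen:
        return "wan-only"       # accepted on WAN, never sent out the tunnel interface
    if seen[vpn].startswith("SYN_SENT"):
        return "vpn-no-reply"   # SYN went into the tunnel, nothing came back
    return "vpn-" + seen[vpn]


if __name__ == "__main__":
    print(where_did_it_stop(SAMPLE_STATES, "198.51.100.7:50432", "vtnet0", "ovpns1"))
```

Capture the real output with `pfctl -ss` on the SiteA box while a test connection is open, and substitute the actual WAN and OpenVPN interface names (`ifconfig` shows them).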