[kwlug-disc] pfSense port forwarding over OpenVPN

Paul Nijjar paul_nijjar at yahoo.ca
Fri Jan 31 17:30:51 EST 2020


I think you are right, but instead of actually solving the problem I
ended up with a workaround. I used HAProxy to forward all SSL traffic
from the pfSense on SideA to ServerX. This gave me an IP on the local
domain, and then routing worked again.

Ugh. So much for my prospects of becoming a network admin.

- Paul


On Mon, Jan 27, 2020 at 02:18:31PM -0500, bob+kwlug at softscape.ca wrote:
> Paul,
> 
> The first thing that came to mind is that it is something to do with the source IP of the incoming connections and how they are not in scope of the L2L VPN tunnel.
> 
> As a simple confirmation of this, can you try NATing the source IP (ie: the IP that came from the Internet) to something that is in range on the local network or within the scope of traffic defined for the tunnel? If that works, then you can either leave the source NAT in, or you have to redefine the scope of the tunnel to include this type of traffic.
> 
> My $0.02
> 
> BB
> 
> > -----Original Message-----
> > From: kwlug-disc <kwlug-disc-bounces at kwlug.org> On Behalf Of Paul Nijjar via
> > kwlug-disc
> > Sent: January 24, 2020 2:44 PM
> > To: kwlug-disc at kwlug.org
> > Cc: Paul Nijjar <paul_nijjar at yahoo.ca>
> > Subject: [kwlug-disc] pfSense port forwarding over OpenVPN
> > 
> > This is a weird one, but a bunch of you are networking geniuses so I
> > am hoping you can help me out.
> > 
> > I have two sites: SiteA, and SiteB. SiteB has a web server, ServerX.
> > SiteA and SiteB are connected via a site-to-site OpenVPN. SiteA and
> > SiteB are both running pfSense as their firewall.
> > 
> > I want to do the following: have somebody from the outside world
> > connect to SiteA, use a NAT port forward to forward that traffic over
> > the OpenVPN link to SiteB, and have that traffic establish a
> > connection with ServerX. (Yes, this is ridiculous and upsetting, but
> > so is my existence. Bear with me.)
> > 
> > Here's what works:
> > 
> > - Traffic goes from the outside world to SiteA
> > - The pfSense rules supposedly allow this traffic to pass over the
> >   OpenVPN connection (according to pfSense firewall logs)
> > - If another computer is on SiteA then it can connect over the OpenVPN
> >   connection to ServerX successfully
> > 
> > Here's what is broken:
> > 
> > - Despite the pfSense firewall logs saying that traffic is allowed
> >   over the OpenVPN connection, a packet inspection on that connection
> >   reveals no traffic is going through! Something is dropping the
> >   intended packets, and I do not know the culprit.
> > - As a result, I can see no traffic on the SiteB pfSense box.
> > 
> > My guess is that pfSense sees that the port-forwarded traffic is
> > coming from a foreign IP address (not one of the local subnets) and
> > rejects the traffic from being relayed over OpenVPN. But I do not know
> > where/how in pfSense to confirm this, and I do not know how to fix it.
> > 
> > Help?
> > 
> > - Paul
> > 
> > --
> > Get tech event listings: https://off-topic.kwlug.org/watcamp
> > Blog: http://pnijjar.freeshell.org
> > 
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 

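The source-NAT suggestion in the thread, traced through as an added example. This is not code from the thread, from pfSense or from OpenVPN; it is a small model of what each box does to the packet. The topology, addresses and port are constructed for the example (the thread names none). The "tunnel scope" check stands in for the networks a site-to-site OpenVPN is configured to carry (pfSense Local/Remote Networks, i.e. route/iroute); in OpenVPN server mode a packet arriving from a peer with a source address outside that peer's iroute is dropped with "bad source address from client", and SiteB has no route back over the tunnel to an Internet source in any case. The model shows why the firewall log can say "pass" while the tunnel capture stays empty, and why rewriting the source to an in-scope address changes that.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the example; these addresses are assumptions,
# not values from the thread.
SITEA_LAN = ip_network("10.1.0.0/24")        # SiteA's local subnet
SITEB_LAN = ip_network("10.2.0.0/24")        # SiteB's local subnet, where ServerX lives
SITEA_WAN = ip_address("198.51.100.1")       # SiteA pfSense WAN address (port forward target)
SITEA_LAN_IP = ip_address("10.1.0.1")        # SiteA pfSense LAN-side address, inside tunnel scope
SERVER_X = ip_address("10.2.0.10")           # ServerX at SiteB
INTERNET_CLIENT = ip_address("203.0.113.7")  # somebody from the outside world

# Networks the site-to-site tunnel is configured to carry on both ends
# (pfSense Local/Remote Networks, OpenVPN route/iroute).
TUNNEL_SCOPE = (SITEA_LAN, SITEB_LAN)


def in_tunnel_scope(addr):
    """True if addr falls in one of the networks the tunnel carries."""
    return any(addr in net for net in TUNNEL_SCOPE)


def port_forward(pkt):
    """NAT port forward on SiteA's WAN: DNAT SITEA_WAN:443 to ServerX:443."""
    if pkt["dst"] == SITEA_WAN and pkt["dport"] == 443:
        return {**pkt, "dst": SERVER_X}
    return pkt


def outbound_nat(pkt):
    """Outbound (source) NAT on SiteA's OpenVPN interface: rewrite an
    out-of-scope source to SiteA's own in-scope address, as BB suggests."""
    if pkt["dst"] in SITEB_LAN and not in_tunnel_scope(pkt["src"]):
        return {**pkt, "src": SITEA_LAN_IP}
    return pkt


def tunnel_carries(pkt):
    """The tunnel only carries packets whose source and destination are both
    in its configured networks. An OpenVPN server drops a peer's packet whose
    source is outside that peer's iroute ("bad source address from client"),
    and SiteB would have no tunnel route back to an Internet source anyway."""
    return in_tunnel_scope(pkt["src"]) and in_tunnel_scope(pkt["dst"])


def trace(pkt, use_outbound_nat):
    """Walk an inbound packet through SiteA's pfSense and record each hop."""
    steps = []
    pkt = port_forward(pkt)
    steps.append(f"after port forward: {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    if use_outbound_nat:
        pkt = outbound_nat(pkt)
        steps.append(f"after outbound NAT: {pkt['src']} -> {pkt['dst']}:{pkt['dport']}")
    # The firewall rule on the OpenVPN interface matches on destination and
    # passes either way; that is the "pass" the pfSense log shows.
    steps.append("firewall on OpenVPN interface: pass")
    carried = tunnel_carries(pkt)
    if carried:
        steps.append("tunnel: carried to SiteB")
    else:
        steps.append(f"tunnel: dropped, source {pkt['src']} not in "
                     f"{[str(n) for n in TUNNEL_SCOPE]}")
    return {"delivered": carried, "steps": steps, "pkt": pkt}


def reply_returns(forwarded_pkt):
    """ServerX replies to whatever source it saw. The reply only comes back
    over the tunnel if that source is in tunnel scope at SiteB."""
    reply = {"src": forwarded_pkt["dst"], "dst": forwarded_pkt["src"],
             "dport": forwarded_pkt.get("sport", 0)}
    return tunnel_carries(reply)


if __name__ == "__main__":
    inbound = {"src": INTERNET_CLIENT, "dst": SITEA_WAN, "sport": 51515, "dport": 443}
    for use_snat in (False, True):
        result = trace(inbound, use_snat)
        print(f"outbound NAT {'on ' if use_snat else 'off'}:")
        for step in result["steps"]:
            print("  " + step)
        if result["delivered"]:
            print(f"  reply returns over tunnel: {reply_returns(result['pkt'])}")
```

Run with no outbound NAT, the packet leaves the port forward with destination ServerX but source 203.0.113.7, passes the firewall rule, and is dropped at the tunnel scope check; with outbound NAT on the OpenVPN interface its source becomes 10.1.0.1, the tunnel carries it, and ServerX's reply comes back to an address SiteB can reach over the tunnel. The trade-off BB mentions is visible in the model: with the source rewritten, ServerX's logs see SiteA's address rather than the real client, which is also what the HAProxy workaround produces.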