Hi,
I have some trouble setting up port forwarding with multiple interfaces.
When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK is
sent from the VPN IP but through the pppoe interface (which is the
default gw, but I would expect the NAT to take care of that - maybe I am
wrong?).
I would like my server to be accessible from both pppoe and the VPN tunnel.
Here is more info:
_Situation before:_
I had a pppoe interface from my ISP (WAN aka pppoe0), I have an
interface for my DMZ (where my mail server is located - Orange aka em2,
range 10.50.1.0/24).
I had an inbound NAT rule
WAN tcp src:* destAddr:WAN address destPort:25 NatIP:mail(ex
10.50.1.1) NAT port:25
and the firewall rule that allows traffic from WAN to mail server on port 25
This is working fine.
_Current situation:_
ISP WAN and DMZ as before but I have added an OpenVPN tunnel to a
provider that gives me a fixed IP address. The interface (VPNFIXED aka
vpnc3) address on my firewall is 10.99.10.2, the gateway is 10.99.10.1.
I have added the following rule for port forwarding:
VPNFIXED tcp src:* destAddr:VPNFIXED address destPort:25
NatIP:mail(10.50.1.1) NAT port:25
and of course the associated firewall rule that allows traffic from
VPNFIXED towards mail server.
When a SYN packet arrives through the vpnc3 interface (I see from SYN
209.85.217.181 to 10.99.10.2:25), it is then correctly passed on the em2
interface (209.85.217.181 --> 10.50.1.1:25) and the reply from the
server is, as expected, a SYN/ACK on em2 (10.50.1.1 --> 209.85.217.181).
The problem is that the SYN/ACK is then passed to the pppoe0 interface
instead of the vpnc3 (I see on pppoe SYN/ACK 10.99.10.2 -->
209.85.217.181). This is strange as it is using the IP address of the
VPNFIXED interface.
The routing table has the ISP as default route and 10.99.10.0/24 is
marked as U and has the right vpnc3 interface.
I am using pfSense 2.1.3-RELEASE (amd64).
Any help would be greatly appreciated!
Thanks in advance!
Thierry
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
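The behaviour described in the post can be modelled in a few lines. The script below is an added example, not code from the post or from pfSense; it is a toy model of pf's rdr plus state tracking using the addresses, interface names and routing table the post gives (the WAN address itself is not needed for the VPN path and is omitted). It shows that rdr only rewrites the destination, while the egress interface for the SYN/ACK is chosen by a destination-only route lookup, which for 209.85.217.181 matches nothing but the default route and therefore picks pppoe0 even though the reply carries the VPNFIXED source address. In pf, sending the reply back out the interface the state was created on is the job of the `reply-to` keyword; pfSense attaches it to rules placed on an assigned interface's own tab when that interface has a gateway, so whether the rule really carries `reply-to` (rather than being on a shared OpenVPN tab without a gateway) is the first thing to check in a setup like this.

```python
"""Toy model of pf rdr + state tracking (constructed example, not pfSense code).
Shows why a port-forwarded reply leaves via the default route unless the
state remembers a reply-to interface."""
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table mirroring the post: default route via pppoe0,
# 10.99.10.0/24 on vpnc3 (VPNFIXED) and 10.50.1.0/24 on em2 (the DMZ).
ROUTES = [
    ("0.0.0.0/0", "pppoe0"),
    ("10.99.10.0/24", "vpnc3"),
    ("10.50.1.0/24", "em2"),
]


def route_lookup(dst: str) -> str:
    """Longest-prefix match: the kernel picks the egress by destination only."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


@dataclass
class Packet:
    src: str
    dst: str
    port: int          # the server-side port (25 for the mail forward)
    flags: str = "SYN"


@dataclass
class Firewall:
    forwards: dict                  # ingress iface -> (interface address, port, NAT IP)
    reply_to: bool = False          # True models `reply-to` on the pass rule
    states: dict = field(default_factory=dict)

    def inbound(self, iface: str, pkt: Packet):
        """Apply the port forward and return (translated packet, egress iface)."""
        addr, port, target = self.forwards[iface]
        if (pkt.dst, pkt.port) != (addr, port):
            raise ValueError("no port forward matches this packet")
        # rdr rewrites the destination and creates a state that remembers the
        # original destination and the interface the SYN arrived on.
        self.states[(pkt.src, target, port)] = {"orig_dst": addr, "in_iface": iface}
        fwd = Packet(pkt.src, target, port, pkt.flags)
        return fwd, route_lookup(fwd.dst)          # em2 in the post's topology

    def reply(self, pkt: Packet):
        """Reverse-translate the server's reply and pick its egress interface."""
        st = self.states[(pkt.dst, pkt.src, pkt.port)]
        # The source becomes the address the client originally connected to.
        out = Packet(st["orig_dst"], pkt.dst, pkt.port, pkt.flags)
        # Without reply-to the egress is a plain route lookup on the destination:
        # 209.85.217.181 only matches 0.0.0.0/0, hence pppoe0. With reply-to the
        # state's ingress interface wins, so the SYN/ACK goes back out vpnc3.
        egress = st["in_iface"] if self.reply_to else route_lookup(out.dst)
        return out, egress


def trace(reply_to: bool) -> dict:
    """Replay the post's SYN / SYN/ACK exchange through the VPNFIXED forward."""
    fw = Firewall({"vpnc3": ("10.99.10.2", 25, "10.50.1.1")}, reply_to=reply_to)
    syn = Packet("209.85.217.181", "10.99.10.2", 25)
    fwd, fwd_if = fw.inbound("vpnc3", syn)
    synack = Packet("10.50.1.1", "209.85.217.181", 25, "SYN/ACK")
    out, out_if = fw.reply(synack)
    return {
        "forwarded_dst": fwd.dst,
        "forwarded_via": fwd_if,
        "reply_src": out.src,
        "reply_via": out_if,
    }


if __name__ == "__main__":
    for rt in (False, True):
        print(f"reply-to={rt}: {trace(rt)}")
```

Running it prints the exact symptom from the post for `reply-to=False` (reply source 10.99.10.2, egress pppoe0) and the intended path for `reply-to=True` (egress vpnc3); the NAT translation is identical in both cases, which is why fixing the NAT rule alone cannot change where the reply leaves.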