Hi

Does anybody have any idea on the issue?

Thanks!

Thierry

On 05/06/2014 05:16 PM, Thierry De Leeuw wrote:
Hi,

I have some trouble setting up port forwarding with multiple interfaces. When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK is sent from the VPN IP but through the pppoe interface (which is the default gw, but I would expect the NAT to take care of that - maybe I am wrong?).
I would like my server to be accessible from both the pppoe and the VPN tunnel.

Here is more info:

_Situation before:_

I had a pppoe interface from my ISP (WAN aka pppoe0), and I have an interface for my DMZ (where my mail server is located - Orange aka em2 - range 10.50.1.0/24).
I had an inbound NAT rule
WAN tcp src:* destAddr:WAN address destPort:25 NatIP:mail(ex 10.50.1.1) NAT port:25 and the firewall rule that allows traffic from WAN to mail server on port 25

This is working fine.

_Current situation:_

ISP WAN and DMZ as before but I have added an open vpn tunnel to a provider that gives me a fixed IP address. The interface (VPNFIXED aka vpnc3) address on my firewall is 10.99.10.2, the gateway is 10.99.10.1.

I have added the following rule for port forwarding:
VPNFIXED tcp src:* destAddr:VPNFIXED address destPort:25 NatIP:mail(10.50.1.1) NAT port:25

and of course the associated firewall rule that allows traffic from VPNFIXED towards mail server.

When a SYN packet arrives through the vpnc3 interface (I see a SYN from 209.85.217.181 to 10.99.10.2:25), it is then correctly passed on the em2 interface (209.85.217.181 --> 10.50.1.1:25) and the reply from the server is, as expected, a SYN/ACK on em2 (10.50.1.1 --> 209.85.217.181).

The problem is that the SYN/ACK is then passed to the pppoe0 interface instead of vpnc3 (I see on pppoe SYN/ACK 10.99.10.2 --> 209.85.217.181). This is strange as it is using the IP address of the VPNFIXED.

The routing table has the ISP as default route and 10.99.10.0/24 is marked as U and has the right vpnc3 interface.

I am using pfSense 2.1.3-RELEASE (amd64).

Any help would be greatly appreciated!

Thanks in advance!

Thierry



_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list

--

Thierry De Leeuw
Avance Consulting SPRLu.

Rue Warandeveld, 29
1120 Neder-Over-Hembeek
Belgium

Mobile: +32 479/470.512
TVA-VAT: BE 0876.491.406
