Hi,

Thanks for your answer. Unfortunately I have already created this interface and it still does not work ;-(

Looking at my state table, I have an entry
mail_server:25 <- 10.99.10.2:25 (open vpn IP) <- 209.85.215.41:53282 (Gmail)

So it looks like, although there is an entry for the connection, the orange firewall seems to use the default gateway and WAN interface (the one of the ISP) instead of the interface from which the SYN packet arrived (but still, the source IP is correctly changed to the IP of the VPN interface - so I am sending bogus packets to my ISP).

Is my understanding right in assuming that NAT should make sure it uses the same interface as the incoming one (only applying the routing table indeed leads to using the pppoe interface, which is what I see but not what I want)? If not, how can I force the outgoing interface to be the same as the incoming interface?

Best regards

Thierry


On 05/09/2014 03:22 PM, Jim Pingle wrote:
> On 5/9/2014 8:02 AM, Thierry De Leeuw wrote:
>> I have some trouble setting up port forwarding with multiple interfaces.
>> When a connection is initiated from the VPN tunnel (SYN), the SYN/ACK
>> is sent from the VPN IP but through the pppoe interface (which is the
>> default gw, but I would expect the NAT to take care of that - maybe I
>> am wrong?).
>> I would like my server to be accessible from both pppoe and VPN tunnel.
>
> The "multiple interfaces" bit works fine when they're both actually
> WANs, but when one is a VPN it doesn't work that way by default.
>
> To get the behavior you want with OpenVPN, where reply-to sends the
> packets back the way they came in, you'll need to do the following:
>
> 1. Assign/enable the OpenVPN interface from Interfaces > (assign). Set
> it to an IP type of 'none'
> 2. Restart the VPN (edit/save)
> 3. Move firewall rules from the OpenVPN tab to the new interface tab. No
> rules on the OpenVPN tab can match the traffic.
>
> Jim
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list

--

Thierry De Leeuw
Avance Consulting SPRLu.

Rue Warandeveld, 29
1120 Neder-Over-Hembeek
Belgium

Mobile: +32 479/470.512
TVA-VAT: BE 0876.491.406
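
What the three steps quoted above change at the pf level, shown as an added illustration that is not part of the thread and not copied from a pfSense-generated ruleset. The interface name `ovpnc1`, the tunnel gateway `10.99.10.1` and the mail server address `192.168.1.10` are constructed; `10.99.10.2` is the VPN IP from the state entry above.

```pf
# Constructed values (assumptions): ovpnc1, 10.99.10.1, 192.168.1.10.
# 10.99.10.2 is the VPN-side address seen in the state table entry.

# Port forward on the tunnel address to the internal mail server.
rdr on ovpnc1 inet proto tcp from any to 10.99.10.2 port 25 -> 192.168.1.10

# (a) Rule kept on the OpenVPN tab: it binds to the "openvpn" interface
#     group and carries no reply-to. If this rule creates the state, the
#     SYN/ACK is routed by the routing table, i.e. out the default
#     gateway on pppoe, with the VPN address as its source.
pass in quick on openvpn inet proto tcp from any to 192.168.1.10 port 25 \
    flags S/SA keep state

# (b) Rule on the assigned interface tab: reply-to records the tunnel
#     interface and gateway in the state, so return packets leave the
#     way the SYN came in regardless of the default route.
pass in quick on ovpnc1 reply-to (ovpnc1 10.99.10.1) inet proto tcp \
    from any to 192.168.1.10 port 25 flags S/SA keep state

# Only one of (a) or (b) should be able to match. With "quick", the first
# matching rule wins, which is why step 3 requires that nothing on the
# OpenVPN tab matches this traffic.
```

Running `pfctl -sr` on the firewall and looking for `reply-to` on the rule that passes port 25 confirms which of the two forms is actually in effect.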
