pfSense connecting to OpenVPN: trying to redirect some ports through the pfSense, which is firewall/OpenVPN/internet gateway

I have an internal network using pfSense as GW to the internet and OpenVPN to a VPS.
I need to have port 80 on the VPS forwarded through to a webserver internal to my network. The VPS is running Ubuntu Server. I set the iptables to forward port 80 through tun0, and when I open a web browser outside of my network I can see packets hitting the tun0 near side, and on pfSense I can see it hitting the OpenVPN GW. The issue I have is I lose the packets there. I have a port forward set up but it seems not to be following it, as on my web server I am not seeing port 80 traffic hitting it, and I am only seeing one-way traffic throughout. Does anyone have an idea what I need to route the traffic from the OpenVPN address to my internal network so it will follow the port redirect? NB: I do not want to make OpenVPN the DGW as I need most of my traffic not going through the VPS. That seems to work fine but is not a solution.

You see a TCP SYN packet going: Internet -> VPS -> DNAT magic -> tun0 -> encrypted -> pfSense interface -> pfSense local LAN interface -> x (disappears, or gets delivered but no reply).

It sounds like either reverse path filtering on the webserver is causing it to be dropped (who knows where the replies would be going anyway), or maybe it’s not dropped and the SYN-ACK is generated by the webserver host but getting dropped somewhere along the wrong path.

Ugh, I don’t remember FreeBSD/pfSense routing that well… I’m sure there’s a way to do this.

Some common patterns I’ve seen before are:

  • to both DNAT and SNAT the packets, causing the webserver to see a src IP of the VPS on the tunnel end, and sending a reply to there… probably easy, but your webserver logs all see the VPS IP… sucky but easy

  • build an IPIP or GRE or OpenVPN tunnel all the way from the VPS to your webserver, and make your webserver send all internet traffic through the VPS.

  • use a separate routing table or routing rule for those packets, specifically:

    • use the firewall to fwmark the packets with source port 80, or source user on Linux, or something else
    • use firewall connection tracking to mark packets originated through the firewall with an fwmark
    • … find another way to differentiate the source of the connection, e.g. set DSCP bits differently, and use that to fwmark.

Then, using ip rules, let all packets with that firewall mark follow a different routing table that leads the packet back through the correct interface.

If I were you I’d try doing an additional SNAT to verify there’s nothing else fishy, and then dive into firewall connection tracking and policy-based routing.

(In case you’re new to Linux networking/routing: yes, you can have multiple network namespaces in Linux, each with multiple routing tables, even though you typically only mess with one, and you can use ip rules per namespace to single out packets according to criteria that can even be determined by the firewall, and choose non-default routing tables for those.)
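The conntrack-mark plus ip-rule pattern from the reply above, written out as an added example that is not code from the thread. It assumes a Linux gateway (the thread's gateway is pfSense, which would do this with its own reply-to/gateway settings instead), an OpenVPN interface tun0 whose far end is 10.8.0.1, a LAN interface eth1, a webserver at 192.168.1.10, gateway LAN address 192.168.1.1, fwmark 0x1 and routing table 100; all of those are assumptions. The script prints the commands by default so they can be reviewed, and applies them only with `--apply`. The second function is the "additional SNAT" check the reply suggests for confirming the path works before touching policy routing.

```shell
#!/bin/sh
# Added example, not from the thread. Policy-based routing with conntrack marks on a
# Linux gateway: replies to connections that entered via the VPS tunnel leave via the
# tunnel again instead of the default WAN route. All names/addresses are assumptions.
TUN_IF=${TUN_IF:-tun0}           # OpenVPN interface towards the VPS (assumed)
TUN_GW=${TUN_GW:-10.8.0.1}       # VPS end of the tunnel (assumed)
LAN_IF=${LAN_IF:-eth1}           # interface facing the internal webserver (assumed)
LAN_ADDR=${LAN_ADDR:-192.168.1.1} # this gateway's own LAN address (assumed)
WEB=${WEB:-192.168.1.10}         # internal webserver (assumed)
MARK=${MARK:-0x1}                # fwmark/connmark value (assumed)
TABLE=${TABLE:-100}              # custom routing table id (assumed)

# Emit the policy-routing setup instead of running it; review, then `--apply`.
pbr_commands() {
  cat <<EOF
# Strict rp_filter on $TUN_IF would drop inbound packets whose (internet) source
# address is reachable via the WAN route rather than the tunnel; use loose mode.
sysctl -w net.ipv4.conf.$TUN_IF.rp_filter=2
# 1. Forward port 80 arriving on the tunnel to the webserver. No SNAT here, so the
#    webserver keeps seeing the real client address in its logs.
iptables -t nat -A PREROUTING -i $TUN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80
# 2. Record on the connection (not the packet) that it entered through the tunnel.
#    mangle PREROUTING runs before nat PREROUTING, so --dport 80 is the original port.
iptables -t mangle -A PREROUTING -i $TUN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK
# 3. Copy the connection mark onto the reply packets coming back from the LAN only.
#    Inbound packets stay unmarked and keep using the main table to reach $WEB.
iptables -t mangle -A PREROUTING -i $LAN_IF -m connmark --mark $MARK -j CONNMARK --restore-mark
# 4. Marked packets consult table $TABLE, whose only default route is the tunnel.
ip rule add fwmark $MARK lookup $TABLE
ip route add default via $TUN_GW dev $TUN_IF table $TABLE
EOF
}

# The reply's first pattern, useful as a quick check: also SNAT the forwarded
# connection to the gateway's LAN address so the webserver answers the gateway
# directly. Works without policy routing but hides the client IP from the webserver.
snat_check_commands() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $TUN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $WEB --dport 80 -j SNAT --to-source $LAN_ADDR
EOF
}

case "${1:-}" in
  --apply)      pbr_commands | sh -e ;;         # needs root on the gateway
  --snat-check) snat_check_commands | sh -e ;;  # needs root on the gateway
  *)            pbr_commands ;;                 # dry run: just show the commands
esac
```

Run it without arguments to see the rule set with your own values substituted via the environment (for example `TUN_GW=10.9.0.1 WEB=192.168.5.20 ./pbr.sh`), then `--apply` as root. Because the mark is restored only for packets entering from the LAN, new connections arriving on the tunnel are never sent to table 100, which would otherwise route them back out through tun0; and if the SNAT check works while the policy-routing version does not, the remaining problem is on the return path, as the reply describes.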

Thanks, will look into that. I was under the impression that a NAT on the pfSense server would handle the return path. But creating a second OpenVPN from the webserver would probably solve the issue as well, though I would prefer to have one central in/out location… Also will look if I can fwmark the packets.