Ports won't open on PfSense

Hi

I have a problem with my pfSense box. I built a pfSense box based on an alix APU board. Works perfectly fine. But I have one problem: I just can't get some ports open.

My setup: the pfbox gets its WAN-IP through PPPoE from my Swisscom (ISP in Switzerland). pfsense is running on 2.2.4

I created an OpenVPN Server on my pfsense, then I wanted to open the port for my OpenVPN Server. I did not use the standard port 1194. I used 10337 and some others. When I run an nmap portscan from my notebook that is connected through my mobile hotspot (so not in the same LAN) I can see my opened Port. Strangely I see Port 80 and 53. But I did not open those. I thought that nmap was scanning my Swisscom Router-thingy but nmap actually did recognize the OS, FreeBSD. So it scans the pfbox.

Thanks in advance

What does your port config look like for openvpn? Can you post the rules?

For OpenVPN: IPv4 then any any any...

For the WAN interface: IPv4 - UDP (it is UDP also on the server) DST: is my pfSense box LAN-IP. Port: 10337, Gateway: *, Queue: none

The WAN Rule is the first rule. Then ICMP so I can ping and no other rules.

See:

and

greets

Is 10.10.10.254 your WAN address? If you're passing PPPoE through to the router it should be set to your WAN address and not the local address. (I think)

Yes, you're right, but no, my PPPoE passthrough gets a valid WAN address. Should the DST be the WAN address?

The rule should be the WAN address from what I understand from this: https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

Which makes sense as you're trying to access it from the WAN.

Tried it, did not work. Ran another nmap; now I see port 113, 2000 (Cisco SCCP) and 5060 (SIP).

I think I'll call my ISP

That wan address isn't a public IP, are you behind another router? If so you'll need to forward the port on that router or set the pfsense machine as the DMZ.

That's your problem. Change this to 'wan address' and make sure that in your openvpn server config you have the interface set to wan

Changed that, did not work

I get my WAN IP through PPPoE from my Swisscom router, it is valid. Does PPPoE not forward all ports to my pfbox?

NAT.

You need to set up a NAT ALONG with a firewall rule allowing that port in (they'll mimic each other). I couldn't get my Murmur server to work properly until I did this.

Let me know how you get along - I can help you more when I'm at home.

Not in this case as the VPN server is on the pfsense box, you only need to open the port on wan.

If you are sure that you are not behind a router and your wan address is a public IP then make sure the wan rule is set as I described with the destination set to 'wan address' not the actual ip but the option that says wan address. Then make sure that in your openvpn config the interface is set to wan.

If all that is set correctly make sure that openvpn is actually running and there aren't any errors in the log.

If that's all good then it should be working. When you test it have you actually tried connecting to the server or are you just doing a port scan with nmap?
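A reachability check that speaks a little OpenVPN, added here as an example (not code from this thread or from pfSense): it sends the client's initial P_CONTROL_HARD_RESET_CLIENT_V2 datagram and looks for the server's HARD_RESET_SERVER_V2 reply, which tells you more than an nmap UDP scan does. It assumes the server runs without tls-auth/tls-crypt; with either enabled the server silently drops the unauthenticated probe, so no reply does not prove the port is closed. The host and port are placeholders.

```python
import os
import socket
import struct
import sys

# OpenVPN wire format: first byte = (opcode << 3) | key_id.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7   # what a client sends first
P_CONTROL_HARD_RESET_SERVER_V2 = 8   # what a reachable server answers


def build_client_reset(session_id: bytes) -> bytes:
    """Client hello without tls-auth: opcode byte, 8-byte session id,
    an empty ack array (length byte 0) and message packet id 0."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    return (bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3]) + session_id
            + b"\x00" + struct.pack("!I", 0))


def is_server_reset_for(reply: bytes, our_session_id: bytes) -> bool:
    """True if reply is a HARD_RESET_SERVER_V2 acknowledging our session:
    the server echoes our session id right after its ack array."""
    if len(reply) < 10 or reply[0] >> 3 != P_CONTROL_HARD_RESET_SERVER_V2:
        return False
    ack_len = reply[9]              # number of 4-byte acked packet ids
    pos = 10 + 4 * ack_len          # remote (our) session id follows the acks
    if ack_len == 0 or len(reply) < pos + 8:
        return False
    return reply[pos:pos + 8] == our_session_id


def probe_openvpn_udp(host: str, port: int, timeout: float = 3.0) -> str:
    """'openvpn' = server answered; 'closed' = ICMP port unreachable surfaced
    as ECONNREFUSED; 'unexpected' = some other datagram; 'no-reply' = silence
    (a firewall drop, or a live server with tls-auth/tls-crypt enabled)."""
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_client_reset(sid), (host, port))
            reply, _ = s.recvfrom(2048)
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "no-reply"
    return "openvpn" if is_server_reset_for(reply, sid) else "unexpected"


if __name__ == "__main__":
    # Placeholder target: pass your own WAN address; the port is the thread's.
    print(probe_openvpn_udp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1", 10337))
```

Run it from a host outside your LAN (as the poster did with the mobile hotspot); "no-reply" with tls-auth on is expected, and the server log is then the better evidence that packets arrive.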

In for the update/fix!

Did you get it working?

Not at home atm, but I'll try it this evening - thanks!


nmap and connecting to the VPN. When I try to connect from outside I get TLS handshake errors.

Do you have TLS authentication enabled? If so try disabling it on both the client and server.

If you're seeing errors on the server log when you try to connect then the port is open.

Again, you don't need to configure NAT in this case because you're not forwarding the port anywhere.

Thanks for the help! I disabled TLS auth. on both client and server. I still get the error. I'll change to another Swisscom router soon. Maybe this will work - hopefully it allows me to bridge it like my current one. Thanks y'all for the help!

greets

What does the server log say?

So a long time has passed since my last post and lots of things have changed.

I got a new router from my ISP, changed it to bridged mode. I updated my pfSense to the latest 2.2.6 build. I'm still not able to open ANY ports. I have opened lots of different ports and my nmap does not see them. Also my OpenVPN does not work. The log says TLS authentication failed, the client too. I checked my OpenVPN installation a dozen times and I reinstalled it a few times with new certificates. On the pfSense docs there's a thread about problems with "OpenVPN connection failed". All things on this list I'm pretty sure I got right except for one - the defined port must be open. And I can't open any ports.

EDIT: strange thing is I'm able to allow ICMP traffic to the router for pings...

OpenVPN LOG:

I connected to the vpn from my internal network, but I get the same error when I'm connecting from outside.

Jan 6 20:46:11 openvpn[20565]: 10.10.10.136:51312 TLS Error: TLS handshake failed
Jan 6 20:46:13 openvpn[20565]: 10.10.10.136:51313 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 6 20:46:13 openvpn[20565]: 10.10.10.136:51313 TLS Error: TLS handshake failed
Jan 6 20:46:15 openvpn[20565]: 10.10.10.136:51314 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 6 20:46:15 openvpn[20565]: 10.10.10.136:51314 TLS Error: TLS handshake failed