OpenVPN on pfSense behind ISP router

Goal

Configure a OpenVPN server on my pfSense firewall. Tom has a video from 2020 on how to do this which is straightforward and clear, however I am in a weird situation: My pfSense is behind an ISP router which is proving complicated. I have admin access to it and can configure port forwards & static routes etc as needed.

Network Diagram

Here is a diagram of the network. The red line is symbolizing the OpenVPN connection I would like to configure.

Troubleshooting Steps Already Taken

The FIOS router is configured to have the pfSense firewall as a DMZ host - i.e. all traffic should bypass the FIOS router and allow the pfSense firewall to be fully exposed to the internet. I’m not certain that this is working correctly. I configured the port forward on the FIOS router just in case this DMZ function is not working properly. Is there anyway to test that the pfSense box is fully exposed to the internet?

I can connect to the VPN server on pfSense if I am on the 192.168.105.0/24 network - which is useless.
If I am on 192.168.1.0/24 network I cannot establish an OpenVPN connection when setting the OpenVPN server as 192.168.1.8 (pfSense WAN address from FIOS router). If I am outside both networks (i.e. on LTE or a public Wi-Fi, I’m unable to connect to the OpenVPN either.

pfSense OpenVPN logs are not showing any activity when I attempt to connect from the Family Network or the outside internet so I believe my problem is related to passing traffic through the FIOS router/firewall.

Next Step - How to test DMZ?

I believe my next step is to test if the pfSense box is fully exposed to the internet or if some traffic is being blocked by the FIOS firewall. Does anyone know of a method to test this?

I realize this is a fairly unique problem, but has anyone encountered something similar or have any pointers? Much appreciated.

Hi Charles,

It sounds like your FIOS modem/router is blocking, as you suspect. I recently set up a pfSense box behind an AT&T router and it was a bit challenging. (the interface on their ‘Pace’ unit is less than desirable).

nmap is a useful tool to check ports. In fact, it’s available as a package to install in pfSense.

Also, Steve Gibson, over at Gibson Research has created a tester called “Shields-Up!” that may be helpful.

You will see that you can have the tool scan common ports, or you may specify a specific port to scan. I just tested that and it worked, as I know I have a port open, and it reported back that it is open.

Hope that helps,
Sean

Hi Sean,

Thanks for your response. I ran a few nmap tests and have concluded the FIOS router is not blocking traffic to pfSense.

nmap testing FROM Family Network (Red network on the diagram in the first post) TO pfsense (blue network)

macbook:~ charles$ nmap 192.168.1.8
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 13:38 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.12 seconds

First test shows that pfSense may be down. I know it is not down so I will attempt using the -Pn flag as nmap suggests.

macbook:~ charles$ nmap -Pn 192.168.1.8
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-16 13:40 EST
Nmap scan report for pfSense.fios-router.home (192.168.1.8)
Host is up.
All 1000 scanned ports on pfSense.fios-router.home (192.168.1.8) are filtered

Nmap done: 1 IP address (1 host up) scanned in 402.95 seconds

While running the above test, I looked at the pfSense logs. Specifically: Status/System Logs / Firewall
I was able to see tons of firewall log entries originating from the laptop running nmap. pfSense is denying/blocking/ these pings. So it looks like traffic originating from the “Family Network” is reaching the pfSense firewall and then being blocked by pfSense. This was not my original hypothesis.

It looks like my problem is that the pfSense firewall is blocking the attempted VPN connections into the OpenVPN service on pfSense. In the firewall logs I found the entry that is blocking the attempted OpenVPN connection. The error message (click on red X icon in leftmost column of log) reads as follows:

The rule that triggered this action is:
@5(1000000103) block drop in log inet all label “Default deny rule IPv4”

When I setup the OpenVPN in pfSense using the built-in wizard, it auto configured the Firewall Rule and OpenVPN rule. It looks like the default firewall rule is blocking the connection despite the wizard creating a WAN rule to permit such a connection. Back to further research, thank you for the nmap pointers - you’ve helped me to the next step, hoping to document my process here in case someone else comes along the same problem in the future.

Is the OpenVPN rule above the default deny rule in your firewall settings?

I apologize if I am not understanding this correctly but wouldn’t you pass all OpenVPN traffic (example port 1194 TCP or UDP) from the FIOS router to external 192.168.1.8 (pfSense). Again, this depends on the OpenVPN setup of course.

What does your rule(s) look like on the FIOS router and pfSense? During the OpenVPN setup, did it allow to auto-create the rules required? I think it is created under the WAN in pfSense.

This is what my rule looks like under the WAN setting on pfSense’s firewall…

Also, when you run nmap, are you pointing it to the external WAN IP address on the FIOS connection, from your location? You’ll need to initiate the connection external to the blocked network to examine with nmap.

@SKTC_Sean Thank you. Do you have the port 21195 UPD being forwarded from the FIOS router as well to your pfsense box? Do you see anything in the OpenVPN Server logs?

@snooopanda2168 - Sure. I don’t have a FIOS router/modem. I have a plain old cable modem, which eliminates some headaches.

But, it sounds like Charles may not be having an issue with FIOS, but with the order of his firewall rules, or the rule itself. Of course port 21195 is non-standard, but I did that on purpose, per @LTS_Tom’s suggestion.

The default deny rule is not visable at all in my Firewall rules. Some google searching shows me that this cannot be changed. The OpenVPN rule is in the “WAN” tab of my firewall rules and is the top rule.

Yes- the FIOS router should pass all OpenVPN traffic to pfSense (actually ALL traffic!).

The FIOS router has a feature called DMZ Host. If a device is setup as a DMZ host than the FIOS router will pass-through ALL traffic to this device - no connections/ports/packets will be blocked. This is ideal for my situation as I would essentially like to bypass the FIOS router. The only reason the FIOS router even exists is because I am living with family on a temporary basis.

Mine looks very similar:

I had ran nmap from FIOS LAN pointing at the pfSense WAN. I was planning to run nmap externally from FIOS until I determined that the pings were hitting pfSense and were being blocked by a pfSense rule. I figure step one is to be able to connect from within the FIOS network- once that is working properly move forward with connections that are external from both networks.

Thanks for all the great questions - these have been very helpful.

1 Like

Update!

The problem has something to do with pfBlockerNG.

I use pfBlockerNG for GeoIP filtering/blocking. I turned off all GeoIP blocking and connected with success from my phone on the cell network. I think somehow the VZW cell network was being blocked by pfBlockerNG.

Of course… a far simpler problem that should have been my first thought!

1 Like

I hate it when it is simple but also relieved. Glad to you hear you got it working or determined what was causing the issue.

Agreed. I think I need to review the pfBlockerNG “Top Spammers” list - I have noticed some sites being blocked that shouldn’t be. I had to whitelist the nextcloud community forums, so I think some of the default feeds might be overly broad for my needs.

Great news!! This may very well be helpful to this community in the future. Thanks for letting us know.

2 Likes