"This firewall" LDAP FW Rule Out on Split Tunnels
-
I have 5 interfaces, 1 WAN, 1 LAN, and 3 VPN (in a routing group). I want User Manager to utilize JumpCloud LDAP (previously configured and working) for logins. Seems JumpCloud has changed to AWS, and it no longer works over VPN.
How would I bypass port 636 on the 3 VPN interfaces outbound and only use the WAN? Floating Rules, LAN Rules, multiple rules to the VPN interfaces, all will not work. When I disable the 3 VPNs, it all works flawlessly. When I enable them, the port 636 traffic seems to go to the 3 VPNs. I've even gone as far as creating a floating rule allowing all out - on the VPN interfaces only, to no avail.
Just want the router to send port 636 from itself (not the LAN) over the WAN. So frustrating. LAN was simple.
-
@totalchaos1010
So I assume the gateway group is your default route. If you want pfSense to go out another gateway than the default, add a static route for the destination address.
-
@viragomann Thanks for the reply. A logical resolution indeed, but that is a little difficult since we are asking about AWS here and a good 4000 IP addresses. I already have the block downloaded into pfBlocker, in my earlier attempts. But I cannot set a static route to 4000 IP addresses, and aliases are not available in that scenario.
I am used to bypassing VPNs and using outgoing WAN no problem, but how does one do split tunnels from the firewall itself? So baffling.
-
@totalchaos1010
I see. I was thinking about a static IP for the service. pfSense uses the routing table for outbound traffic.
Maybe you can policy route the traffic by a 'Quick' floating rule assigned to all VPN interfaces for direction 'out' from source 'this firewall' and destination port 636, but I've never done something like this. Otherwise the only option might be to policy route all the other traffic over the VPNs.
-
@viragomann We think alike, and that is exactly what I did. Floating rule, quick, selected the VPN interfaces, out, port any, dest port 636, IP any, etc etc. Sent the rule to the top. States showed traffic when the LDAP test was performed in User Manager, as it once again fails because the outgoing interface is a VPN interface.
Was thinking of creating a port alias and bypassing that alias in LAN, but the traffic never hits the LAN interface. It's coming direct from pfSense.
-
Solution: Grabbed a few IPs to the LDAP server, created a host override in DNS Resolver, and added a static route over the WAN to these IPs. Worked like a charm.
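Added example, not from the thread or from pfSense itself: a small longest-prefix-match model of the routing table that shows why the /32 static routes in the solution win over the default route through the VPN gateway group for traffic the firewall itself generates. The gateway names, the LAN prefix and the two LDAPS server addresses are constructed sample values.

```python
"""Model of the route lookup pfSense (FreeBSD) performs for locally
generated packets: the most specific matching prefix decides the egress
gateway.  All names and addresses here are constructed for illustration."""
import ipaddress

# Constructed routing table before the fix: the default route points at
# the VPN gateway group, so the firewall's own LDAPS traffic leaves via VPN.
ROUTES = [
    ("0.0.0.0/0", "VPN_GROUP"),    # default route: the 3 VPN tunnels
    ("192.168.1.0/24", "LAN"),     # directly connected LAN
]

# Constructed sample: the addresses the LDAPS hostname currently resolves to.
LDAP_IPS = ["203.0.113.10", "203.0.113.11"]


def add_host_routes(routes, ips, gateway):
    """Pin each resolved server address to `gateway` with a /32 route,
    mirroring the 'static route over the WAN to these IPs' step."""
    return routes + [(f"{ip}/32", gateway) for ip in ips]


def host_override_lines(hostname, ips):
    """DNS Resolver host override entries.  The resolver must keep answering
    with exactly the pinned addresses; an address without a /32 route would
    silently fall back to the VPN default route."""
    return [f"{hostname} -> {ip}" for ip in ips]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def pinned_table():
    """Routing table after adding the WAN static routes for the LDAPS IPs."""
    return add_host_routes(ROUTES, LDAP_IPS, "WAN_GW")


if __name__ == "__main__":
    table = pinned_table()
    for ip in LDAP_IPS + ["198.51.100.7"]:   # last one: unrelated destination
        print(f"{ip} egresses via {lookup(table, ip)}")
    print("\n".join(host_override_lines("ldap.example.test", LDAP_IPS)))
```

Any other destination, including an LDAPS address the host override does not cover, still follows the default route into the VPN group, which is the reason the override and the static routes have to list the same addresses.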