Netgate Discussion Forum
    Limit access to (Open)VPN + Outbound NAT

mgi:

      Hello,

I have a pretty straightforward scenario where my LAN connects to remote hosts and networks (±100 routes) via a S2S OpenVPN (pfSense is the client).

      | LAN | ——> | PFSENSE |  ——> | OPENVPN |
      

      I’m trying to limit access from LAN to the VPN (remote networks) using a FW rule and allow access only from specific hosts, but I can’t find the right combination. I tried to create a blocking in/out rule on the LAN interface, VPN interface and also a floating rule.

      There’s of course no point to create an “in” rule on the OVPN interface, but I desperately tried it anyway. I think the right rule would be either a floating “out” one attached to the OVPN interface or a LAN “in” rule allowing a specific source and then dropping anything else.

Such rules drop access to the VPN completely. I reviewed logs and states, and then realized that (outbound) NAT is processed before the FW. That basically blocks my tunnel IP address (at least it seems so).

      What would be the best way to limit the access from LAN to OVPN just to a few hosts?

viragomann (replying to mgi):

        @mgi
Assuming you still have the default LAN allow-any-to-any rule in place, I would block the desired parts of the LAN this way:

Create an IP alias and add all LAN IPs to it that you want to permit access to the remote site.
Then add a block rule to the top of the LAN rule set and state this alias as source with invert checked. At destination, state the remote network (or an alias with all networks included that you route to the remote site in the VPN settings).
This means that all IPs not contained in the source alias are blocked. The allow-any-to-any rule will pass the rest.

mgi (replying to viragomann):
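The rule described in the reply above, written out in plain pf.conf syntax as an added illustration; this is not from the thread or from pfSense's generated ruleset, and the interface name, table names and addresses are assumptions.

```pf
# Assumed interface name and constructed example addresses. pfSense builds the
# equivalent rules from the GUI; this is only a hand-written illustration.
lan_if = "igb1"

# GUI alias: the LAN hosts that are allowed to reach the remote site.
table <vpn_allowed_hosts> { 192.168.1.10, 192.168.1.11, 192.168.1.20 }

# GUI alias: the hosts and networks that are routed into the OpenVPN tunnel.
table <vpn_remote_nets> { 10.10.0.0/16, 172.16.5.0/24, 10.200.1.7 }

# Top of the LAN rule set: drop traffic whose source is NOT in the alias
# ("invert" in the GUI) when the destination is one of the tunneled networks.
# Matching "in" on LAN sees the original LAN source addresses; an "out" rule
# on the OpenVPN interface would already see them rewritten by outbound NAT.
# "quick" stops evaluation so the default allow rule below cannot pass it.
block in quick on $lan_if inet from ! <vpn_allowed_hosts> to <vpn_remote_nets> \
    label "Block LAN to VPN except allowed hosts"

# Default LAN allow-any-to-any rule, unchanged. Everything not dropped above,
# including the allowed hosts' traffic to the remote networks, passes here.
pass in quick on $lan_if inet from 192.168.1.0/24 to any keep state \
    label "Default allow LAN to any"
```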

          @viragomann

          Thanks for coming back.

          That was one of the approaches I tried, but it didn't work. The access to the VPN was blocked.

          Anyway, I scrapped everything and started from scratch. I created a block rule attached to the LAN where the src is an inverted list of a few hosts, and the destination is a list of hosts and networks routed via the VPN. This time, everything works great, and the access is allowed/blocked as it should be.

I'm not aware of doing anything wrong before, so I'm not sure why that didn't work. Maybe I just did something foolish that I didn't spot.

I was hoping to cover this with a floating rule. That doesn't seem to be an option after reading about how the flow is processed in pfSense. I will have to replicate the rule across different interfaces.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.