Netgate Discussion Forum

    Firewall Rules are getting ignored - What am I missing?

    OpenVPN
    4 Posts 2 Posters 700 Views
    • Gamienator 0

      Hello everyone,

      I have a VPS server hosted in a datacenter. To have a secure connection to this server (e.g. sharing logs to Graylog) I wanted to set up my pfSense to connect to this VPN server.

      Everything is working great. On my VPS I created the VPN server with this script: https://markontech.com/sysadmin/install-openvpn-server-on-debian-10-11/ (just changed 10.8.0 to 172.45.0 because I'm already using 10.8.0 somewhere else). Then I altered the config to have another IP address:

      auto eno0:1
      iface eno0:1 inet static
          address 172.50.0.1
          netmask 255.255.255.0

      Which means these are the settings of /etc/openvpn/server.conf:

      port 1194
      proto udp
      dev tun
      user nobody
      group nogroup
      persist-key
      persist-tun
      keepalive 10 120
      topology subnet
      server 172.45.0.0 255.255.255.0
      ifconfig-pool-persist ipp.txt
      push "dhcp-option DNS 8.8.8.8"
      push "dhcp-option DNS 8.8.4.4"
      push "redirect-gateway def1 bypass-dhcp"
      push "route 172.50.0.0 255.255.255.0"
      dh none
      ecdh-curve prime256v1
      tls-crypt tls-crypt.key
      crl-verify crl.pem
      ca ca.crt
      cert server_c5oXyMh8FitcTXD1.crt
      key server_c5oXyMh8FitcTXD1.key
      auth SHA256
      cipher AES-128-GCM
      ncp-ciphers AES-128-GCM
      tls-server
      tls-version-min 1.2
      tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
      client-config-dir /etc/openvpn/ccd
      route 192.168.0.0 255.255.255.0
      status /var/log/openvpn/status.log
      verb 3
      

      /etc/openvpn/ccd/pfSense is filled with this:

      ifconfig-push 172.45.0.20 255.255.255.0
      iroute 192.168.0.0 255.255.255.0
      

      Following is setup on pfSense:

      [screenshot: a140d85d-7be0-4b18-a828-06cb9e3d50bb-grafik.png]

      What's surprising me is that blocking firewall rules are getting ignored! What I wanted is that every connection from home to the VPS is allowed, and every connection from the VPS to my home network is blocked except two ports for logging and monitoring. So I set the floating rule

      [screenshot: 881e730a-db58-4398-8661-a6b1ba5e0998-grafik.png]

      You can see I got a couple more site-to-sites where it's working. But in this constellation not. Did I miss something?

      Thanks in advance!

      Cheers,
      Gamie

      • Rico @Gamienator 0

        172.45.0.0/24, 172.50.0.0/24, 172.40.0.0/24 🤕
        You are using public IP space, RFC1918 is 172.16.0.0/12 (172.16.0.0 to 172.31.255.255).

        -Rico

        • Gamienator 0 @Rico

          @rico Oh my God 😳

          You're right!! Now I'm embarrassed 🙈. I'll change that as quick as possible.

          But that can't be the reason for the ignored rules, right?

          • Gamienator 0

            Heyho,
            after a lot of digging in my states I found the solution.

            Just an update: the VPN transfer network is 192.168.2.0/24 and the virtual NIC on the server got 192.168.10.2/24. After letting a ping happen I saw the state:

            192.168.2.1 -> 192.168.0.1
            

            and then it clicked! In this case it sees the connection from the transfer net, not the virtual IP. Building the correct floating rules made everything happen like I want it.

            But thanks again for the hint with RFC1918! I was so deep in the subnetting that I overlooked that :(
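An added example (mine, not code from the thread or from pfSense) that models the two points raised above: Rico's check that a prefix really lies inside RFC 1918 space, and the final post's observation that the state's source is the tunnel transfer address (192.168.2.1), so a block rule written against the server's virtual NIC subnet never matches. The rule lists, the simplified first-match evaluator and the port number 12201 are constructed for illustration.

```python
import ipaddress

# Constructed values. 192.168.0.0/24 is the home LAN named in the thread; 192.168.2.0/24 is
# the tunnel transfer net and 192.168.10.0/24 the server's virtual NIC subnet from the final post.
HOME_LAN = "192.168.0.0/24"
TRANSFER_NET = "192.168.2.0/24"
SERVER_VIRTUAL_NET = "192.168.10.0/24"
LOGGING_PORT = 12201  # placeholder for one of the two allowed logging/monitoring ports

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the whole prefix lies inside one of the three RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def first_match(rules, src: str, dst: str, dport: int) -> str:
    """Evaluate a simplified first-match rule list (like floating rules with 'quick').

    Returns the matching rule's action, or 'no-match' when the packet falls through to
    the interface rules, which in the thread's case meant the traffic was allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule["src"]) and d in ipaddress.ip_network(rule["dst"])
                and rule["dport"] in (None, dport)):
            return rule["action"]
    return "no-match"


# Rules written against the server's virtual NIC subnet: the set that appeared to be ignored.
RULES_BY_VIRTUAL_NIC = [
    {"action": "pass", "src": SERVER_VIRTUAL_NET, "dst": HOME_LAN, "dport": LOGGING_PORT},
    {"action": "block", "src": SERVER_VIRTUAL_NET, "dst": HOME_LAN, "dport": None},
]
# Same intent, but matching the address pfSense actually records in the state table.
RULES_BY_TRANSFER_NET = [
    {"action": "pass", "src": TRANSFER_NET, "dst": HOME_LAN, "dport": LOGGING_PORT},
    {"action": "block", "src": TRANSFER_NET, "dst": HOME_LAN, "dport": None},
]

# The state the poster observed after the ping: 192.168.2.1 -> 192.168.0.1.
OBSERVED_SRC, OBSERVED_DST = "192.168.2.1", "192.168.0.1"

if __name__ == "__main__":
    for net in ("172.45.0.0/24", "172.50.0.0/24", "172.40.0.0/24", "192.168.2.0/24"):
        print(f"{net} RFC1918: {is_rfc1918(net)}")
    print("virtual-NIC rules:", first_match(RULES_BY_VIRTUAL_NIC, OBSERVED_SRC, OBSERVED_DST, 22))
    print("transfer-net rules:", first_match(RULES_BY_TRANSFER_NET, OBSERVED_SRC, OBSERVED_DST, 22))
```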

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.