VLANs and VPN
-
Hey guys! So I have been having some issues trying to get my VLANs to stop talking to each other as well as trying to allow my VPN connection access to servers on VLANs, but I don't seem to be getting anywhere. As a side note, the IP of my connection on the VPN is 192.168.170.2 and the rules are the same for the other VLANs! Please see the firewall rules attached. I'm not an expert with pfSense so please be patient. Thank you!
-
@natethegreat21 how are you validating the traffic is clearing? Is it a ping? What's the source? Best bet is to find one spot, make it stop working, and then work from there (by duplicating/expanding rules).
Rules are also run from top to bottom.
Personally I would avoid Floating rules unless you absolutely have to have them. They wreak havoc on systems.
-
@rcoleman-netgate I am trying to RDP and ping the servers/VMs from a hotspot and I tried at my office but no luck. I will disable the floating rules and see if that helps.
-
@natethegreat21 Check packet captures, too, Windows Firewall is a royal PITB at times. I've seen networks from VPNs get rejected because they're not part of the local LAN.
-
@rcoleman-netgate I will take a packet capture. Do you think I need to allow the OpenVPN port in Windows Firewall?
-
@natethegreat21 No, just run the test without changing Windows. Verify the traffic is going in the OVPN interface, then out the proper internal interface on the pfSense. If it is exiting the pfSense on the internal interface the issue is not related to pfSense.
-
@natethegreat21
Just to add, all the rules with the VPN network as source are useless. That network will never be a source on your LAN, WAN, or any other VLAN.
-
@jarhead Thank you for the heads up. What's the best way to allow my VPN connection to have access to all VLANs?
-
@natethegreat21 Your VPN should have the networks all declared (local networks in OVPN, P2s in IPsec).
Then you need to grant access on each interface for the VPN Network
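The point made in this thread (rules are evaluated on the interface the traffic enters, top to bottom, first match wins, so a rule with the VPN network as source only ever matches on the OpenVPN interface) can be illustrated with a small rule-evaluation model. This is an added example, not code from the forum or from pfSense itself; the 192.168.170.0/24 tunnel network comes from the thread, while the server and guest VLAN subnets, the interface names and the packets are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of pfSense interface rules: a packet is checked only against
# the rules of the interface it ARRIVES on, top to bottom; first match wins;
# anything unmatched is dropped by the implicit default deny.
VPN_NET = ip_network("192.168.170.0/24")   # OpenVPN tunnel network (from the thread)
SERVERS = ip_network("192.168.20.0/24")    # assumed server VLAN
GUESTS = ip_network("192.168.30.0/24")     # assumed guest VLAN
ANY = ip_network("0.0.0.0/0")

def matches(rule, pkt):
    return (rule["iface"] == pkt["iface"]
            and ip_address(pkt["src"]) in rule["src"]
            and ip_address(pkt["dst"]) in rule["dst"]
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))

def evaluate(rules, pkt):
    """Return (action, rule description) for a packet entering the firewall."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule["desc"]
    return "block", "default deny"

# Misplaced rule: VPN network as source on the server VLAN interface. VPN traffic
# never enters pfSense on that interface, so the rule can never match.
MISPLACED = [
    {"iface": "SERVERS", "action": "pass", "src": VPN_NET, "dst": SERVERS,
     "dport": 3389, "desc": "allow VPN RDP (misplaced)"},
]

# Correct placement: the pass rule sits on the OpenVPN interface, and the guest
# VLAN gets a block for the server VLAN ABOVE its catch-all allow.
CORRECT = [
    {"iface": "ovpn", "action": "pass", "src": VPN_NET, "dst": SERVERS,
     "dport": 3389, "desc": "allow VPN RDP"},
    {"iface": "GUESTS", "action": "block", "src": GUESTS, "dst": SERVERS,
     "dport": None, "desc": "isolate guests from servers"},
    {"iface": "GUESTS", "action": "pass", "src": GUESTS, "dst": ANY,
     "dport": None, "desc": "guest default allow"},
]

# Constructed packets: RDP from the VPN client, and two flows from a guest host.
RDP_FROM_VPN = {"iface": "ovpn", "src": "192.168.170.2", "dst": "192.168.20.10", "dport": 3389}
GUEST_TO_SERVER = {"iface": "GUESTS", "src": "192.168.30.5", "dst": "192.168.20.10", "dport": 445}
GUEST_TO_INTERNET = {"iface": "GUESTS", "src": "192.168.30.5", "dst": "203.0.113.7", "dport": 443}

if __name__ == "__main__":
    for name, pkt in [("RDP from VPN", RDP_FROM_VPN), ("guest->server", GUEST_TO_SERVER),
                      ("guest->internet", GUEST_TO_INTERNET)]:
        print(f"{name:16} misplaced={evaluate(MISPLACED, pkt)}  correct={evaluate(CORRECT, pkt)}")
```

Swapping the order of the two guest rules in CORRECT lets guest-to-server traffic through, which is the "rules run top to bottom" point from earlier in the thread.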
-
@rcoleman-netgate Okay so I found the issue, Snort was blocking the IP I'm using for port scanning.
-
@rcoleman-netgate I found from the logs that it thought I was a bot scanning the network. I really appreciate all the help you guys have given, thank you so much!