Netgate Discussion Forum
    Common firewall rules for subnet and vpn

    Firewalling
    jmbraben

      I have an:

      • an internal VLAN subnet 192.168.70.0/24
      • an OpenVPN tunnel with IPv4 Tunnel Network 192.168.71.0/24
      • a WireGuard tunnel with the interface configured as 192.168.72.0/24

      In the firewall rules, these show up as 3x different sets of rules.

      • Currently I'm duplicating the rules and allowing these 3x subnets to talk to one another.

      What I'm trying to figure out is how to get the rules shared between these 3x subnets

      • Ideally, they'd all just get treated as a 192.168.70.0/22 subnet by the firewall and they'd all share the same rules.
      • Or some way to share the rules (without copy/paste) so that when I change the rules for this group, I don't have to do it 3x times.
      • i.e. any traffic coming through 192.168.70.0/22 I want configured the same whether it is local or from one of the VPNs.

      I really feel like I have to be missing something, but I'm not seeing it.

      • Thanks much for any help
      viragomann @jmbraben

        @jmbraben
        You can do this with floating rules. These can be applied to multiple interfaces and interface groups.
        But I'd suggest creating an interface group and adding your rules to that one, so they are applied to all member interfaces.

        You have to know that WireGuard and OpenVPN are already predefined interface groups, but they include only the respective VPNs.

        To add a VPN to a custom interface group, you first have to assign interfaces to the VPN instances. You can do this in Interfaces > Interface Assignments.
        Under "available network ports" you can see the VPN instances, e.g. ovpns1 or tun_wg0. Select your VPN instance here, click Add, open the new interface's settings, enable it and give it a proper name.

        Then you can add these interfaces to a custom interface group. After creation you get a new rules tab.

        You should also know that rules on an interface group are evaluated before rules on the member tabs. So you can have rules on both, but the group rules have priority.

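The following is an added example, not code from the thread or from pfSense itself. It models the rule ordering the reply above describes (floating tab first, then interface groups, then the interface's own tab) with pf's "quick" semantics, so you can see why a group rule shadows a member-tab rule, and it also checks the original post's idea of treating the three networks as one 192.168.70.0/22. The interface names `lan`, `ovpn` and `wg`, the group name `VPNLAN` and the sample rules are hypothetical; the three networks are the ones quoted in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Networks constructed from the thread (not a real deployment).
LAN_NET = ipaddress.ip_network("192.168.70.0/24")
OVPN_NET = ipaddress.ip_network("192.168.71.0/24")
WG_NET = ipaddress.ip_network("192.168.72.0/24")
ALL_NETS = [LAN_NET, OVPN_NET, WG_NET]


def not_covered(supernet: str, nets) -> List[ipaddress.IPv4Network]:
    """Members of `nets` that lie outside `supernet`; an empty list means full coverage.
    strict=False mirrors how a firewall normalises a prefix whose host bits are set."""
    s = ipaddress.ip_network(supernet, strict=False)
    return [n for n in nets if not n.subnet_of(s)]


def smallest_supernet(nets) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `nets`."""
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: List[ipaddress.IPv4Network]  # empty list means "any"
    dst: List[ipaddress.IPv4Network]
    quick: bool = True                # tab and group rules are always quick in pfSense
    descr: str = ""

    def matches(self, src_ip, dst_ip) -> bool:
        src_ok = not self.src or any(src_ip in n for n in self.src)
        dst_ok = not self.dst or any(dst_ip in n for n in self.dst)
        return src_ok and dst_ok


# group name -> (member interface names, rules on the group tab)
Groups = Dict[str, Tuple[Tuple[str, ...], List[Rule]]]


def ordered_rules(iface: str, floating: List[Rule], groups: Groups,
                  per_iface: Dict[str, List[Rule]]) -> List[Rule]:
    """Rules in the order pfSense loads them for traffic entering `iface`:
    floating tab, then every interface group containing `iface`, then its own tab."""
    rules = list(floating)
    for members, group_rules in groups.values():
        if iface in members:
            rules.extend(group_rules)
    rules.extend(per_iface.get(iface, []))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """pf semantics: a matching 'quick' rule decides at once; otherwise the last
    matching rule wins; if nothing matches, the implicit default is block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "block"
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            if rule.quick:
                return rule.action
            verdict = rule.action
    return verdict


# Hypothetical policy: assumed interface names "lan", "ovpn", "wg" and one
# custom group VPNLAN holding all three with a single inter-subnet pass rule.
GROUPS: Groups = {
    "VPNLAN": (("lan", "ovpn", "wg"),
               [Rule("pass", ALL_NETS, ALL_NETS, descr="VPNLAN nets to VPNLAN nets")]),
}
FLOATING = [Rule("block", [ipaddress.ip_network("192.168.71.50/32")], [],
                 descr="quarantine one VPN client ahead of any group/tab rule")]
PER_IFACE = {
    "lan": [Rule("block", [LAN_NET], [WG_NET],
                 descr="shadowed: the group pass rule is evaluated first")],
}


def verdict(iface: str, src: str, dst: str) -> str:
    return evaluate(ordered_rules(iface, FLOATING, GROUPS, PER_IFACE), src, dst)


if __name__ == "__main__":
    print("outside 192.168.70.0/22:", not_covered("192.168.70.0/22", ALL_NETS))
    print("smallest covering prefix:", smallest_supernet(ALL_NETS))
    print("lan -> wg:", verdict("lan", "192.168.70.10", "192.168.72.10"))
    print("quarantined ovpn client:", verdict("ovpn", "192.168.71.50", "192.168.70.5"))
    print("wg -> internet:", verdict("wg", "192.168.72.7", "10.0.0.1"))
```

Two things the model makes visible. First, the block rule on the `lan` tab never fires for LAN-to-WireGuard traffic because the group's quick pass rule is loaded ahead of it, exactly the priority the reply warns about, so a restriction meant for one member has to live on the group tab (or in a floating rule) to take effect. Second, 192.168.72.0/24 is not inside 192.168.70.0/22 (which normalises to 192.168.68.0/22), and the smallest single prefix covering all three is 192.168.64.0/20, far wider than intended; a pfSense alias listing the three /24s, referenced from the group rule, is the tighter choice.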
        jmbraben @viragomann

          @viragomann
          Thanks so much for the help... this was exactly what I was looking for (but didn't know existed 😃)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.