Common firewall rules for subnet and vpn
-
I have an:
- internal VLAN subnet 192.168.70/24
- an openvpn tunnel IPv4 Tunnel Network 192.168.71.0/24
- A wireguard tunnel with interface configured 192.168.72.0/24
In the firewall rules, these show up as 3x different sets of rules
- Currently I'm duplicating the rules and allowing these 3x subnets to talk to one another.
What I'm trying to figure out is how to get the rules shared between these 3x subnets
- Ideally, they'd all just get treated as a 192.168.70/22 subnet by the firewall and they'd all share the same rules.
- Or some way to share the rules (without copy/paste) so that when I change the rules for this group, I don't have to do it 3x times.
- i.e. any traffic coming through 192.168.70/22 I want configured the same whether it is local or from one of the VPNs.
I really feel like I have to be missing something, but I'm not seeing it.
- Thanks much for any help
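Added example (not from the thread or from pfSense): a quick Python check of the summary-prefix idea raised above. It takes the three networks named in the post, computes the smallest single prefix that contains all of them, lists the address ranges that prefix would match beyond the three intended networks, and reports which of the networks a given candidate summary (for example a /22) actually covers. The subnet list is constructed from the post; the function names are this example's own.

```python
import ipaddress

# Constructed from the three networks described in the post.
SUBNETS = [
    ipaddress.ip_network("192.168.70.0/24"),  # internal VLAN
    ipaddress.ip_network("192.168.71.0/24"),  # OpenVPN tunnel network
    ipaddress.ip_network("192.168.72.0/24"),  # WireGuard interface network
]


def smallest_supernet(nets):
    """Return the single smallest prefix that contains every network in nets."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    # Widen one bit at a time until every network fits inside the candidate.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def uncovered(candidate, nets):
    """Networks from nets that a candidate summary prefix does NOT contain.

    strict=False lets a host-style prefix such as 192.168.70.0/22 be
    normalised to its aligned network (192.168.68.0/22) before checking.
    """
    candidate = ipaddress.ip_network(candidate, strict=False)
    return [n for n in map(ipaddress.ip_network, nets) if not n.subnet_of(candidate)]


def overmatched(nets, supernet):
    """Address ranges inside supernet that are none of the intended networks.

    Assumes the intended networks are aligned prefixes that do not overlap
    one another (true for the three /24s above).
    """
    remaining = [ipaddress.ip_network(supernet)]
    for n in map(ipaddress.ip_network, nets):
        next_remaining = []
        for piece in remaining:
            if n.subnet_of(piece):
                # Carve n out of this piece; address_exclude yields the leftovers.
                next_remaining.extend(piece.address_exclude(n))
            elif piece.subnet_of(n):
                # Piece lies entirely inside an intended network: drop it.
                continue
            else:
                next_remaining.append(piece)
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    summary = smallest_supernet(SUBNETS)
    extra = overmatched(SUBNETS, summary)
    print(f"smallest single prefix covering all three: {summary}")
    print(f"ranges that prefix also matches: {[str(n) for n in extra]}")
    print(f"extra addresses matched: {sum(n.num_addresses for n in extra)}")
    print(f"networks a /22 would miss: {[str(n) for n in uncovered('192.168.70.0/22', SUBNETS)]}")
```

The output is the practical reason a single summary prefix is a poor fit here: the tightest prefix that holds all three /24s is a /20, which also matches more than three thousand addresses outside them, while a /22 cannot hold all three at all. Grouping the interfaces (or an alias listing the exact networks) keeps the rule scoped to precisely those three networks.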
-
@jmbraben
You can do this with floating rules. These can be applied to multiple interfaces and interface groups.
But I'd suggest to create an interface group and add your rules to this one. So they are applied to all member interfaces. You have to know that WireGuard and OpenVPN are already predefined interface groups, but including the respective VPNs only.
To add a VPN to a custom interface group, you have to assign interfaces to the VPN instances before. You can do this in Interfaces > Interface Assignments.
Under "available network ports" you can see the VPN instances, e.g. ovpns1 or tun_wg0. Select your VPN instance here, click Add, open the new interface settings, enable it and state a proper name. Then you can add these interfaces to a custom interface group. After creation you get a new rules tab.
You also should know that rules on an interface group are probed before rules on the member tab. So you can have rules on both, but the group rules have priority.
-
@viragomann
Thanks so much for the help...this was exactly what I was looking for (but didn't know existed)