Ghost-like firewall tab (OpenVpn) and how to delete it
-
I really need some help here. It's driving me crazy.
I recently backed up pfSense from one machine and restored it to another machine. Everything works fine, the network, port forwards, they all worked well. However, on the firewall rule page, there are two OpenVPN-related tabs.

The first `OOpenVPN` tab has no rule. And the 2nd `OpenVPN` has the `allow all` rule to make the VPN work. I'm pretty sure before the migration there was only one tab.

My Interfaces setup is this:

As you can see, the name of the interface is set to `O` + `OpenVPN` on purpose.

In the exported XML backup file, the interface config is this:

```xml
<opt2>
  <descr><![CDATA[OOpenVPN]]></descr>
  <if>ovpns1</if>
  <enable></enable>
  <spoofmac></spoofmac>
</opt2>
...
```

The `<filter>` config is

```xml
<rule>
  <id></id>
  <tracker>1683866084</tracker>
  <type>pass</type>
  <!-- This isn't the name of the interface, which should be `opt2` -->
  <interface>openvpn</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  <tagged></tagged>
  <max></max>
  <max-src-nodes></max-src-nodes>
  <max-src-conn></max-src-conn>
  <max-src-states></max-src-states>
  <statetimeout></statetimeout>
  <statetype><![CDATA[keep state]]></statetype>
  <os></os>
  <source>
    <any></any>
  </source>
  <destination>
    <any></any>
  </destination>
  <descr><![CDATA[AAllow VPN]]></descr>
  <created> ... </created>
  <updated> ... </updated>
</rule>
<separator>
  <opt1></opt1>
  <wan></wan>
  <lan></lan>
  <opt2></opt2>
  <openvpn></openvpn>
</separator>
```

Even if I remove `opt2` from the `separator` list, after restoring the backup file the tab still comes back.

Could someone help me understand why the `OpenVPN` tab always respawns? Thanks!
-
If I add a rule under the first `OOpenVPN` tab, it'll appear on the `opt2` interface in the config file, because `opt2` is the virtual interface that was created for OpenVPN:

```xml
<rule>
  <id></id>
  <tracker>1683867315</tracker>
  <type>pass</type>
  <interface>opt2</interface>
  <ipprotocol>inet</ipprotocol>
  <tag></tag>
  ...
</rule>
```
-
@left4apple and what is the problem exactly?
This is just an interface that is mapped to an openvpn-instance. It's perfectly normal to have a tab for each interface
-
@heper said in Ghost-like firewall tab (OpenVpn) and how to delete it:

> It's perfectly normal to have a tab for each interface
exactly.. But the question would be why are they assigning an interface to openvpn "server" instance.. That is normally done when you create a client vpn connection.
Example - see here, I have a ns1vpn and openvpn.. the interface is assigned to the client vpn instance..
-
The 'OpenVPN' tab is like an interface group for all OpenVPN traffic. It applies to clients and servers that have not been assigned as a separate interface and those that have.
If you assign an OpenVPN client or server it becomes an interface and gets its own tab, which is what you are seeing there. It's expected.
Assigning a server allows you to apply different firewall rules to it.
Importantly it also applies route-to/reply-to tags to traffic passed there, which can be required in some situations. But only if traffic is passed on the assigned interface tab and not the group tab, which applies first like all interface groups.
I would remove the pass rule from 'OpenVPN' and put it on 'OOPENVPN' instead.

Steve
-
Ah I see. Perhaps in my previous setup, the OpenVPN server wasn't assigned to an interface!
Thanks everyone for the explanation!
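
An added example, not part of the thread and not pfSense's own code: a Python script that reads a `config.xml` backup, lists which filter rules sit on the `openvpn` group tab versus the tabs of assigned OpenVPN interfaces, and flags pass rules on the group tab, which the thread notes applies first. The sample config is constructed from the fragments quoted above (the `em0`/`em1` devices are made up), and recognising assigned instances by the `ovpns`/`ovpnc` device prefix is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the fragments quoted in the thread; em0/em1 are made up.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <lan><if>em1</if></lan>
    <opt2><descr><![CDATA[OOpenVPN]]></descr><if>ovpns1</if><enable></enable></opt2>
  </interfaces>
  <filter>
    <rule><tracker>1683866084</tracker><type>pass</type><interface>openvpn</interface>
      <source><any></any></source><destination><any></any></destination></rule>
    <rule><tracker>1683867315</tracker><type>pass</type><interface>opt2</interface>
      <source><any></any></source><destination><any></any></destination></rule>
  </filter>
</pfsense>"""


def openvpn_tabs(root):
    """Return {rule interface key: tab label} for the group and each assigned instance."""
    tabs = {"openvpn": "OpenVPN (group)"}
    for ifc in root.findall("interfaces/*"):
        # Assumption: assigned OpenVPN servers/clients use ovpns*/ovpnc* devices.
        if ifc.findtext("if", "").startswith(("ovpns", "ovpnc")):
            tabs[ifc.tag] = ifc.findtext("descr") or ifc.tag.upper()
    return tabs


def audit(xml_text):
    """Group filter rule trackers by OpenVPN-related tab; flag pass rules on the group."""
    root = ET.fromstring(xml_text)
    tabs = openvpn_tabs(root)
    by_tab = {key: [] for key in tabs}
    findings = []
    for rule in root.findall("filter/rule"):
        key = rule.findtext("interface", "")
        if rule.find("floating") is not None or key not in by_tab:
            continue  # floating rules and non-OpenVPN tabs are out of scope here
        tracker = rule.findtext("tracker", "?")
        by_tab[key].append(tracker)
        if key == "openvpn" and rule.findtext("type") == "pass" and len(tabs) > 1:
            assigned = ", ".join(v for k, v in tabs.items() if k != "openvpn")
            findings.append(f"rule {tracker}: pass on the group tab, which applies "
                            f"before assigned tab(s) {assigned}")
    return tabs, by_tab, findings


if __name__ == "__main__":
    tabs, by_tab, findings = audit(SAMPLE_CONFIG)
    for key, label in tabs.items():
        print(f"{label} [{key}]: {by_tab[key]}")
    print("\n".join(findings))
```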