Firewall rules for VPN not routing
-
Hello,
I have a couple of computers on my network that I like to run through a VPN. I have had this working for a year or two under different scenarios. Today, I decided to stop using the separate ports on my Protectli (software switching) and put in a mini flex switch instead. I finally got all of my vLANs set up and things seemed to be back to normal...except my VPN rules. I have a rule under a vLAN that should pass traffic from the alias computers to the WireGuard gateway and tag it with "vpntraffic". I also have a floating rule to block all traffic tagged as "vpntraffic".
After getting everything set up, I remoted in to one of the computers to verify whether it was using the VPN. When I checked online, the IP was from my home. I decided to change the rule so that the default gateway was chosen, and the traffic still got out to the internet. The floating rule should have blocked the traffic. I changed the rule again to block all traffic for that alias. I am still getting to the internet.
I am running pfSense+ on 23.09. I have reset the states table and have rebooted a few times. I am not sure how I would troubleshoot this and not sure what information I need to provide. Thank you!!
-
@NotAHacker
I'm wondering what rule the screenshot is showing. It might be neither the tagging rule on the interface nor the floating block rule. Anyway, since it didn't get any hit, I assume not any packet from an IP in the VPNClients alias was arriving at this interface.
So possibly the rule is on the wrong interface?
-
It is the rule on the vLAN interface called [MY]Office, which is on the 192.168.69.X subnet. One of the computers in VPNClients is 192.168.69.104. The first time I set up the vLAN, pfBlocker did not add a rule to the interface. When I deleted the interface and recreated it, the pfBlocker rule showed up.
I am not sure how I can troubleshoot where the client is getting its internet from and how it is bypassing the rule.
-
@NotAHacker
So you say that client is a member of the alias, can only use IPv4 and the rule isn't applied?
The only other possibilities are other pass rules, which are probed before, e.g. floating or interface group rules. Are there any?
-
I do not have IPv6 enabled anywhere. Here is the Floating rule I have:
The interface group which was autocreated, called "WireGuard", does not have any rules in it.
All this was working just fine when I used the extra port on my Protectli box. But I read somewhere that a software switch is not as efficient as a hardware switch, and since I had a hardware switch lying around, I thought I would use that. Also, this helped me need one less vLAN, since my wired and wireless vLANs could be grouped into one interface.
Thanks!
-
@NotAHacker
As I said already, there isn't any packet hitting this pass rule with the VPNClients alias as source. So for troubleshooting I would sniff the traffic on this interface and see if the packets are coming in there. If not, check the other interfaces.
Or if you have just a handful of pass rules, enable the logging in each, ensure each has a unique name and check the firewall log then to see which rule is triggered.
-
Thank you for taking the time to walk me through this! I did some sniffing and it was all going through the correct interface. So I looked further into it and I found the issue. And what a simple, stupid mistake I made!!
I had put "vpntraffic" into Tagged, not Tag. It is funny how these little things get away from me sometimes.
Also, your username sounded familiar, so I looked at my history and you helped me 2.5 years ago with a VPN issue. Thank you for continuing to help people out and for being patient!!
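The mix-up described in this thread (putting the tag name in "Tagged", which only matches packets that already carry the tag, instead of "Tag", which applies it) is easy to reproduce in a toy first-match rule evaluator. The following is an added example written for this page, not pfSense code or anything posted in the thread. It assumes a kill-switch layout in which the floating block rule is attached to WAN in the "out" direction (a common arrangement; the thread does not show the screenshot), a constructed alias `VPN_CLIENTS`, and constructed rule and gateway names (`WG_GW`, `wg0`). Running it shows the three situations from the thread: the working configuration routes the client out the WireGuard interface, switching the rule to the default gateway gets caught by the floating block, and the Tagged/Tag mistake lets the packet fall through to the general allow rule untagged, so the kill switch never sees it.

```python
"""Toy first-match model of pfSense 'Tag' vs 'Tagged' rule semantics.

Constructed example, not pfSense code. Interface rules are evaluated
first-match on the inbound interface (they are 'quick' in pfSense); the
floating kill-switch rule is modelled as a block on WAN, direction 'out',
matching only packets that already carry the tag.
"""
from dataclasses import dataclass
from typing import Optional

VPN_CLIENTS = {"192.168.69.104", "192.168.69.105"}  # constructed alias members
WG_GATEWAY_UP = True  # assumption: the WireGuard gateway is reachable


@dataclass
class Packet:
    src: str
    in_if: str
    tag: Optional[str] = None    # mark applied by a matching 'Tag' rule
    gateway: str = "default"     # gateway chosen by policy routing


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    iface: str                       # interface the rule is attached to
    direction: str = "in"
    src: Optional[frozenset] = None  # source alias, None = any
    tagged: Optional[str] = None     # match only packets already carrying this tag
    tag: Optional[str] = None        # tag to apply when the rule matches
    gateway: Optional[str] = None    # policy-routing gateway, None = default
    log: bool = False


def matches(rule: Rule, pkt: Packet, iface: str, direction: str) -> bool:
    if rule.iface != iface or rule.direction != direction:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    if rule.tagged is not None and pkt.tag != rule.tagged:
        return False
    return True


def evaluate(rules, pkt, iface, direction, log, default="block"):
    """First matching rule wins; 'default' is the verdict when nothing matches."""
    for r in rules:
        if matches(r, pkt, iface, direction):
            if r.log:
                log.append(f"{r.name}: {r.action} {pkt.src} {direction} on {iface}")
            if r.tag:
                pkt.tag = r.tag
            if r.gateway:
                pkt.gateway = r.gateway
            return r.action
    return default


def egress_interface(pkt: Packet) -> str:
    """Policy-routed packets leave via the tunnel; everything else via WAN."""
    return "wg0" if pkt.gateway == "WG_GW" and WG_GATEWAY_UP else "wan"


def simulate(interface_rules, floating_rules, pkt):
    """Return (verdict, egress interface, log lines) for one packet."""
    log = []
    verdict = evaluate(interface_rules, pkt, pkt.in_if, "in", log)
    if verdict != "pass":
        return verdict, None, log           # dropped at the inbound interface
    out_if = egress_interface(pkt)
    # Outbound: only the floating rule is consulted; no implicit deny here.
    verdict = evaluate(floating_rules, pkt, out_if, "out", log, default="pass")
    return verdict, out_if, log


# Floating kill switch: block anything marked 'vpntraffic' that tries to leave via WAN.
FLOATING = [Rule("killswitch", "block", "wan", "out", tagged="vpntraffic", log=True)]


def office_rules(correct: bool, gateway: Optional[str] = "WG_GW"):
    """Rules on the office VLAN; correct=False reproduces the Tagged/Tag mix-up."""
    mark = {"tag": "vpntraffic"} if correct else {"tagged": "vpntraffic"}
    vpn_rule = Rule("vpn-clients", "pass", "office", src=frozenset(VPN_CLIENTS),
                    gateway=gateway, log=True, **mark)
    default_allow = Rule("office-any", "pass", "office", log=True)
    return [vpn_rule, default_allow]


def run(correct: bool, gateway: Optional[str] = "WG_GW"):
    pkt = Packet(src="192.168.69.104", in_if="office")  # constructed client
    return simulate(office_rules(correct, gateway), FLOATING, pkt)


if __name__ == "__main__":
    for label, args in [("correct", (True,)),
                        ("default gateway", (True, None)),
                        ("Tagged instead of Tag", (False,))]:
        verdict, out_if, log = run(*args)
        print(f"{label:22s} -> {verdict} via {out_if}; log: {log}")
```

The per-rule log lines are the point of the second reply's advice: with logging enabled and unique rule names, the leaking case shows only the general allow rule firing and the VPN rule absent from the log, which is exactly the "no hits" symptom that pointed at the rule never matching.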
-
@NotAHacker
Such little mistakes may happen. But nice that you got it sorted.