Netgate Discussion Forum
    firewall ruleset for different tenants to grant access to their subnets/services

    OpenVPN (2 Posts, 2 Posters, 289 Views)
    alexanderlang

      Hi folks,

      I run pfSense as a border router/firewall/OVPN gateway for multiple tenants; let's call them group A and B.
      I run two OVPN servers on this firewall, and the users of group A and B connect to their respective OVPN service, let's say one service on WAN-IP:1194 and the second on WAN-IP:1195.
      I used the approach of assigned OVPN interfaces as mentioned in the docs, so I can filter traffic for group A and B individually on their respective firewall tabs.
      I need guidance on how to set up the rule sets on the firewall to grant group A access only to their subnet of services (e.g. 192.168.1.0/24) and to keep OVPN traffic from entering the subnet of group B (e.g. 192.168.2.0/24).

      What I've learned so far from the docs:
      Processing order of FW rules is:

      1. "OpenVPN tab": delete rules like "allow any to any", as this would match any OVPN traffic of any OVPN service and then not process the subordinate rules on the individual FW rules tabs.
         The docs state: "Rules on assigned interface tabs are processed after rules on the OpenVPN tab. To match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” or “Block all” style rules from the OpenVPN tab and craft more specific rules instead."
         So what would these rules on the general OVPN tab look like, and how do I go from here? How can I differentiate traffic from OVPN service 1 from service 2?
         Any help is greatly appreciated, thanks in advance!
      AudioDave

        When you defined the OVPN, you specified an IP range to assign the incoming connection. By default, traffic OUT of those ranges is allowed and the traffic IN to the subnets/VLAN is BLOCKED. Simply go to each of the subnets and ALLOW traffic from the OVPN ranges appropriately.

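To show why the processing order quoted in the question matters for the isolation the reply describes, here is an added Python model of first-match rule evaluation (group OpenVPN tab first, then the assigned interface tab); it is not code from the thread or from pfSense, and the tunnel networks 10.8.1.0/24 and 10.8.2.0/24 and the interface names ovpns1/ovpns2 are assumptions.

```python
import ipaddress

# Constructed example ruleset (not pfSense's own config): each rule is
# (source network, destination network, action), evaluated first-match.
TUNNEL_A = ipaddress.ip_network("10.8.1.0/24")  # assumed tunnel net of OVPN server 1 (tenant A)
TUNNEL_B = ipaddress.ip_network("10.8.2.0/24")  # assumed tunnel net of OVPN server 2 (tenant B)
LAN_A = ipaddress.ip_network("192.168.1.0/24")  # tenant A services, from the post
LAN_B = ipaddress.ip_network("192.168.2.0/24")  # tenant B services, from the post
ANY = ipaddress.ip_network("0.0.0.0/0")


def evaluate(openvpn_tab, assigned_tabs, iface, src, dst):
    """Return 'pass' or 'block' for a packet arriving on `iface`.

    Mirrors the order the docs describe: the OpenVPN group tab is consulted
    first, the assigned interface tab (ovpns1/ovpns2) only if nothing on the
    group tab matched; no match at all means the default deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in openvpn_tab + assigned_tabs.get(iface, []):
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "block"


# Per-tenant rules on the assigned interface tabs: each tunnel reaches only its own subnet.
ASSIGNED = {
    "ovpns1": [(TUNNEL_A, LAN_A, "pass")],
    "ovpns2": [(TUNNEL_B, LAN_B, "pass")],
}

# Misconfiguration the question warns about: "allow any to any" on the OpenVPN tab.
OPENVPN_TAB_ALLOW_ALL = [(ANY, ANY, "pass")]
# Corrected: nothing broad on the group tab, so the per-tenant tabs decide.
OPENVPN_TAB_EMPTY = []


def cross_tenant_leaks(openvpn_tab):
    """True if a tenant-B client (arriving on ovpns2) can reach tenant A's subnet."""
    return evaluate(openvpn_tab, ASSIGNED, "ovpns2", "10.8.2.5", "192.168.1.10") == "pass"


if __name__ == "__main__":
    print("allow-all on OpenVPN tab leaks B->A:", cross_tenant_leaks(OPENVPN_TAB_ALLOW_ALL))  # True
    print("empty OpenVPN tab leaks B->A:", cross_tenant_leaks(OPENVPN_TAB_EMPTY))  # False
    print("tenant A to own subnet:", evaluate(OPENVPN_TAB_EMPTY, ASSIGNED, "ovpns1", "10.8.1.7", "192.168.1.10"))  # pass
```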
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.