Netgate Discussion Forum
    OVPN client to pfSense: I want only internet access?

    OpenVPN
    Mr. Jingles

      Hello :D

      What kind of firewall rules would I need to achieve that, when I am abroad and connect via 4G to my pfSense, I can only use my pfSense to access the internet?

      I don't want to be able to connect to local LANs or VLANs: only use my pfSense to have a trusted gateway instead of mobile operator or public WIFI.

      Thank you for any help  :P

      Bye  :)

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      Mr. Jingles

        Edit, I think I can do it with a 'not' rule I now realize, but:

        A. Do I need to add that as a firewall rule, or a firewall/openvpn rule?
        B. How can you be assured the 'not' rule always contains all the LANs and VLANs, also when you add one or more later? (In our ERP systems we can arrange solutions like that easily, but I don't know how to do it in pfSense.)

        marvosa

          So, you want all of your VPN traffic routed down the tunnel and you don't want to be able to access your LAN? That's pretty straightforward:

          • Enable the "Redirect Gateway" option in your config.

          • Leave the "IPv4 Local network(s)" empty

          • As a secondary measure, you can add block rules on your LAN interfaces for traffic sourced from the tunnel network configured on your Remote Access Server

          Derelict (LAYER 8, Netgate)

            "Not" rules should not be used to block traffic.

            Block the local networks as destinations on the OpenVPN rules then pass any.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Mr. Jingles

              Thank you both for your replies  :)

              Derelict, per your previous reply to me: this time in this thread I do realize I gave too little information, sorry  :'(

              My situation is twofold:
              1. I have road warriors: these should not be able to access LAN and VLAN: internet only.
              2. There is also site to site (S2S), Synologies that need to sync to remote sites.

              I've been trying to set this up in Firewall/Rules/OpenVPN, but many things apparently were wrong, because both road warrior tunnel and S2S tunnel stopped working.

              For road warrior, I added:
              A top block rule: SRC 192.168.100.0/24 (= tunnel network), DEST ALIAS_LOCAL_LANS.
              A pass rule: SRC 192.168.100.0/24 (= tunnel network), DEST any.

              The server refused to start. So I next added the normal smartphone VLAN: 192.168.7.0/24 as a SRC. Server didn't want to start either.

              Now for the extra special thing:

              The S2S server also didn't want to start, complaining about 192.168.100.2, which is an IP for the road warrior, not for the tunnel.

              So I deleted all rules and put in the ALL ALL ALL rule.

              The 'funny' thing was: apparently OpenVPN choked on it, because in Status/Services I could not restart the service (the little green icon kept on turning around), and I also couldn't stop the service (the stop icon kept on turning too, together with the restart icon that also kept on turning). So I had to reboot the box.

              How could I fix my OpenVPN firewall rules for both road warrior and S2S? And do I need FW rules on the S2S client too, or only on the server?

              Ideally, btw, I wouldn't want a block rule with the full 192.168.100.0/24 network in it; I would want it to be like in my LANs, where all clients have static IPs. The problem is: in OpenVPN I cannot add static IPs for the smartphones.

              Would setting up OpenVPN as an interface solve this, or will I be causing more new problems then?

              Thank you for your help  :D

              Bye,

                Derelict (LAYER 8, Netgate)

                I would run a separate OpenVPN instance for the Road Warriors and another for the Site-to-Site.

                I would assign interfaces to both.

                I would remove all rules from the OpenVPN tab.

                Then put the rules governing traffic allowed from the synologies on that instance and the rules governing traffic from the road warriors on that one.

                They should both have separate tunnel networks so you could also just use that as the source address for the road warrior rules on the OpenVPN group tab without the assigned interfaces. Then use the tunnel network and the remote networks for the site-to-site in the same manner.

                At least a couple ways to accomplish the task. Sort of depends on what you want to do.

                  Derelict (LAYER 8, Netgate)
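The rule-ordering advice given in this thread (block the local networks as destination and then pass any; keep separate instances and tunnel networks for the road warriors and the site-to-site link; keep the local-networks alias current as VLANs are added) can be checked with a small first-match rule evaluator. This is an added illustration written for this page, not pfSense or pf code: 192.168.100.0/24 and 192.168.7.0/24 come from the thread, while the LAN, site-to-site tunnel and remote-site networks, the leftover "ALL ALL ALL" pass rule and the idea of deriving ALIAS_LOCAL_LANS from the interface table are assumptions made for the example.

```python
"""First-match model of the pfSense rule patterns discussed in the thread.

Added example for this page, not pfSense code. It shows that an explicit
block rule for local destinations stays effective even when another pass
rule is present, while a single "pass to not-local" rule only works as long
as nothing else passes the traffic.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample topology. Only 192.168.100.0/24 (road-warrior tunnel)
# and 192.168.7.0/24 (smartphone VLAN) appear in the thread; the rest are
# assumed values for the illustration.
LOCAL_INTERFACES: Dict[str, IPv4Network] = {
    "LAN": ip_network("192.168.1.0/24"),
    "PHONES_VLAN": ip_network("192.168.7.0/24"),
}
RW_TUNNEL = ip_network("192.168.100.0/24")   # road-warrior tunnel network
S2S_TUNNEL = ip_network("10.99.0.0/24")      # assumed site-to-site tunnel network
REMOTE_SITE = ip_network("192.168.50.0/24")  # assumed LAN behind the remote Synology
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: Tuple[IPv4Network, ...]  # source networks
    dst: Tuple[IPv4Network, ...]  # destination networks (alias contents)
    negate_dst: bool = False      # models the "not" checkbox on the destination


def _in(addr: IPv4Address, nets: Tuple[IPv4Network, ...]) -> bool:
    return any(addr in n for n in nets)


def evaluate(rules: List[Rule], src: str, dst: str, default: str = "block") -> str:
    """Evaluate top to bottom, first match wins; unmatched traffic falls to the
    interface default, which on pfSense is deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if not _in(s, r.src):
            continue
        hit = _in(d, r.dst)
        if r.negate_dst:
            hit = not hit
        if hit:
            return r.action
    return default


def local_alias(interfaces: Dict[str, IPv4Network]) -> Tuple[IPv4Network, ...]:
    """ALIAS_LOCAL_LANS built from the interface table (assumed approach), so a
    VLAN added later is covered without editing the rule itself."""
    return tuple(interfaces.values())


def add_interface(interfaces: Dict[str, IPv4Network], name: str, cidr: str) -> Dict[str, IPv4Network]:
    """Return a copy of the interface table with one more local network."""
    updated = dict(interfaces)
    updated[name] = ip_network(cidr)
    return updated


def road_warrior_rules(interfaces: Dict[str, IPv4Network] = LOCAL_INTERFACES) -> List[Rule]:
    """Derelict's pattern for the road-warrior instance: block local
    destinations first, then pass any."""
    return [
        Rule("block", (RW_TUNNEL,), local_alias(interfaces)),
        Rule("pass", (RW_TUNNEL,), (ANY,)),
    ]


def not_rule(interfaces: Dict[str, IPv4Network] = LOCAL_INTERFACES) -> List[Rule]:
    """The 'not' approach: a single pass rule whose destination is NOT the alias.
    It passes non-local traffic but blocks nothing by itself."""
    return [Rule("pass", (RW_TUNNEL,), local_alias(interfaces), negate_dst=True)]


def s2s_rules(interfaces: Dict[str, IPv4Network] = LOCAL_INTERFACES) -> List[Rule]:
    """Separate site-to-site instance: its tunnel and the remote site may reach
    the LAN (for the Synology sync) and nothing else."""
    return [Rule("pass", (S2S_TUNNEL, REMOTE_SITE), (interfaces["LAN"],))]


# The "ALL ALL ALL" rule mentioned in the thread, left in place below the others.
LEFTOVER_PASS_ANY = Rule("pass", (ANY,), (ANY,))


if __name__ == "__main__":
    phone, vlan_host, internet = "192.168.100.2", "192.168.7.5", "8.8.8.8"
    print("block-then-pass, to VLAN:", evaluate(road_warrior_rules(), phone, vlan_host))
    print("block-then-pass, to internet:", evaluate(road_warrior_rules(), phone, internet))
    print("not-rule plus leftover pass any, to VLAN:",
          evaluate(not_rule() + [LEFTOVER_PASS_ANY], phone, vlan_host))
    print("block-then-pass plus leftover pass any, to VLAN:",
          evaluate(road_warrior_rules() + [LEFTOVER_PASS_ANY], phone, vlan_host))
```

The two cases worth comparing are the ones with the leftover pass-any rule: the "not" rule simply fails to match LAN-bound traffic and lets the next pass rule take it, whereas the explicit block rule matches first and the later pass rule never sees the packet. The `add_interface` call also makes question B concrete: a rule set built from a stale alias passes traffic to a newly added VLAN, one built from the updated table blocks it.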

                  For road warrior, I added:
                  A top block rule: SRC 192.168.100.0/24 (= tunnel network), DEST ALIAS_LOCAL_LANS.
                  A pass rule: SRC 192.168.100.0/24 (= tunnel network), DEST any.

                  The server refused to start.

                  OpenVPN firewall rules have zero bearing on whether a server will start or not. Even the rule on WAN that passes traffic to the server itself (UDP/1194) will not prevent the server from starting - it just won't receive any connections.

                  I have noticed a trend that you tend to blame completely unrelated causes for the effects you are seeing. Maybe slow down a little, think things through, and read more documentation.

                    A Former User

                    @Mr. Jingles:

                    The problem is: in OpenVPN I can not add static IP's for the smartphones.

                    You can set static IPs in OpenVPN using Client Specific Overrides; it is not necessary to create a specific pfSense interface for that.
