Netgate Discussion Forum
RC1 blocks all openvpn traffic

Category: Firewalling. 7 posts, 5 posters, 3.4k views.

paulpach (Jun 26, 2006, 3:18 PM)

Hi, we just updated pfSense in our router to RC1, now the firewall blocks everything from TUN0. The OpenVPN connection is established with no problems, but if I try to ping or ssh into one of the machines behind the firewall, it blocks it.

I know it is the firewall because I am looking at the firewall log in the web UI, and I can see all my traffic being blocked.

If I try to add a rule to the firewall (web UI) to let stuff from OpenVPN through, there is no option for it, only "wan, lan, pptp and pppoe".

Please help, how do I tell the firewall not to block OpenVPN?
sullrich (Jun 26, 2006, 3:41 PM)

From a shell run:

```sh
cvs_sync.sh releng_1
```
ecce (Jun 28, 2006, 8:36 PM)

Hi,

I've had exactly the opposite problem.

I have RC1a installed on my box and was used to creating firewall rules for OpenVPN on tunX interfaces.
So I just restored the backup XML file from the BETA4 release and everything - except OpenVPN - was configured as before.
OK, so I reconfigured OpenVPN as a server, found tun0 in "Assign interfaces", assigned it its previous name (TUN0) and voilà, my firewall rules for TUN0 were there again.

The only problem was that the rules didn't work - I had a "Block outbound netbios traffic" rule.
After some searching I found the following passage in filter.inc which I had to comment out in order to get my rules working:

```php
update_filter_reload_status("Setting up tun interfaces (openvpn)");
/* openvpn tun interfaces.  check for 100. */
/* For every tunX that exists, emit an unconditional "pass ... quick" rule in
   both directions; "quick" means pf stops evaluating at this rule, so later
   user rules on the same interface are never consulted. */
for($x=0; $x<100; $x++) {
    if(does_interface_exist("tun{$x}") == true) {
        $rule .="pass out quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
        $rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
    }
}

return $rule;
```

I would suggest inserting something like a "Check this to allow all OpenVPN traffic" option on the OpenVPN configuration page which is enabled by default and just toggles the above code on or off, so users wanting more control could just get it.

Regards,
Marc

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
                              murphy's rule: "there is always one error left."
~~(¸¸ ¸¸ºº> ___________________________________________________.·'´¯)~
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
ecce (Jun 28, 2006, 9:23 PM)

:o
Oops! Found a very dramatic error in my previous post!

You will have to leave the `return $rule;`

Murphy's calling me… ;D

Marc

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
                              murphy's rule: "there is always one error left."
~~(¸¸ ¸¸ºº> ___________________________________________________.·'´¯)~
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
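The two posts above describe why a user "Block outbound netbios traffic" rule on TUN0 had no effect until the auto-generated pass rules were commented out (keeping the `return $rule;`), and propose a checkbox to toggle those rules. The following is an added example, not code from pfSense or from the posters: a small Python simulation of pf rule evaluation (top-to-bottom, last match wins, except that a matching "quick" rule stops evaluation), with the filter.inc loop rendered as a function that takes the proposed on/off toggle. It assumes the auto-generated rules precede the user's interface rules in the generated ruleset, which is consistent with what the post observed; the `existing_tun` set is a constructed stand-in for `does_interface_exist()`, and the sample packets and user rules are constructed.

```python
"""Added example: pf "quick" rule ordering and the tun0 auto-pass rules.

Not pfSense code and not from the forum posts. Models a simplification of pf:
rules are evaluated top to bottom, the last matching rule decides, and a
matching rule marked "quick" ends evaluation immediately with its action.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

AUTO_LABEL = "let out anything from firewall host itself openvpn"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in", "out" or "any"
    iface: str                   # interface name, or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port, None = any
    quick: bool = False
    label: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """Field-by-field match; "any" and None act as wildcards."""
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(ruleset: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, str]:
    """Return (action, label) for pkt: last match wins unless a match is quick."""
    decision = (default, "default policy")
    for rule in ruleset:
        if matches(rule, pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break  # "quick": stop here; later rules are never consulted
    return decision


def openvpn_auto_rules(existing_tun: Set[str], enabled: bool = True) -> List[Rule]:
    """Python rendering of the filter.inc loop quoted in the thread, plus the
    on/off toggle the post proposes. existing_tun is a constructed stand-in
    for pfSense's does_interface_exist() check (assumption, not real API)."""
    rules: List[Rule] = []
    if not enabled:
        return rules
    for x in range(100):
        name = f"tun{x}"
        if name in existing_tun:
            rules.append(Rule("pass", "out", name, quick=True, label=AUTO_LABEL))
            rules.append(Rule("pass", "in", name, quick=True, label=AUTO_LABEL))
    return rules


def build_ruleset(auto_pass_enabled: bool) -> List[Rule]:
    """Constructed ruleset: auto rules for tun0 (if enabled) followed by the
    kind of user rules the post describes on the TUN0 interface."""
    user_rules = [
        Rule("pass", "in", "tun0", label="allow VPN clients in"),
        Rule("block", "out", "tun0", proto="udp", dport=137,
             label="Block outbound netbios traffic"),
        Rule("block", "out", "tun0", proto="tcp", dport=139,
             label="Block outbound netbios traffic"),
    ]
    return openvpn_auto_rules({"tun0"}, enabled=auto_pass_enabled) + user_rules


# Constructed sample packets: NetBIOS name service out of the tunnel, SSH in.
NETBIOS_OUT = Packet("out", "tun0", "udp", 137)
SSH_IN = Packet("in", "tun0", "tcp", 22)


def decisions(auto_pass_enabled: bool) -> Dict[str, str]:
    """Action taken for each sample packet under the given toggle setting."""
    rs = build_ruleset(auto_pass_enabled)
    return {"netbios": evaluate(rs, NETBIOS_OUT)[0],
            "ssh": evaluate(rs, SSH_IN)[0]}


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"auto pass-quick rules enabled={enabled}: {decisions(enabled)}")
```

With the toggle on, the outbound NetBIOS packet hits the auto "pass out quick on tun0" rule first and evaluation stops, so the user's block rule is never reached; with the toggle off, the block rule is the last match and takes effect while SSH into the tunnel still passes via the user's own pass rule. The "let out anything" label on the auto rules is therefore the thing to look for in the firewall log when a TUN0 rule appears to be ignored.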
Always (Jul 14, 2006, 8:54 AM)

@sullrich:

> From a shell run:
>
> cvs_sync.sh releng_1

Is it possible to make an up-to-date CF image for embedded systems with the latest Releng1 code?

Thanks
hoba (Jul 14, 2006, 9:07 AM)

http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT-07-12-2006/
Always (Jul 14, 2006, 10:18 AM)

Many thanks.