RC1 blocks all openvpn traffic

paulpach · Jun 26, 2006, 3:18 PM

Hi, we just updated pfsense in our router to RC1, now the firewall blocks everything from TUN0. The openvpn connection is established with no problems, but if I try to ping or ssh into one of the machines behind the firewall, it blocks it.

I know it is the firewall because I am looking at the firewall log in the webui, and I can see all my traffic being blocked.

If I try to add a rule to the firewall (web ui) to let stuff from openvpn through, there is no option for it, only "wan, lan, pptp and pppoe".

Please help, how do I tell the firewall not to block openvpn?

sullrich · Jun 26, 2006, 3:41 PM

From a shell run:

cvs_sync.sh releng_1

ecce · Jun 28, 2006, 8:36 PM

Hi,

I've had exactly the opposite problem.

I have RC1a installed on my box and was used to create firewall rules for OpenVPN on tunX interfaces.
So I just restored the backup XML file from the BETA4 release and everything - except OpenVPN - was configured as before.
OK, so I reconfigured OpenVPN as a server, found tun0 in "Assign interfaces", assigned it its previous name (TUN0) and voilà my firewall rules for TUN0 were there again.

The only problem was that the rules didn't work - I had a "Block outbound netbios traffic" rule.
After some searching I found the following passage in filter.inc which I had to comment out in order to get my rules working:


	update_filter_reload_status("Setting up tun interfaces (openvpn)");
	/* openvpn tun interfaces.  check for 100\. */
	for($x=0; $x<100; $x++) {
		if(does_interface_exist("tun{$x}") == true) { 
			$rule .="pass out quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
			$rule .="pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
		}
	}

	return $rule;

I would suggest to insert something like a "Check this to allow all OpenVPN traffic" on the OpenVPN configuration page which is enabled by default and just toggles the above code on or off so users wanting more control could just get it.

Regards,
Marc

ecce · Jun 28, 2006, 9:23 PM

:o
Oops! Found a very dramatic error in my previous post!

You will have to leave the```
return $rule;


Murphy's calling me… ;D

Marc

Always · Jul 14, 2006, 8:54 AM

@sullrich:

From a shell run:

cvs_sync.sh releng_1

Is it possible to make an up to date CF image for embedded systems with the latest Releng1 code?

Thanks

hoba · Jul 14, 2006, 9:07 AM

http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT-07-12-2006/

Always · Jul 14, 2006, 10:18 AM

Many thanks.