Packet Flow OpenVPN
-
I'm a bit confused on pfSense packet flow.
Let's say I wanted to block/allow a packet from a workstation over an IPSEC tunnel. I could block it on the LAN interface as it enters or I could block it on the IPSEC interface as it enters (routed from LAN int). Is this correct? All packet filtering is ingress on the interface?
Obviously you want to block/allow as close to the source as possible, but I just want to make sure I'm understanding it correctly.
When pfSense is acting as an OpenVPN client, however, and an interface is assigned, you now have both an OpenVPN and an OPT1/VPN interface that show under Firewall Rules. Which do you use?
-
The IPsec tab blocks traffic as it enters from the remote side. You can't block traffic from your LAN on the IPsec interface, only on the LAN interface.
If you have your OpenVPN interface assigned, the interface rules on that tab take effect. Only the unassigned OpenVPN interfaces are governed by the rules on the OpenVPN tab.
These days most people don't need to have their OpenVPN interfaces assigned, however.
-
Thanks for the reply. That makes sense. I'm a little foggy though, if you don't assign your OpenVPN interface can you still assign another Gateway to use for PBR?
-
If you want to do PBR, then you do need to assign it so it gets a gateway. That kind of use still isn't all that common though; most VPNs are just routing normal subnets, not internet-bound traffic.
-
Makes sense. Unfortunately, I'm 98% sure something is broken in pfSense 2.0 Final in regards to this setup (OpenVPN client assigned to interface). I've been playing with it for days and something just isn't right.
-
I've been running with two interfaces assigned on 2.0 (as are many pfSense customers) since the BETA days without issues.
-
Take a look at the last page of the StrongVPN/OpenVPN guide. It seems a few people are having issues as of 2.0 Final.
Everything is correct. But for whatever reason the Gateway for the OpenVPN interface shows online, then goes offline after 5 seconds or so.