    Can I use pfblocker to block all incoming traffic, but still use a VPN?

Firewalling

relink2013:

Hello everyone, fairly new to pfSense and I'm working on a setup for my company. I like the idea of being able to block all incoming connections as there is no need for anyone to be able to connect to our servers remotely, except a small (4) group of people who need to be able to use Splashtop, FTP, WebDAV, and connect to our 3CX phone system. If I set pfBlocker to block all incoming connections, will a VPN still function to get around the blocks? This way the only people who can connect are the few people with VPN access?

justin.j:

        Will you be using pfSense as your VPN server or an existing server on your network?

relink2013:

I will more than likely be using pfSense for the VPN.

viragomann:

pfBlocker just adds firewall rules to the configured interface(s). Firewall rules are evaluated in the order they are shown, from top to bottom. If a rule matches, the following ones are ignored.
To access your VPN server, add a rule to allow this traffic above the blocking rules. It does not matter here whether pfSense is your VPN server or another host behind it.

justin.j:

@viragomann:

    pfBlocker just adds firewall rules to the configured interface(s). Firewall rules are evaluated in the order they are shown, from top to bottom. If a rule matches, the following ones are ignored.
    To access your VPN server, add a rule to allow this traffic above the blocking rules. It does not matter here whether pfSense is your VPN server or another host behind it.

              It matters because if you're using an internal, non-pfSense firewall he'd also need to port forward.

relink2013:

I guess what I'm going after is this: could I close all ports on the router except the ones required for the VPN to function, and then just use the VPN to access our phone, surveillance, and file servers that way? So this way essentially you must have VPN access to get to anything. To add to that question, I also wanted to know if I could block just about every IP address from being able to connect, unless you have VPN access.

Hackers are getting nasty, and this is just an added layer of security. I remember logging attempted connections to my FTP server at home, and found that at least one person a day would attempt to get in.

viragomann:

@justin.j:

    It matters because if you're using an internal, non-pfSense firewall he'd also need to port forward.

That doesn't matter for the position of an appropriate firewall rule. Port forwarding is basically needed if you want to access another host behind pfSense, except when the firewall is in bridge mode.

@relink2013:

    Hello everyone, fairly new to pfSense and I'm working on a setup for my company. I like the idea of being able to block all incoming connections as there is no need for anyone to be able to connect to our servers remotely, except a small (4) group of people who need to be able to use Splashtop, FTP, WebDAV, and connect to our 3CX phone system. If I set pfBlocker to block all incoming connections, will a VPN still function to get around the blocks? This way the only people who can connect are the few people with VPN access?

pfSense blocks any incoming connection by default. So if you just open the ports for the VPN only in the firewall rules, you get what you want.
You just have to take care in addition that the return packets of the VPN traffic are routed over the VPN connection as well.

If you want, you can also block any outgoing traffic except the VPN or whatever else you need by adapting the LAN interface rules.

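The first-match ordering viragomann describes in both replies (an allow rule for the VPN port placed above the pfBlocker block rules, with pfSense's implicit default deny catching everything else) as an added Python simulation; this is not code from the thread or from pfSense, and the OpenVPN port 1194 and the blocked network are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions (not from the thread): OpenVPN listening on UDP 1194 and a
# constructed pfBlocker list holding one documentation network (TEST-NET-3).
VPN_PORT = 1194
PFBLOCKER_LIST = (ipaddress.ip_network("203.0.113.0/24"),)

@dataclass(frozen=True)
class Packet:
    src: str      # source address, constructed sample values below
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the WAN address

@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: str = "any"                # "any", "tcp" or "udp"
    src_nets: tuple = (ipaddress.ip_network("0.0.0.0/0"),)
    dport: Optional[int] = None       # None matches every destination port
    label: str = ""

def matches(rule: Rule, pkt: Packet) -> bool:
    src = ipaddress.ip_address(pkt.src)
    return ((rule.proto in ("any", pkt.proto))
            and any(src in net for net in rule.src_nets)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """pfSense WAN semantics: the first matching rule wins; when nothing
    matches, the interface's implicit default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return f"{rule.action} ({rule.label})"
    return "block (default deny)"

VPN_PASS = Rule("pass", "udp", dport=VPN_PORT, label="allow VPN")
PFB_BLOCK = Rule("block", src_nets=PFBLOCKER_LIST, label="pfBlocker list")
GOOD_ORDER = [VPN_PASS, PFB_BLOCK]   # allow above the block, as advised
BAD_ORDER = [PFB_BLOCK, VPN_PASS]    # block above the allow: VPN user on a listed net is cut off

if __name__ == "__main__":
    samples = [Packet("203.0.113.10", "udp", VPN_PORT),  # VPN user from a listed network
               Packet("198.51.100.7", "udp", VPN_PORT),  # VPN user from elsewhere
               Packet("198.51.100.7", "tcp", 21)]        # direct FTP attempt, no VPN
    for pkt in samples:
        print(pkt, "| good order:", evaluate(GOOD_ORDER, pkt),
              "| bad order:", evaluate(BAD_ORDER, pkt))
```

Only the VPN port is ever reachable from outside; FTP, WebDAV and the phone system stay behind the default deny and are reached through the tunnel.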
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.