VPN Traffic Blocking
-
I have a pfsense box set up as a firewall, and then I have a pfsense box set up as an OpenVPN server. The VPN is primarily set up for remote voip phones. We use aastra phones that use xml features (requiring http traffic).
Here's my problem:
SIP, RTP, and ICMP packets pass just fine in both directions.
HTTP is allowed coming FROM the VPN network
HTTP is blocked going TO the VPN network
(there are some other ports blocked, but 80 is the main one that gives us problems). I have turned off states on both inbound and outbound VPN traffic (this is because setting up a call with sip generates repeat packets which the firewall blocks and then the call won't complete).
Any thoughts?
Home network: 10.51.1.0/24
Remote network: 10.51.2.0/26
Phone Server: 10.51.1.75
-
There are a few things I see here which may be the cause of the issue. One of them is that you have a LanNet address sitting in the 10.51.1.0/24 range and the destination you have defined in your rules (subnetted '/18') will include your home range as well (10.51.0.0/18 = 10.51.0.1 up to 10.51.63.254). NAT-wise, this could cause potential routing problems.
Secondly, the fourth and fifth rules down have exclamation marks before the destination addresses, meaning you've inverted the rules here, suggesting the firewall is allowing all traffic from your local LAN and phone server to anywhere EXCEPT the 10.51.0.0/18 range.
It may be that there are other issues at work here which might also be causing you problems, but these are the ones that spring to mind.
-
I'll give my logic on those rules. Maybe I've gone about it all wrong.
1. Default anti-lockout
2. ALLOW Anything coming from 10.51.1.0/24 that is going to any of our VPN nets (10.51.2 - 10.51.5 currently, but expectation of more thus the 10.51.0.0/18), use normal routing (check routing table on pfsense box), and do not keep state.
3. Basically the same as 2, but reversed (VPN -> local net), and also use a queue
4. ALLOW Any traffic coming from the phone server THAT IS NOT destined for a VPN net, don't use routing table (just send it out WAN1), use a queue.
5. ALLOW Any traffic coming from the local net THAT IS NOT destined for a VPN net, don't use routing table (just send it out WAN1).
6. (turned off, but redundant)
7. ALLOW the actual VPN net (the openvpn net)
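An added example, written for this thread rather than taken from either poster, that models rules 2 to 5 as described above and checks the address overlap the reply points out. It assumes a simplified first-match model with only source and destination networks (interfaces, ports, routing and queue options are left out).

```python
from ipaddress import ip_address, ip_network

# Networks quoted in the thread
HOME_NET = ip_network("10.51.1.0/24")
REMOTE_NET = ip_network("10.51.2.0/26")
VPN_AGGREGATE = ip_network("10.51.0.0/18")   # "VPN nets" destination used in rules 2-5
PHONE_SERVER = ip_network("10.51.1.75/32")

# Simplified rule model (assumption: src net, dst net, whether dst is negated with "!").
# Ports, interfaces, routing and queue settings from the real rule set are omitted.
RULES = [
    ("2 LAN -> VPN nets", HOME_NET, VPN_AGGREGATE, False),
    ("3 VPN nets -> LAN", VPN_AGGREGATE, HOME_NET, False),
    ("4 phone server -> !VPN nets", PHONE_SERVER, VPN_AGGREGATE, True),
    ("5 LAN -> !VPN nets", HOME_NET, VPN_AGGREGATE, True),
]


def rule_matches(rule, src, dst):
    """True if the flow src->dst is matched by this rule, honouring '!' on the destination."""
    _name, src_net, dst_net, negate_dst = rule
    if src not in src_net:
        return False
    in_dst = dst in dst_net
    return (not in_dst) if negate_dst else in_dst


def first_match(src, dst):
    """Return the name of the first rule that matches, or None (first-match semantics)."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule_matches(rule, src, dst):
            return rule[0]
    return None


def overlap_report():
    """Show which quoted networks fall inside the /18 used as 'VPN nets'."""
    return {
        "home_inside_aggregate": HOME_NET.subnet_of(VPN_AGGREGATE),
        "remote_inside_aggregate": REMOTE_NET.subnet_of(VPN_AGGREGATE),
        "aggregate_first_last_host": (str(VPN_AGGREGATE[1]), str(VPN_AGGREGATE[-2])),
    }


if __name__ == "__main__":
    print(overlap_report())
    print(first_match("10.51.1.75", "10.51.2.10"))  # phone server -> remote phone
    print(first_match("10.51.1.75", "10.51.1.20"))  # phone server -> another LAN host
```

Because 10.51.1.0/24 sits inside 10.51.0.0/18, LAN-to-LAN flows are caught by the "VPN nets" rule rather than the negated rules 4 and 5, which is the overlap the reply describes.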