Prevent some LAN devices from being accessable over L2TP/IPsec
-
There's no way you need that floating rule - especially since it's direction out. Get rid of it and put a Pass IPv4 any source any dest any rule on L2TP VPN.
You need to make sure:
The L2TP VPN tab contans rules that dictate what you want your L2TP clients to have access to. Since you want them to access the internet over the tunnel, that means block what you don't want them to access and pass everything else.
There is proper outbound NAT on WAN for the L2TP tunnel network.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Thank you for your help in this matter …
I have done that and turned of the Floating rule... and I made sure the NAT has the rules in place... I also did the PASS any rule on the L2TP tab. for now I am not blocking anything in that TAB until I get the Internet to work again... Once the floating rule was turned of so did the Internet turn off for the Remote Client. (I do reset the states after each change)
on NAT I have Hybrid selected to manually and Automatically create rules. No luck -
I put this on my test system last night and I am not convinced there's not something funky going on. Did you set it up like this?
https://doc.pfsense.org/index.php/L2TP/IPsec
-
yes that is what I used … and that is where I was told if traffic is blocked to use the floating rule.
-
That's exactly what I am seeing and was going to post about it. Guess it's a known issue. This L2TP/IPsec is brand new in 2.2 I think. I don't think it was feasible with raccoon.
I'll add the floating rule tonight and see. But, in a nutshell, your IPsec rules need to pass L2TP (UDP 1701), your L2TP VPN needs to pass traffic that you want clients to access (or in your case, block what you don't want them to access and pass everything else. And, I guess, there needs to be a floating rule passing return traffic back out to L2TP clients.
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
any news yet ? I can not block lan access unless I turn of the floating rule. and if I do so I lose also internet access.
-
Sorry. I haven't revisited it. It says right there in the wiki that a floating pass rule on L2TP VPN interface might be necessary.
-
Thank you and yes that is certainly no problem at all. The problem is that after doing so I no longer have the ability to block access to certain LAN devices.
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection. -
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection.
Looking at the wiki, that rule is direction Out. Not really sure how's that affecting you.
-
neither do i .. I just know I can no longer block access to the lan
-
Did you configure this as direction Out and not any? Plus, what's preventing you from using the Source/Destination to restrict this to what you want only?
-
I used out only but when I used ports 53, 80, 443 to allow browsing only on the floating rule it does not work (see sample)
the floating rule only allows internet when any is selected …(see below)
-
And why are those other rules floating? Leave the wiki one as floating direction out and put the rest where it belongs to restrict traffic. I really don't understand how we all of a sudden got to the "to allow browsing only ". You stated the goal is to "prevent some LAN devices from being accessable over L2TP/IPsec". This is the exact opposite direction.
-
my goal is to allow people to browse through the vpn ..but not access the lan network… but to allow browsing I need to turn on the floating rule (TCP any out)
when that is done... I can no longer prevent them from accessing the lan also.... the rules in the l2tp vpn tab no longer works
-
the rules in the l2tp vpn tab no longer works
Yeah, those will never work… since, this tab is completely WRONG side of the tunnel. You need to move to the other firewall on the other end to block access to LAN. Or really dunno what "LAN network" are you talking about. Perhaps draw some diagram what are you trying to block where.
-
i have no other firewall in place only the pfsense unit. I only have VPN connections coming in… and there is no firewall that I know off...
-
i have no other firewall in place only the pfsense unit. I only have VPN connections coming in… and there is no firewall that I know off...
Sorry, but floating rule with direction OUT will never apply to inbound traffic to the selected interface. You are doing this upside down. You cannot take the wiki rule as is and start restricting ports/IPs accessible on your LAN.
-
Read the language in the documentation again:
Firewall traffic blocked outbound
If the firewall logs show traffic blocked "out" on L2TP, then add a floating firewall rule to work around the block:
Navigate to Firewall > Rules, Floating tab
Click "+" to add a new rule
Set 'Action to Pass
Check Quick
Select L2TP VPN for the Interface
Set Direction to Out
Set Protocol to TCP
Set Source/Destination as needed, or set to any
Advanced Features:
Set TCP Flags to Any flags
Set State Type to Sloppy StateYou should then control what your L2TP VPN clients can connect to with rules on your L2TP VPN tab. if you only want them to get at TCP/UDP 53, TCP/80, and TCP/443 put those pass rules there. Everything else will be blocked as it enters the firewall from the clients. Except that it doesn't work.
I just tested it. The floating rule is exactly as described above. Direction OUT on L2TP VPN verified. It appears the rules on the L2TP VPN tab are ignored. Yes, I cleared states.
I can still SSH to 172.26.0.100 and the source address is the VPN client address 172.29.7.128.
-
Yeah, of course they will get ignored when you tick the "Quick" checkbox on the floating rule.
