Netgate Discussion Forum
    General VPN traffic

General pfSense Questions
    6 Posts 3 Posters 1.1k Views

cal2600

We have users that need to get VPN traffic out for work. Since I don't know what or who they are connecting to, is there a way to pass generic VPN traffic in and out of pfSense? They connect through an access point on the LAN interface of pfSense.

Thanks again

We have a LAN interface and a WAN interface.
DHCP on LAN, static IP on WAN. The AP (172.16.50.253) gets addresses from the LAN DHCP pool 172.16.50. - 50.200. We have: allow any TCP/UDP ports 53, 80, 443 to any on the LAN interface. We also have a VPN ports alias group with TCP port 1723 and UDP ports 50, 500, 1701 and 4500 on the LAN interface, with allow from LAN net to any from VPN alias group to any. The WAN interface has the stock rules. This is a separate network outside of our production network for guest access.

Derelict (Netgate)

Need way more info to hazard so much as a guess.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

awebster

Please post screenshots of rules / NAT.
Is the WAN IP a public IP?

UDP 500, 4500 should work for most VPNs provided they support NAT-T. If not you might also need to enable protocol ESP.

–A.

Derelict (Netgate)

Why lock down guest access so hard? Just askin'.


cal2600

I have a meeting about that tomorrow morning; I think they are just going to let me send it all out. If that is the case, would I remove everything and put in the pass from any to any rule on the LAN interface?

Derelict (Netgate)

Pass access to the local assets they need, if any (DNS, etc.)
Reject access to the local assets you want to protect (other local networks, this firewall)
Pass everything else (the internet)


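The two LAN rule sets discussed in this thread, the locked-down one from the first post and the pass/reject/pass pattern from the last reply, evaluated side by side with pfSense's top-down, first-match, default-deny semantics. This is an added example, not code from the thread or from pfSense. The guest LAN (172.16.50.0/24) and the VPN port alias come from the first post; the firewall's LAN address (172.16.50.1), the use of the RFC 1918 ranges as "local assets to protect", and the sample destinations (203.0.113.10, 10.20.0.5) are assumptions made for the demonstration. It also shows the ESP point from awebster's reply: ESP is IP protocol 50, not a UDP port, so a UDP/50 alias entry never matches it.

```python
"""First-match evaluation of two LAN rule sets (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None

GUEST_LAN = ipaddress.ip_network("172.16.50.0/24")        # "LAN net" from the thread
FIREWALL_LAN_IP = ipaddress.ip_network("172.16.50.1/32")  # assumed pfSense LAN address
RFC1918 = [ipaddress.ip_network(n)                        # assumed: the production/other local nets
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Port alias from the first post. Note: 50 here is a UDP port; ESP is IP protocol 50.
VPN_TCP = {1723}
VPN_UDP = {50, 500, 1701, 4500}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", "esp"
    dport: Optional[int] = None   # None for protocols without ports (esp, icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "reject"
    protos: Optional[frozenset]   # None = any protocol
    dst: Optional[tuple]          # None = any destination, else tuple of networks
    dports: Optional[frozenset]   # None = any port
    note: str


def rule(action, protos, dst, dports, note):
    """Small constructor so rule sets read like a pfSense LAN tab."""
    return Rule(action,
                frozenset(protos) if protos else None,
                tuple(dst) if dst else None,
                frozenset(dports) if dports else None,
                note)


def matches(r: Rule, f: Flow) -> bool:
    if ipaddress.ip_address(f.src) not in GUEST_LAN:   # every rule here is "source: LAN net"
        return False
    if r.protos is not None and f.proto not in r.protos:
        return False
    if r.dst is not None and not any(ipaddress.ip_address(f.dst) in n for n in r.dst):
        return False
    if r.dports is not None and f.dport not in r.dports:  # a port-less flow never matches a port rule
        return False
    return True


def evaluate(rules, f: Flow) -> str:
    """pfSense semantics: rules are checked top-down, first match wins, no match = deny."""
    for r in rules:
        if matches(r, f):
            return r.action
    return "deny (default)"


# Rule set 1: the locked-down LAN tab described in the first post.
RESTRICTED = [
    rule("pass", {"tcp", "udp"}, ANY, {53, 80, 443}, "DNS + web to any"),
    rule("pass", {"tcp"}, ANY, VPN_TCP, "VPN alias, TCP"),
    rule("pass", {"udp"}, ANY, VPN_UDP, "VPN alias, UDP"),
]

# Rule set 2: the pass / reject / pass pattern from the last reply. Order matters:
# the DNS pass must sit above the reject, because the firewall's own address is inside RFC 1918.
OPEN_GUEST = [
    rule("pass", {"tcp", "udp"}, [FIREWALL_LAN_IP], {53}, "local asset they need: DNS on the firewall"),
    rule("reject", ANY, RFC1918, ANY, "local assets to protect: other local nets, this firewall"),
    rule("pass", ANY, ANY, ANY, "everything else: the internet"),
]

# Constructed sample flows from a guest client behind the AP.
SAMPLE_FLOWS = {
    "ikev2 to internet":     Flow("172.16.50.20", "203.0.113.10", "udp", 500),
    "esp to internet":       Flow("172.16.50.20", "203.0.113.10", "esp"),
    "dns to firewall":       Flow("172.16.50.20", "172.16.50.1", "udp", 53),
    "https to production":   Flow("172.16.50.20", "10.20.0.5", "tcp", 443),
    "https to firewall gui": Flow("172.16.50.20", "172.16.50.1", "tcp", 443),
    "ssh to internet":       Flow("172.16.50.20", "203.0.113.10", "tcp", 22),
}


def compare(flows=SAMPLE_FLOWS):
    """Return {flow name: (verdict under RESTRICTED, verdict under OPEN_GUEST)}."""
    return {name: (evaluate(RESTRICTED, f), evaluate(OPEN_GUEST, f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (restricted, open_guest) in compare().items():
        print(f"{name:24} restricted={restricted:15} open_guest={open_guest}")
```

Two things stand out in the output. The locked-down set passes ESP nowhere (it is not UDP, so the default deny catches it) yet passes HTTPS from the guest network into production and to the firewall's own web interface, because "port 443 to any" says nothing about the destination. The three-rule pattern does the reverse: anything into the local ranges is rejected except the DNS service the guests actually need, and every protocol, ESP included, is passed to the internet.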
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.