[SOLVED] OpenVPN firewall rule issue
-
WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.
You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.
-
So I am not able to purely specify to pass traffic for those users to only the internet? I have to allow them access to everything then go through and manually create rules to block access to everything else on the network? That seems a bit bizarre, why can't I just grant them pass access to the internet?
-
Think about it. What are the destination addresses on the internet?
Yes, maintaining a firewall can be work.
-
I understand that, I obviously can't list every address on the internet. But isn't there a means to permit the VPN clients to purely access through the WAN interface to the internet?
-
No.
You can usually make an RFC1918 alias and make one rule for that and one for this firewall and catch about everything.
-
Thanks for clarifying it. Can you explain why, as I don't understand the technical reason for not being able to permit all traffic outbound on a specific interface regardless of the destination address?
-
Because it doesn't work that way. I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets. Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.
You would absolutely want to uncheck System > Advanced > Miscellaneous tab Skip rules when gateway is down if you are going to rely on policy routing as a security measure. I would advise against it.
-
Thank you for answering, I appreciate it. As you have likely worked out, I am relatively new to this and trying to improve my knowledge and ability.
For my purpose i.e. wanting a group of VPN users to have access to one particular device on my network and internet access, but no access to anything else, would it be effective and efficient to use some form of subnet/VLAN to segregate all of the secure devices onto one to which they have no access while the one device and the WAN interface access sits on another to which they do have access?
-
It doesn't matter where the WAN is. If you have all the things you want to protect on one network then you can block the access to everything with one rule.
But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing then block LAN net then pass any.
1. Pass specific local assets you want them to access (specific host on LAN)
2. Block more general things you don't want them to access (LAN net, This firewall)
3. Pass everything else (the internet)
-
Thank you so much, that has worked perfectly. That is what I was trying to achieve, I had just wrongly assumed that I would be able to purely open access to just the one local asset and the outbound WAN. I understand now, time to go find something else to break!
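The three-step ordering from the thread (pass the one host, block This firewall and the local networks, then pass any) works because pfSense evaluates interface rules first-match. The Python model below is an added example, not part of the thread, and its addressing (tunnel 10.8.0.0/24, LAN 192.168.1.0/24, firewall 192.168.1.1, permitted host 192.168.1.50, WAN 203.0.113.5) is constructed; it also uses the RFC1918 alias suggested earlier in the thread instead of just LAN net, and shows what happens if the pass-any rule is placed first.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (assumptions, not from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "This firewall" in pfSense terms: every address the firewall itself owns.
THIS_FIREWALL = [ipaddress.ip_network(a) for a in ("192.168.1.1/32", "203.0.113.5/32", "10.8.0.1/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    action: str   # "pass" or "block"
    dst: list     # destination networks the rule matches
    label: str

def evaluate(rules, dst_ip):
    """First-match evaluation as pfSense does for interface rules: the first
    rule whose destination contains dst_ip decides; no match means the
    implicit default deny applies."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if any(ip in n for n in r.dst):
            return r.action, r.label
    return "block", "default deny"

# The ordering recommended in the thread: specific pass, broad blocks, pass any.
OPENVPN_RULES = [
    Rule("pass", [ipaddress.ip_network("192.168.1.50/32")], "pass to allowed host"),
    Rule("block", THIS_FIREWALL, "block This firewall"),
    Rule("block", RFC1918, "block RFC1918 alias"),
    Rule("pass", ANY, "pass any (internet)"),
]

# Same rules with "pass any" first: the block rules below it are never reached.
WRONG_ORDER = [OPENVPN_RULES[3]] + OPENVPN_RULES[:3]

def check(rules, destinations):
    """Return {destination: action} for a list of destination addresses."""
    return {d: evaluate(rules, d)[0] for d in destinations}

if __name__ == "__main__":
    samples = ["192.168.1.50", "192.168.1.10", "192.168.1.1", "203.0.113.5", "8.8.8.8"]
    for name, rs in (("correct order", OPENVPN_RULES), ("pass any first", WRONG_ORDER)):
        print(name, check(rs, samples))
```

Running it shows the correct order passing only the allowed host and public addresses, while the reversed order passes everything, including the LAN and the firewall itself.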