OpenVPN auto-rules not wanted
-
Just set up an OpenVPN server on v2.1-RC2. "pfctl -s nat" reveals that the OpenVPN server creates an automatic rule from any to the WAN IP for every port in my WAN rules. Why is this necessary? Does it think I created a tunnel for every user on the network, even via every gateway?
All I need is access through the WAN to the LAN subnet. I don't need it to provide access to every service running on the LAN subnet. Not that it should matter, but outbound NAT is set to manual rules.
How do I prevent OpenVPN from creating all these unnecessary rules?
-
System: Advanced: Firewall and NAT
Disable all Auto-added VPN rules.
{Profit}
-
Disabled all auto-added VPN rules, but the rules are still present. Reboot? Is manual removal of the auto-created rules necessary?
-
Which rule are you talking about?! This?
pass in quick on $OpenVPN from any to any keep state label "USER_RULE: OpenVPN [name] wizard"
Interfaces - Rules - OpenVPN. If you do not want it, then disable/delete the rule.
-
All the OpenVPN rules…
[2.1-RC2][admin@pfsense.router]/root(1): pfctl -s nat
no nat proto carp all
nat-anchor "natearly/" all
nat-anchor "natrules/" all
nat on igb0 inet all -> 71.93.28.166 port 1024:65535
no nat on igb1 inet proto tcp from (igb1) to 192.168.2.0/24
nat on igb1 inet proto tcp from 192.168.2.0/24 to <pfsense> port = ntp -> (igb1) round-robin
no nat on igb1 inet proto tcp from (igb1) to 192.168.2.0/24
no rdr proto carp all
rdr-anchor "relayd/" all
rdr-anchor "tftp-proxy/" all
rdr on openvpn inet proto tcp from any to 192.168.2.0/24 port = ntp -> <pfsense> round-robin
rdr on openvpn inet proto udp from any to 192.168.2.0/24 port = ntp -> <pfsense> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = https -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = mdbs_daemon -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = blackjack -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 2121 -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 6100 -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 8080 -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 9000 -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = https -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = mdbs_daemon -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = blackjack -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 2121 -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 6100 -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 8080 -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 9000 -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 6036 -> <company2> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 8045 -> <company2> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 6036 -> <company2> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = 8045 -> <company2> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = ftp -> <company3> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 4000 -> <company4> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port 5631:5634 -> <company5> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port 5631:5634 -> <company5> round-robin
rdr-anchor "miniupnpd" all
-
I cannot see any such rules here… Obviously not enough information provided. Sounds like NAT rules with source = any, absolutely nothing wrong with that.
-
Dok, I'm talking about the rules listed in my earlier post with company1, 2, etc. All those company rules are WAN forward rules, yes with source any, generated by NAT. My OpenVPN rule has been "IPv4 * * * * * none". Tried "IPv4 * * LAN subnet * * none", but then I don't get out the WAN. Tried "IPv4 * * * * WANGW none", but that doesn't eliminate OpenVPN duplicating all the WAN forward rules.
What additional info is needed?
-
I'm beginning to think the OpenVPN rules are auto-created as a "catch all" approach and are not user configurable, at least not through the webConfigurator.
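As an added example (not code from this thread or from pfSense), here is a small Python script that audits a `pfctl -s nat` dump for rdr rules on the OpenVPN interface and groups them by redirect target, so you can see exactly which forwarded services a VPN client can reach by hitting the WAN address, and which other redirects (like the NTP one) apply on the tunnel. The embedded sample dump is a constructed subset of the output posted above; the interface name `openvpn`, the WAN address and the table names in it come from that post, and the line format it parses is assumed to match what was posted.

```python
"""Audit which rdr rules pfSense has placed on the OpenVPN interface.

Added example, not from the thread or from pfSense. It parses the text that
`pfctl -s nat` prints (the format seen in the thread) and groups every rdr
rule on the VPN interface by its redirect target, optionally restricted to
rules whose destination is the WAN address.
"""
import re
from collections import defaultdict

# Values taken from the thread's dump (assumptions for this example).
VPN_IFACE = "openvpn"
WAN_IP = "71.93.28.166"

# Matches lines such as:
#   rdr on openvpn inet proto tcp from any to 71.93.28.166 port = https -> <company1> round-robin
#   rdr on openvpn inet proto tcp from any to 71.93.28.166 port 5631:5634 -> <company5> round-robin
# The target alternation accepts "<table>" even when the space before
# "round-robin" was lost (as in the thread's pasted output).
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) inet6? proto (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) "
    r"port (?:= (?P<port>\S+)|(?P<range>\S+:\S+)) "
    r"-> (?P<target><[^>]+>|\S+)"
)

# Constructed sample: a subset of the thread's output, one line deliberately
# missing the space after the table name to exercise the parser.
SAMPLE_DUMP = """\
no nat proto carp all
nat-anchor "natearly/" all
nat on igb0 inet all -> 71.93.28.166 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/" all
rdr on openvpn inet proto tcp from any to 192.168.2.0/24 port = ntp -> <pfsense> round-robin
rdr on openvpn inet proto udp from any to 192.168.2.0/24 port = ntp -> <pfsense> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = https -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 8080 -> <company1> round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = https -> <company1> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 6036 -> <company2>round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = ftp -> <company3> round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port 5631:5634 -> <company5> round-robin
rdr-anchor "miniupnpd" all
"""


def parse_rdr(line):
    """Return a dict for an rdr rule line, or None for nat rules, anchors, etc."""
    m = RDR_RE.match(line.strip())
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": m.group("port") or m.group("range"),
        "target": m.group("target"),
    }


def vpn_redirects(dump, vpn_iface=VPN_IFACE, wan_ip=None):
    """Group rdr rules on vpn_iface by redirect target.

    With wan_ip set, only rules whose destination is that address are kept
    (the WAN port forwards visible from the tunnel); with wan_ip=None every
    rdr on the VPN interface is reported. Returns {target: ["proto/port", ...]}.
    """
    by_target = defaultdict(set)
    for line in dump.splitlines():
        rule = parse_rdr(line)
        if rule is None or rule["iface"] != vpn_iface:
            continue
        if wan_ip is not None and rule["dst"] != wan_ip:
            continue
        by_target[rule["target"]].add(f'{rule["proto"]}/{rule["port"]}')
    return {target: sorted(ports) for target, ports in by_target.items()}


if __name__ == "__main__":
    import sys

    # Usage: pfctl -s nat > nat.txt; python audit_vpn_rdr.py nat.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(f"rdr rules on {VPN_IFACE} with destination {WAN_IP}:")
    for target, services in sorted(vpn_redirects(text, wan_ip=WAN_IP).items()):
        print(f"  {target}: {', '.join(services)}")
```

Run it against a saved `pfctl -s nat` dump from the box in question; the report is the list of forwarded services a connected VPN client can reach through the WAN address, which is the set you would cross-check against the firewall rules on the OpenVPN tab before deciding whether the pass rule there needs tightening.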