Netgate Discussion Forum
    Restrict access while maintaining OpenVPN connectivity

    Category: OpenVPN
    • cfarinella

      Netgate SG-1000, all updates applied.

      I am required to limit outbound access from my LAN which I access via OpenVPN. When I disable 'Default allow LAN to any rule' in the firewall, I lose the ability to login to the LAN via SSH. I can ping the IP addresses, but not login.

      I have attempted to allow inbound TCP on port 22 and inbound UDP on port 1194. What do I need to do that will allow me to shut down the 'Default allow LAN to any' rule and maintain my ability to SSH into the LAN via OpenVPN?

      • bepo

        What is your LAN network? What is your OpenVPN network?

        To access resources in your LAN network from outside (connected via OpenVPN) you should create firewall rules on the OpenVPN tab. Please provide more information about your network/VPN design.

        Rules on the LAN interface tab are used for LAN devices to access other networks. On pfSense you create rules on the interface on which the traffic arrives.

        Please use the thumbs up button if you received helpful advice. Thank you!

        • cfarinella

          Sorry for the delayed response, I've been away.

          We have a LAN behind a Netgate SG-1000. We access this LAN remotely via OpenVPN, which has been set up using the OpenVPN wizard. I believe this is a pretty simple, straightforward implementation.

          The OpenVPN interface has no restrictions placed on it, there are no firewall rules other than the default open to all.
          The LAN interface has the following firewall rules:
          IPv4 Default allow LAN to any rule
          IPv6 Default allow LAN to any rule
          allow Ping

          I am required by PCI to restrict the LAN access to only select IP addresses. As soon as I disable 'IPv4 Default allow LAN to any', I am unable to SSH into the LAN via OpenVPN. I can ping the LAN IP, and if I am already connected I do not lose my connection.

          Any guidance is appreciated.

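The point made above, that pfSense evaluates rules on the interface where a packet first enters, is easiest to see in the pf rule language that pfSense itself generates from the GUI tabs (it writes the result to /tmp/rules.debug; you do not hand-edit this on a Netgate box, the fragment below is only a reading aid). This is an added illustration, not a rule set from the thread or from Netgate. The addresses and interface names are assumptions: LAN 192.168.1.0/24 on the SG-1000 LAN port, the OpenVPN tunnel network 10.8.0.0/24 on ovpns1, and two placeholder "select IP addresses" that LAN hosts are still allowed to reach.

```pf
# Added illustration, not from the thread. Everything below is assumed:
# LAN 192.168.1.0/24 on cpsw1 (SG-1000 LAN port), WAN on cpsw0,
# OpenVPN tunnel 10.8.0.0/24 on ovpns1, and two placeholder destinations
# standing in for the "select IP addresses" PCI allows the LAN to reach.
lan_if      = "cpsw1"
wan_if      = "cpsw0"
lan_net     = "192.168.1.0/24"
vpn_net     = "10.8.0.0/24"
pci_allowed = "{ 203.0.113.10, 203.0.113.11 }"

# pfSense's implicit default: anything not matched by a rule below is dropped and logged.
block log all

# WAN tab: the rule the OpenVPN wizard adds so remote clients can reach the server.
pass in quick on $wan_if proto udp from any to ($wan_if) port 1194 keep state

# OpenVPN tab: packets *entering* from the tunnel, i.e. remote admins heading for the LAN.
# This is the rule that carries the SSH session; the LAN tab never sees these packets.
pass in quick on ovpns1 proto tcp from $vpn_net to $lan_net port 22 keep state
pass in quick on ovpns1 inet proto icmp from $vpn_net to $lan_net icmp-type echoreq keep state

# LAN tab, replacing "Default allow LAN to any": only governs packets that enter on cpsw1,
# i.e. LAN hosts talking outward. Replies to the VPN admin's SSH session are matched by
# the state created on ovpns1 above, so no LAN rule is needed for them.
pass in quick on $lan_if inet proto icmp from $lan_net to any icmp-type echoreq keep state
pass in quick on $lan_if proto { tcp udp } from $lan_net to $pci_allowed keep state
```

In the GUI these correspond to Firewall > Rules > OpenVPN (the two `ovpns1` rules) and Firewall > Rules > LAN (the last two rules, which take the place of the removed default). Two things to check when tightening the LAN tab this way: the IPv6 "Default allow LAN to any" rule listed in the thread needs the same treatment or IPv6 traffic from LAN hosts remains unrestricted, and any service the LAN hosts themselves rely on (DNS to the firewall, NTP, package updates) must be added to the LAN tab explicitly, because with the default rule gone nothing else lets LAN-originated traffic out. `pfctl -sr` on the console shows the rules actually loaded, which is the quickest way to confirm the GUI produced what you intended.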
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.