Netgate Discussion Forum

pfSense Firewall Rules

    19Giugno, Feb 28, 2019, 4:02 PM

    It wasn't. I added it, but still doesn't work when connected to the VPN.

      KOM, Feb 28, 2019, 4:35 PM

      Hold on a sec. Your VPN users are already inside your network, therefore they should not be using the NAT in the first place. Add a host override to your DNS config so that it resolves your web server's hostname to its LAN IP address. Then they should just be able to connect without issue.

        19Giugno, Feb 28, 2019, 4:53 PM

        Kom, this is what I added to the DNS Resolver:

        Host Overrides: Host bo-temp, Domain xxxx.com, IP 192.168.22.3, Description DNS

        Still not working. If I ping 192.168.22.3 from my machine connected to the VPN, I get a response. If I ping bo-temp.xxxx.com it resolves with the network public IP address.

          KOM, Feb 28, 2019, 5:46 PM

          This should be easy. You should be able to access your internal web server via the VPN without any magic. Let's start simple: Can you access it via its LAN IP address? e.g. http://192.168.22.3/?

            Grimson @19Giugno, Feb 28, 2019, 5:50 PM

            @19giugno said in pfSense Firewall Rules:

            Still not working. If I ping 192.168.22.3 from my machine connected to the VPN, I get a response. If I ping bo-temp.xxxx.com it resolves with the network public IP address.

            So what DNS is your machine using? For the DNS overrides to work it obviously has to use the DNS resolver/forwarder from the pfSense instance where the override is configured.

              19Giugno @KOM, Mar 1, 2019, 9:07 AM

              @kom said in pfSense Firewall Rules:

              http://192.168.22.3/?

              Yes I can.

                19Giugno @Grimson, Mar 1, 2019, 9:12 AM

                @grimson said in pfSense Firewall Rules:

                @19giugno said in pfSense Firewall Rules:

                Still not working. If I ping 192.168.22.3 from my machine connected to the VPN, I get a response. If I ping bo-temp.xxxx.com it resolves with the network public IP address.

                So what DNS is your machine using? For the DNS overrides to work it obviously has to use the DNS resolver/forwarder from the pfSense instance where the override is configured.

                Hi Grimson,
                I am using assigned DNS (Obtain DNS server address automatically). I am not sure how to check whether I am using the DNS resolver/forwarder, or how I can be sure to use it.

                  KOM, Mar 1, 2019, 2:25 PM

                  OK so your problem is DNS-related. Status - Services will tell you if you're using Forwarder (dnsmasq) or Resolver (unbound). Or you could go to Services - DNS Forwarder and see if it's enabled, likewise for Services - DNS Resolver.

                  It looks to me like you don't have your OpenVPN config quite right. In your config under Advanced Client Settings, are you pushing pfSense DNS to your VPN clients?

                    19Giugno, Mar 1, 2019, 3:11 PM
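Grimson's question above (which resolver the client is actually using) and KOM's follow-up can be checked from the VPN client itself. The script below is an added example, not code from this thread or from pfSense; it assumes the pfSense LAN address is 192.168.22.1 (the thread never states it) and uses 203.0.113.10 as a stand-in for the public address the override should replace.

```python
import ipaddress
import subprocess

# Constructed values: the thread names the web server (192.168.22.3) but not the
# pfSense LAN address, so 192.168.22.1 is assumed; 203.0.113.10 stands in for
# the public IP the user saw while the override was not applied.
HOSTNAME = "bo-temp.xxxx.com"
PFSENSE_LAN_IP = "192.168.22.1"
LAN_NET = "192.168.22.0/24"


def parse_nameservers(resolv_conf: str) -> list:
    """Return the resolvers a client is configured with (resolv.conf syntax)."""
    return [p[1] for p in (line.split() for line in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def query_a(resolver: str, name: str = HOSTNAME):
    """Live helper (needs dig): ask one resolver for an A record, None if no answer."""
    out = subprocess.run(["dig", "+short", "+time=2", "@" + resolver, name, "A"],
                         capture_output=True, text=True, timeout=10).stdout.split()
    addrs = [a for a in out if a.replace(".", "").isdigit()]
    return addrs[-1] if addrs else None


def diagnose(nameservers, answers, pfsense_ip=PFSENSE_LAN_IP, lan_net=LAN_NET):
    """Explain why a VPN client does or does not reach the server by name.

    answers maps each resolver to the A record it returned (None = no answer);
    fill it from query_a() on a live client or from captured values.
    """
    lan = ipaddress.ip_network(lan_net)
    result = {"uses_pfsense_resolver": pfsense_ip in nameservers,
              "override_effective": False, "notes": []}
    if not result["uses_pfsense_resolver"]:
        result["notes"].append("client never queries pfSense, so the host override "
                               "cannot apply: push the pfSense LAN IP as DNS in "
                               "OpenVPN Advanced Client Settings")
    for idx, ns in enumerate(nameservers):
        ip = answers.get(ns)
        if ip is None:
            result["notes"].append(f"{ns}: no answer for {HOSTNAME}")
        elif ipaddress.ip_address(ip) in lan:
            # Stub resolvers try the first server; only that one decides success.
            result["override_effective"] = result["override_effective"] or idx == 0
            result["notes"].append(f"{ns}: {ip} is on the LAN, override in effect")
        else:
            result["notes"].append(f"{ns}: {ip} is public, so traffic would hairpin "
                                   "through WAN/NAT instead of going direct")
    return result
```

On a live client, call `diagnose(ns, {r: query_a(r) for r in ns})` with `ns = parse_nameservers(open("/etc/resolv.conf").read())`.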

                    Hi KOM,
                    DNS Resolver is enabled, DNS Forwarder is not.

                    In OpenVPN, Advanced Client Settings there is nothing enabled.

                    Thanks.

                      KOM, Mar 1, 2019, 4:04 PM

                      So then try checking the DNS Server Enable box and then add your pfSense LAN IP address as DNS Server 1.

                        19Giugno @19Giugno, Mar 1, 2019, 4:18 PM

                        @19giugno said in pfSense Firewall Rules:

                        Hi KOM,
                        DNS Resolver is enabled, DNS Forwarder is not.

                        In OpenVPN, Advanced Client Settings there is nothing enabled.

                        Thanks.

                        Yes! That worked! It works now. Thank you so much!

                        I have another question now; if the answer is yes I will open a new thread: is it possible to have a whitelist specific to websites? I mean, on the web server I have website A and website B. Can I define an alias to access only website A and another one for website B?

                          KOM, Mar 1, 2019, 6:07 PM

                          Of course. You can specify the Source for any NAT you create. Create an alias for your whitelist and then use it as the Source in your NAT rule.

                            19Giugno, Mar 2, 2019, 8:02 AM

                            Thanks KOM for your help and your patience.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.