Netgate Discussion Forum

    IPSEC/OpenVPN disregards firewall rules

    Firewalling
    3 Posts 2 Posters 181 Views
    Flurkmark

      Hi all. I am missing something here. I'm not, shall we say, well versed with pfSense, since I set something up and it just works. No need to fiddle.

      I have a couple of IPsec tunnels to other sites and OpenVPN for laptops plus a Raspberry on a GSM stick in my summer house. All working just fine.

      I logged into my 'summer house' today and, figuring it was unnecessary to give it full access to my network due to it having a known vulnerability in its USB modem that I can't fix, I decided to block all but MQTT into my network.

      Here is what I seem to misunderstand and need help:

      I can't block traffic from OpenVPN. My only rule in 'firewall/openvpn' is block all. Still, I can ping the remote. I blocked all from the OpenVPN virtual network to LAN, can still log in. I remember that with the first VPN I set up many years ago I did the opposite: I could not get it to work because I missed the firewall/ipsec rule.

      I also tried to block all my IPsec tunnels, but I can still get traffic through.

      What am I misunderstanding?
      pfSense 2.4.4-RELEASE-p3 (amd64)

      Thanks in advance.
      //Peter

      Derelict LAYER 8 Netgate

        The rules on OpenVPN block connections into your firewall, not out of it.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Flurkmark

          Oh, doh, right. When I ping the VPN client, the traffic is allowed by my LAN rule and not subject to that ruleset; return traffic, I assume, is allowed because there is a state established. I see now that the remotes cannot initiate traffic if I place rules in 'openvpn'. Thanks.

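The behaviour the thread arrives at (interface rules are evaluated only for connections arriving on that interface, and reply traffic is passed by the state that the LAN rule created) can be shown with a small stateful filter simulation. This is an added example, not pfSense code and not anything the posters wrote; the interface names, addresses, ports and rules are constructed, and it simplifies pf by matching ICMP state on addresses alone and by treating every rule as first-match, which is how pfSense rules behave by default.

```python
"""Toy stateful packet filter: why a 'block all' ruleset on the OpenVPN
interface does not stop traffic the LAN initiates.  Constructed example."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet ARRIVES on; only its ruleset is consulted
    proto: str
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP (no ports)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))


class StatefulFilter:
    def __init__(self, rulesets: dict[str, list[Rule]]):
        self.rulesets = rulesets      # interface name -> rules, first match wins
        self.states: set[tuple] = set()

    def evaluate(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # An existing state (either direction) short-circuits the rulesets entirely.
        if fwd in self.states or rev in self.states:
            return "pass:state"
        for rule in self.rulesets.get(pkt.in_iface, []):
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(fwd)   # a passed packet creates a state
                return f"{rule.action}:rule"
        return "block:default"             # implicit default deny


# Constructed addresses: a LAN host (running the MQTT broker) and the VPN client.
LAN_HOST = "192.168.1.10"
VPN_CLIENT = "10.8.0.6"
MQTT_PORT = 1883


def run_scenario(openvpn_rules: list[Rule]) -> dict[str, str]:
    fw = StatefulFilter({"lan": [Rule("pass")], "openvpn": openvpn_rules})
    results = {}
    # 1. LAN host pings the VPN client: arrives on LAN, LAN 'pass any' creates a state.
    results["lan_ping_out"] = fw.evaluate(Packet("lan", "icmp", LAN_HOST, VPN_CLIENT))
    # 2. Echo reply arrives on OpenVPN: matched by the state, OpenVPN rules never consulted.
    results["ping_reply_in"] = fw.evaluate(Packet("openvpn", "icmp", VPN_CLIENT, LAN_HOST))
    # 3. VPN client opens SSH to the LAN host: a NEW connection inbound on OpenVPN.
    results["vpn_ssh_in"] = fw.evaluate(
        Packet("openvpn", "tcp", VPN_CLIENT, LAN_HOST, 40000, 22))
    # 4. VPN client connects to the MQTT broker on the LAN host.
    results["vpn_mqtt_in"] = fw.evaluate(
        Packet("openvpn", "tcp", VPN_CLIENT, LAN_HOST, 40001, MQTT_PORT))
    return results


def scenario_block_all() -> dict[str, str]:
    """The original poster's ruleset: only 'block all' on the OpenVPN tab."""
    return run_scenario([Rule("block")])


def scenario_mqtt_only() -> dict[str, str]:
    """The intended policy: pass only MQTT to the broker, block everything else."""
    return run_scenario([Rule("pass", proto="tcp", dst=LAN_HOST, dport=MQTT_PORT),
                         Rule("block")])


if __name__ == "__main__":
    for name, fn in (("block all", scenario_block_all), ("mqtt only", scenario_mqtt_only)):
        print(name, fn())
```

In both scenarios the ping from the LAN still succeeds, because the LAN ruleset passed the request and the reply rides on that state; only connections initiated from the VPN side are subject to the OpenVPN rules, which is exactly the distinction Derelict points out.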
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.