Netgate Discussion Forum

Using Open VPN service on XG-7100, prevent LAN clients connecting

Firewalling
48 Posts 5 Posters 6.1k Views

JKnott @shapelytraffic
last edited by JKnott

      @shapelytraffic

      Here's some info that may help:

      Interface Settings

The interface settings screen will differ based on the type of interface being dealt with. In pfSense® software, the real distinction between “WAN”, “LAN” and “OPT” interfaces is blurred as they are all capable of handling any role. For historical and ease-of-use purposes, the first two interfaces are WAN and LAN. Additional interfaces start at OPT1 and are numbered from there (OPT2, OPT3, … OPTn).

      As soon as you have installed pfSense, you have WAN and LAN interfaces, which are understood to have different roles. The LAN role is to pass everything to the WAN, unless specifically blocked. The WAN role is to block everything, unless specifically enabled.

      Try creating a couple of OPT interfaces to get a better idea of how rules are applied.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

Derelict LAYER 8 Netgate @shapelytraffic

        @shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:

        @Derelict what are you representing with "guest" network?

        The subnet of the GUEST interface. I have no idea what it was when I took that screen shot but if the GUEST interface is numbered like this:

        192.168.123.1 /24

        GUEST Address: 192.168.123.1/32
        GUEST Network: 192.168.123.0/24

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

shapelytraffic @JKnott

          @JKnott This is a production unit so I don't have the luxury of experimenting.

Derelict LAYER 8 Netgate

            So spin up a VM to experiment on. It doesn't cost anything.

shapelytraffic @Derelict

              @Derelict so, if I understand you correctly, you're saying to block private addresses on the WAN rule set to the WAN IP?

Derelict LAYER 8 Netgate

                No. Look at the rule set I posted. The rules go on the interface the connection comes INTO the firewall on. GUEST in that example.

                https://docs.netgate.com/pfsense/en/latest/book/firewall/index.html

shapelytraffic @Derelict

                  @Derelict so, for each internal interface, I need to implement these rules?

Derelict LAYER 8 Netgate

                    If that is the desired effect to implement your policy, yes.

JKnott @shapelytraffic

                      @shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:

                      @Derelict so, if I understand you correctly, you're saying to block private addresses on the WAN rule set to the WAN IP?

                      One very important thing to remember is that the rules are applied to the interface, not the address. So, you have to put the rule on the interface that the packets will pass through. If you try to reach the WAN address from the LAN, the packets will pass through the LAN interface, but not the WAN interface, so the rules go on the LAN interface.

shapelytraffic @Derelict

                        @Derelict I'm not certain we agree specifically what my desired effect is though. I would feel much more confident in your assistance if you would express to me what you think I'm trying to do, because in my mind it's not at all unusual. But your phrasing sounds skeptical.

Derelict LAYER 8 Netgate
last edited by Derelict

                          You do not want inside hosts to be able to connect to your OpenVPN server on the WAN address.

                          So you need to block those connections on the inside interfaces.

                          I'm pretty much done here. Can only say the same thing so many times. There is a book.

shapelytraffic @Derelict

                            @Derelict good on ya mate. How can I be as good as you.

JKnott @shapelytraffic

                              @shapelytraffic said in Using Open VPN service on XG-7100, prevent LAN clients connecting:

                              @Derelict I'm not certain we agree specifically what my desired effect is though. I would feel much more confident in your assistance if you would express to me what you think I'm trying to do, because in my mind it's not at all unusual. But your phrasing sounds skeptical.

You want to keep LAN users from using the VPN. So, all you have to do is block them with a rule on the LAN interface. Also, even if they did connect to it, the VPN still won't be used, because there is a direct connection that bypasses it and that connection will always be used.

                              You may need to brush up on how IP works. When you try to connect to something, the computer compares the destination address with the local network address and subnet mask. If the destination is on the same network, then the packet is sent directly to the destination. Any other destination requires routing and you can't route to your own network, as you'd be doing if you passed through the VPN.

shapelytraffic @JKnott

                                @JKnott thanks for taking the time to condescend. No thanks.

JKnott @shapelytraffic

                                  @shapelytraffic

                                  I wasn't trying to be condescending. You seemed to be having a problem understanding how it works.

shapelytraffic @JKnott

@JKnott you must have worked with any other kind of firewall that provides a VPN client (ex: SonicWall). In my experience, you don't have to roll your sleeves up to prevent LAN traffic from initiating the VPN: you can't go in through the out door.

                                    What I'm not understanding is why there isn't a prefab to do this?

shapelytraffic

                                      I mean, if you go back to the first comments, it's clear that there was a misunderstanding. One which was not admitted to.

JKnott @shapelytraffic

                                        @shapelytraffic

Is that SonicWall just a firewall? Or firewall/router? Entirely different devices. The purpose of a router is to route packets from one network to another. PfSense does that, but also has filtering so that it can be used as a firewall. Since the LAN and WAN are different networks, pfSense routes the packets. It makes no difference what the address is; if it's on the WAN interface, it gets routed in that direction, just as would a packet for the ISP's gateway. Then there's the added factor in that the WAN address is one of at least two valid addresses for the pfSense box. You're asking for something extra to block that VPN connection and that is a rule on the LAN interface. Also, think of other things that you might want to do. For example, in testing, you may want to use a specific interface, to ensure routing is working. So, from the LAN, you could ping the WAN address to verify it works. Or you could tell it to ping from a specific interface out onto the LAN. If you ping from the WAN, the replies have to be able to come back. Again, you have to configure what you want with the rules. That's what they're there for.

shapelytraffic

                                          This post is deleted!
stephenw10 Netgate Administrator

There is usually no reason to block clients connecting to a VPN from an internal interface. If they have access to the VPN then it's not a security issue anyway. At worst it might cause routing issues for clients who accidentally connect to the VPN when they are on the internal subnet.
If you don't want that to ever happen for some reason, you can make a floating reject rule with destination WAN address and port the VPN port and apply that to all the interfaces you want it on.

                                            Steve

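As an added illustration (not code from the thread or from pfSense itself), a small Python model of the evaluation order Derelict and Steve describe: rules are matched on the interface a packet enters, so a floating reject with destination WAN address and the VPN port, attached to LAN and GUEST, stops inside hosts while the WAN tab still admits remote clients. The interface names, the LAN and WAN addresses, and OpenVPN's default port 1194 are assumptions; only the GUEST network comes from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (example values, not from the thread, except the GUEST
# network Derelict quotes). OpenVPN's default port is assumed; the thread never
# names the port actually in use.
WAN_ADDR = ip_address("203.0.113.2")
NETS = {"LAN": ip_network("192.168.1.0/24"), "GUEST": ip_network("192.168.123.0/24")}
VPN_PORT = 1194

def rule(action, ifaces, proto=None, dst=None, dport=None, note=""):
    """A rule is attached to the interfaces a packet may ENTER on.
    proto/dst/dport of None mean 'any'."""
    return dict(action=action, ifaces=set(ifaces), proto=proto, dst=dst, dport=dport, note=note)

# pfSense evaluates floating rules before the per-interface tabs; modelled here
# as a 'quick' rule so first match wins. The reject that answers the thread lives
# on the INSIDE interfaces, not on WAN, because that is where inside hosts' packets arrive.
FLOATING = [rule("reject", ["LAN", "GUEST"], "udp", WAN_ADDR, VPN_PORT,
                 "inside hosts may not reach the OpenVPN listener on the WAN address")]
INTERFACE = {
    "WAN":   [rule("pass", ["WAN"], "udp", WAN_ADDR, VPN_PORT, "remote OpenVPN clients")],
    "LAN":   [rule("pass", ["LAN"], note="default allow LAN to any")],
    "GUEST": [rule("pass", ["GUEST"], note="allow GUEST to any")],
}

def matches(r, iface, proto, dst, dport):
    if iface not in r["ifaces"] or (r["proto"] and r["proto"] != proto):
        return False
    want = r["dst"]
    if want is not None:
        # a network matches by membership, a single address matches exactly
        hit = dst in want if hasattr(want, "network_address") else dst == want
        if not hit:
            return False
    return r["dport"] is None or r["dport"] == dport

def ingress_interface(src):
    """pf picks the rule set by the interface a packet arrives ON, which depends
    on where the sender sits, not on which firewall address it is talking to."""
    return next((name for name, net in NETS.items() if src in net), "WAN")

def evaluate(src, dst, proto="udp", dport=VPN_PORT):
    """Return (ingress interface, action, note) for a new connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    iface = ingress_interface(src)
    for r in FLOATING + INTERFACE[iface]:
        if matches(r, iface, proto, dst, dport):
            return iface, r["action"], r["note"]
    return iface, "block", "implicit default deny"
```

Running `evaluate("192.168.1.50", "203.0.113.2")` returns the LAN interface and `reject`, whereas the same destination from a remote address is matched on WAN and passed; a LAN host's ordinary TCP traffic to the same WAN address is untouched, because the floating rule only names the VPN port and protocol.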
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.