PFSense only for OpenVPN to Fileshare
-
I've followed this guide ( https://chrislazari.com/pfsense-setting-up-openvpn-on-pfsense-2-4/ ) to set up OpenVPN for workers to remotely access only a single fileshare on our internal network. My question is what other firewall rules will I need to add to the PFSense to ensure that it is secure. I know on my WAN interface I enter my public IP and I can do separate firewall rules for OpenVPN. If I'm ONLY using PFSense for OpenVPN, do I need to add other firewall rules to the regular table or just the OpenVPN table? Any point in the right direction would help a lot as I'm new to PFSense.
-
Firewalls control access to network resources. So if you allow SMB access to the server holding the fileshare, then all available fileshares are theoretically accessible.
It's the fileshare server's job to allow more granular access. Apart from that, since you are inside a VPN, I guess you have created a rule to allow traffic on the OpenVPN interface. This ruleset can be narrowed down as you wish to limit access to internal network resources.
-
@netblues Okay, that makes more sense. My main question is would I need to do that configuration on the WAN Interface as well as the OpenVPN rule set under firewall? The WAN Interface just has the default rules made when setting up OpenVPN, but I've limited port access on the OpenVPN interface so clients can only do fileshare and basic office work like HTTP/HTTPS.
-
The WAN interface deals with general incoming Internet traffic.
VPN traffic bypasses this, and yes, this is the correct way to do it.
-
Okay, so I could block everything except for the default OpenVPN traffic on the WAN Rules and the VPN Clients can still get to files shares?
-
@CantConfigureaVPN Yes. By default nothing is enabled on the WAN anyway.
-
@netblues Okay, final question. Do I need an outbound NAT rule for the VPN clients to get to LAN resources or is that automatic?
-
@CantConfigureaVPN In general you don't need any NAT while on VPN.
As long as all devices have pf as their default gateway, everything is handled via routing.
The 4G modem (and modems in general) either needs static routes, which is difficult or impossible to administer, or just the hack with NAT above.
It is based on the principle that connected networks don't need any routing.
-
Got it, thanks for all the help!
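The two rule tables discussed in this thread (WAN: nothing but the OpenVPN listener; OpenVPN interface: SMB to the one file server plus web traffic) can be sanity-checked with a small first-match model before touching the real box. The following is an added example, not code from the thread or from pfSense; the interface names, the addresses (documentation and private ranges) and the tunnel network are constructed, and UDP 1194 is assumed as the OpenVPN listener port (the pfSense default). It models what pfSense does on each interface: rules are evaluated top-down, the first match wins, and anything unmatched hits the implicit default deny.

```python
"""Toy first-match packet filter modelling the pfSense rule tables from the thread.

Added example only; all addresses, interface names and the tunnel network are
constructed values and the OpenVPN port (UDP 1194) is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan" or "openvpn"
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                    # "pass" or "block"
    proto: Optional[str]           # None matches any protocol
    src: str                       # source network in CIDR notation
    dst: str                       # destination network in CIDR notation
    dports: Optional[frozenset]    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dports is None or p.dport in self.dports))


# Constructed addressing for the example (assumptions, not from the thread).
WAN_IP = "203.0.113.10/32"      # the firewall's public address
VPN_TUNNEL = "10.8.0.0/24"      # tunnel network handed out to OpenVPN clients
LAN = "192.168.1.0/24"          # internal network
FILESERVER = "192.168.1.20/32"  # the single host holding the fileshare

RULES = [
    # WAN table: only the OpenVPN listener is reachable from the Internet.
    Rule("wan", "pass", "udp", "0.0.0.0/0", WAN_IP, frozenset({1194})),
    # OpenVPN table: SMB (TCP 445) to the one file server only.
    Rule("openvpn", "pass", "tcp", VPN_TUNNEL, FILESERVER, frozenset({445})),
    # Web traffic is allowed out, but the block for the rest of the LAN must
    # come first: with first-match semantics a broad "pass to any" placed
    # above it would silently expose internal web interfaces.
    Rule("openvpn", "block", "tcp", VPN_TUNNEL, LAN, frozenset({80, 443})),
    Rule("openvpn", "pass", "tcp", VPN_TUNNEL, "0.0.0.0/0", frozenset({80, 443})),
]


def evaluate(p: Packet, rules=RULES) -> str:
    """Return the verdict for a packet: first matching rule wins, otherwise
    the interface's implicit default deny applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Constructed sample traffic to exercise both tables.
SAMPLES = {
    "openvpn handshake from the Internet": Packet("wan", "udp", "198.51.100.7", "203.0.113.10", 1194),
    "direct SMB probe against the WAN":    Packet("wan", "tcp", "198.51.100.7", "203.0.113.10", 445),
    "VPN client -> file server SMB":       Packet("openvpn", "tcp", "10.8.0.6", "192.168.1.20", 445),
    "VPN client -> other LAN host SMB":    Packet("openvpn", "tcp", "10.8.0.6", "192.168.1.30", 445),
    "VPN client -> file server UDP 445":   Packet("openvpn", "udp", "10.8.0.6", "192.168.1.20", 445),
    "VPN client -> LAN web interface":     Packet("openvpn", "tcp", "10.8.0.6", "192.168.1.30", 443),
    "VPN client -> Internet HTTPS":        Packet("openvpn", "tcp", "10.8.0.6", "198.51.100.50", 443),
}


def verdicts() -> dict:
    """Evaluate every sample packet and return {description: verdict}."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:5}  {name}")
```

Note what the model does not capture, which is the point netblues made earlier in the thread: passing TCP 445 to the file server makes every share on that host reachable at the network layer, so share and NTFS permissions on the server remain the control that decides which fileshare a VPN user can actually open.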