Netgate Discussion Forum

    Firewall Rules for OpenVPN Tab versus Interface Rules

    11 Posts 3 Posters 1.1k Views
viragomann

OpenVPN is an interface group including all OpenVPN instances you're running on pfSense, servers as well as clients.

You need to add a specific interface to an OpenVPN instance for special functions and tasks which should not be applied to all OpenVPN instances or where the interface group doesn't fit.

@powerextreme said in Firewall Rules for OpenVPN Tab versus Interface Rules:

One thing I have noticed is that with my SNORT service

Yes, that's one. You also need a specific interface for other services like DNS.

Also it is necessary for policy routing rules to direct traffic to a VPN gateway.

You also need to add an interface if you want to get the benefit of the reply-to function in pfSense.
powerextreme

Thanks for the response. Which takes precedence?

A rule in the OpenVPN tab?
A rule in an interface created for an OpenVPN instance?
viragomann

Rules on an interface group have priority over those on interface tabs.

So if you assign an interface to an OpenVPN instance and add rules to it, you have to make sure that rules on the OpenVPN tab are not applied to the same traffic, or remove all rules from it.
powerextreme @viragomann

@viragomann
Thanks, but I don't fully understand.

For example, if I added an interface and had a rule to allow 'any <-> any' but had a deny all in the OpenVPN tab, which would take preference?
Rico

deny all

-Rico
powerextreme

@Rico

Let me flip it. If I had an OpenVPN tab rule for 'any <-> any' and had the following interface rules

allow 'any' <-> IP1
deny 'any' <-> IP2

Would any traffic make it to IP2?
viragomann @powerextreme

@powerextreme
Yes. The conditions of the any-to-any rule on the OpenVPN tab will match the traffic and so the rule will be applied.
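To make the precedence described in the two answers above concrete (rules on the OpenVPN interface-group tab are evaluated before rules on an assigned OpenVPN interface, and the first matching rule wins), here is a small Python model added to this thread. It is not pfSense code and was not posted by anyone in the thread; the evaluator, the tab names OpenVPN and OVPN_IFACE, and the client and target addresses are constructed assumptions, and floating rules are left out of the model.

```python
"""Toy model of pfSense rule precedence between the OpenVPN interface-group tab
and an assigned OpenVPN interface tab.

Added illustration, not pfSense code. The model assumes what the thread states:
rules on an interface group (the OpenVPN tab) are evaluated before rules on an
assigned interface, and the first matching rule wins (interface and group rules
are "quick" by default). Floating rules are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # IP address or "any"
    dst: str      # IP address or "any"
    tab: str      # which tab the rule lives on, used only for the explanation

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)


def evaluate(group_rules, iface_rules, src, dst):
    """Return (decision, matched_rule).

    Group-tab rules are checked before assigned-interface rules and the first
    match wins. No match at all falls through to the implicit default deny.
    """
    for rule in list(group_rules) + list(iface_rules):
        if rule.matches(src, dst):
            return rule.action, rule
    return "block", None


# Constructed sample addresses: a VPN client and the two hosts from the thread.
CLIENT, IP1, IP2 = "10.8.0.10", "192.0.2.1", "192.0.2.2"

# Scenario 1 from the thread: interface allows any<->any, OpenVPN tab denies all.
openvpn_tab_deny_all = [Rule("block", "any", "any", "OpenVPN")]
iface_allow_all = [Rule("pass", "any", "any", "OVPN_IFACE")]

# Scenario 2: OpenVPN tab allows any<->any; interface allows to IP1, denies to IP2.
openvpn_tab_allow_all = [Rule("pass", "any", "any", "OpenVPN")]
iface_per_host = [Rule("pass", "any", IP1, "OVPN_IFACE"),
                  Rule("block", "any", IP2, "OVPN_IFACE")]


def scenario_1():
    """Deny-all on the group tab beats allow-all on the interface."""
    decision, _ = evaluate(openvpn_tab_deny_all, iface_allow_all, CLIENT, IP1)
    return decision


def scenario_2():
    """Allow-all on the group tab shadows the interface deny for IP2."""
    decision, rule = evaluate(openvpn_tab_allow_all, iface_per_host, CLIENT, IP2)
    return decision, rule.tab


def scenario_2_fixed():
    """With the OpenVPN tab emptied, the interface deny for IP2 is reached."""
    decision, rule = evaluate([], iface_per_host, CLIENT, IP2)
    return decision, rule.tab


if __name__ == "__main__":
    print("scenario 1:", scenario_1())
    print("scenario 2:", scenario_2())
    print("scenario 2, OpenVPN tab emptied:", scenario_2_fixed())
```

Replaying the thread's two questions: in scenario 1 the deny-all on the OpenVPN tab is hit first, so the interface's allow never runs; in scenario 2 the any-to-any pass on the OpenVPN tab matches traffic to IP2 before the interface deny is consulted, which is why traffic reaches IP2. Emptying the OpenVPN tab, as viragomann suggests, makes the per-interface deny effective again.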
powerextreme

@viragomann Thanks, so what is the point of having the interface? It seems like no matter what OpenVPN instance I have, I need to put the rules that affect that instance in the OpenVPN tab.
Rico

https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html

-Rico
powerextreme

@Rico Thanks for the link! I don't know why I didn't go there first.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.