Netgate Discussion Forum

    What FW Rule do I need to allow users internet access?

    OpenVPN
    3 Posts 3 Posters 392 Views
    behemyth

      How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I don't want to put in a default allow rule to allow any traffic anywhere on my network.

      What am I missing?

      viragomann @behemyth

        @behemyth
        WAN address is only the WAN IP, and WAN net is its subnet. Access to either of them is not what you want for the VPN client.
        If you want to prohibit access to your local network, you can either add a block rule with your internal network as destination above the pass rule, or exclude your internal network from the pass rule. The latter can be done by checking "invert" at destination and entering your local subnets.

        In both cases, if you have multiple internal subnets you should add them to an alias and use that alias in the destination section of the rule.
        It's generally good advice to have an alias including all RFC1918 networks, so you can use that one to ensure that the rule covers all internal networks.

        If you use the pass rule, consider putting it below the allow-DNS rule.

        marvosa @behemyth

          @behemyth said in What FW Rule do I need to allow users internet access?:

          How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I don't want to put in a default allow rule to allow any traffic anywhere on my network.

          What am I missing?

          There are a few different ways to do it:

          One option:

          1. Pass - Tunnel Network/DNS server Alias
          2. Block - Tunnel Network/LAN net (or alias for multiple networks)
          3. Pass - Tunnel Network/any

          Another option:

          1. Pass - Tunnel Network/DNS server Alias
          2. Pass - Tunnel Network/Invert Match LAN net (or alias for multiple networks)

          Also, considering there's no local access... unless there's a reason you want your clients using your DNS server(s), I would actually remove access to DNS altogether and push them Google DNS.

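The two answers above describe the same two rule layouts for the OpenVPN tab: a block-internal rule placed above a pass-any rule, or a single pass rule whose destination is the internal alias with "invert match" checked. The script below is an added example, not pfSense code or anything posted in the thread. It simulates how pfSense evaluates the rules on an interface tab (first match wins, and a packet that matches no rule hits the implicit default deny) so you can see why a "pass to WAN net" rule never reaches the internet, why the block rule has to sit above the pass-any rule, and that the invert-match layout gives the same result. All addresses (tunnel network 10.8.0.0/24, LAN 192.168.1.0/24, DNS server 192.168.1.53, WAN subnet 203.0.113.0/24) are constructed for the example.

```python
"""Simulate first-match firewall rule evaluation for an OpenVPN interface tab.

Assumption (true for pfSense interface-tab rules): rules are evaluated top to
bottom, the first matching rule decides, and traffic matching no rule is
blocked by the implicit default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    """Build an alias (list of networks) from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed sample values; replace with your own networks.
TUNNEL_NET = nets("10.8.0.0/24")        # OpenVPN tunnel network
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
DNS_ALIAS = nets("192.168.1.53/32")     # internal DNS server alias
WAN_NET = nets("203.0.113.0/24")        # the WAN interface's own subnet


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dst_port: Optional[int] = None      # None means any port
    invert_dst: bool = False            # the GUI's "invert match" on destination
    label: str = ""

    def matches(self, src, dst, port) -> bool:
        if not any(src in n for n in self.src):
            return False
        if self.dst is not None:
            in_dst = any(dst in n for n in self.dst)
            # invert_dst flips the sense: match only when dst is NOT in the alias
            if in_dst == self.invert_dst:
                return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, port: int):
    """Return (action, label) of the first matching rule, else the default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action, rule.label
    return "block", "implicit default deny"


# What the original poster tried: pass to the WAN subnet only.
WAN_ONLY = [
    Rule("pass", TUNNEL_NET, DNS_ALIAS, 53, label="allow DNS"),
    Rule("pass", TUNNEL_NET, WAN_NET, label="pass to WAN net"),
]

# marvosa's first option: pass DNS, block internal alias, then pass any.
BLOCK_THEN_PASS = [
    Rule("pass", TUNNEL_NET, DNS_ALIAS, 53, label="allow DNS"),
    Rule("block", TUNNEL_NET, RFC1918, label="block internal"),
    Rule("pass", TUNNEL_NET, None, label="pass any"),
]

# marvosa's second option / viragomann's invert suggestion.
INVERT_MATCH = [
    Rule("pass", TUNNEL_NET, DNS_ALIAS, 53, label="allow DNS"),
    Rule("pass", TUNNEL_NET, RFC1918, invert_dst=True, label="pass !internal"),
]

# The ordering mistake: block placed below pass-any is never reached.
MISORDERED = [
    Rule("pass", TUNNEL_NET, None, label="pass any"),
    Rule("block", TUNNEL_NET, RFC1918, label="block internal (shadowed)"),
]

CLIENT = "10.8.0.5"   # constructed VPN client address
PROBES = [("192.168.1.53", 53), ("192.168.1.10", 445), ("1.1.1.1", 443)]

if __name__ == "__main__":
    for name, rules in [("WAN_ONLY", WAN_ONLY), ("BLOCK_THEN_PASS", BLOCK_THEN_PASS),
                        ("INVERT_MATCH", INVERT_MATCH), ("MISORDERED", MISORDERED)]:
        print(name)
        for dst, port in PROBES:
            print(f"  {CLIENT} -> {dst}:{port}: {evaluate(rules, CLIENT, dst, port)}")
```

Running it shows the three outcomes the thread discusses: with WAN_ONLY the internet probe to 1.1.1.1 falls through to the default deny, BLOCK_THEN_PASS and INVERT_MATCH both pass DNS and internet traffic while blocking the LAN host, and MISORDERED lets the LAN host through because the pass-any rule matches first. One side effect worth knowing about the RFC1918 alias: the tunnel network itself is inside 10.0.0.0/8, so client-to-client traffic is blocked too, which is usually what you want.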