[solved] OpenVPN Client Interface not triggering rules and pass
-
Hello,
I have a 2.5.2 version with 3 OpenVPN clients (VYPRVPN1-3) in SSL/TLS connected to a VPN provider. I do not have any floating rules.
The only specificity is that I am routing all my outgoing traffic through the VYPRVPN1 interface.
I have a NAT & FW rule on a TCP port on the WAN interface and the rule is triggered as it should. But on the VYPRVPN1 interface, with also a NAT & FW rule, nothing is triggered (nothing in the FW log) and even if I remove the FW rule it still works... Of course if I remove the NAT rule it stops working.
So it looks like an OpenVPN client interface does not go through the FW stack.
I definitely must be missing something but I do not know what... Thanks for your help or explanation...
P. -
@papounetgate said in OpenVPN Client Interface not triggering rules and pass:
But on the VYPRVPN1 Interface with also a NAT & FW rule, nothing is triggered (nothing in the FW Log)
Rules on interfaces are only applied to inbound connections.
So are you awaiting incoming traffic on this interface? Or what are you trying to achieve with these rules? -
Thank you for answering me.
Yes I am speaking of inbound traffic.
So let's be more precise: I have an SSH server running on port 10001, and I want to have it accessible from my VPN client VYPRVPN1 interface. For all the tests, I disabled pfBlockerNG to have no floating rules at all.
For all the tests I will put the rule on top with Log on. I have only the Block Private Networks & Bogon Networks rules before.
First Test: To WAN Interface with Firewall Rule
Enable NAT on WAN Interface & WAN Firewall Rule
Internet->WAN IP->Work (And I see Pass in the log)
If I disable the WAN Firewall Rule then it stops working, which is what we all expect...
Second Test: To VYPRVPN Interface with Firewall rule
Disable NAT on WAN Interface & WAN Firewall Rule
Enable NAT on VYPRVPN Interface & VYPRVPN Firewall Rule
Internet->VYPRVPN IP->Work but No Log in Firewall.
Third Test: To VYPRVPN Interface with Firewall rule
Disable NAT on WAN Interface & WAN FW Rule
Disable VYPRVPN Firewall Rule (Still have NAT rule of course...)
Internet->VYPRVPN IP->Work (!)
So I do not get it...
As I have been using pfSense for a very long time, I have another old hardware on which I did a fresh install and reloaded the config from my current configuration, and I have exactly the same behavior.
-
@papounetgate
Possibly a firewall rule on the OpenVPN tab allowing the access?
Consider that the OpenVPN tab is an interface group including all OpenVPN instances (clients and servers) running on pfSense. It is implicitly added when you set up a client or server.
When you go through the wizard to set up an access server, it adds an allow any to any rule to this interface group.
Also consider that disabling a pass rule does not cut existing connections. You have to kill the states for it to take effect immediately.
-
Yes that's it! Thank you Viragomann, it was linked to the OpenVPN interface created for server and client OpenVPN with an any to any rule (by the way it is strange to create such a permissive rule by default...). So thank you for your help.
However I do not catch how to avoid duplicating or moving all OpenVPN interface rules to this group interface.
As I have 3 OpenVPN client interfaces (VYPRVPN1-3), I was managing rules for each interface, which seems to become useless as the group interface OpenVPN is preempting everything... So is the best practice to move all my rules for my 3 interfaces (VYPRVPN1-3) to the OpenVPN group interface? Or is there any way to inhibit this group interface and use rules for each interface?
And again thank you!
-
@papounetgate said in OpenVPN Client Interface not triggering rules and pass:
by the way it is strange to create such permissive rule by default...
That is done by the access server wizard, which seems a good help to start with the server, but sadly it doesn't respect OpenVPN clients which are affected as well.
You can either assign interfaces to your servers as well and create the needed rules on their interface tabs and remove all rules from the OpenVPN tab, or simply restrict the source in the OpenVPN pass rule to the access server's tunnel network, so it will not affect incoming traffic on the client connections.
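As an added illustration (not from any post in this thread), the two OpenVPN-tab rules Viragomann contrasts, written in the pf syntax pfSense loads, next to the per-client-interface rule they shadow. The group name openvpn, the client interface name ovpnc1, the tunnel network 10.8.0.0/24 and the LAN host 192.168.1.10 are assumptions:

```pf
# Added example, not from the thread. Assumptions: pfSense names the OpenVPN
# interface group "openvpn", the assigned client interface VYPRVPN1 is ovpnc1,
# the access server's tunnel network is 10.8.0.0/24, and the NAT target for
# port 10001 is 192.168.1.10.

# Weak (what the access-server wizard adds): the "openvpn" group contains every
# OpenVPN instance, clients included, and group rules are evaluated before the
# per-interface tab rules, so inbound traffic on ovpnc1 matches here first and
# the VYPRVPN1 rule below never logs a hit.
pass in quick on openvpn inet from any to any keep state label "USER_RULE: OpenVPN wizard"

# Restricted: only traffic sourced from the remote-access tunnel network matches,
# so inbound connections on the client interfaces fall through to their own tab.
pass in quick on openvpn inet from 10.8.0.0/24 to any keep state label "USER_RULE: OpenVPN remote access"

# The VYPRVPN1 tab rule for the NAT-forwarded SSH port, now reached and logged.
pass in log quick on ovpnc1 inet proto tcp from any to 192.168.1.10 port 10001 flags S/SA keep state label "USER_RULE: VYPRVPN1 SSH"
```

`pfctl -sr | grep openvpn` on the pfSense shell shows the group rules exactly as pf evaluates them. After tightening the rule, clear the existing states (Diagnostics > States, or `pfctl -F states`), since an already-open connection keeps passing under the old rule.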
-
Thank you very much Viragomann, it is now crystal clear.
So I kept a few rules on the OpenVPN group interface (one on 1194 for the OpenVPN server for remote clients, one on 1195 for the OpenVPN server for Site2Site, and the LAN sources for the Site2Site) and that's all.
I then kept all my other VYPRVPNx interface rules.
Again thanks, as I was a little bit lost...
-
@papounetgate said in OpenVPN Client Interface not triggering rules and pass:
So I kept a few rules on the OpenVPN group interface (one on 1194 for the OpenVPN server for remote clients, one on 1195 for the OpenVPN server for Site2Site
Rules to allow encrypted traffic to reach the servers should be on the WAN, not the OpenVPN interface, which only deals with traffic inside the tunnel.
Steve
-
@stephenw10 Thank you very much Steve for the info, I will take it into account.