pfBlockerNG Rules Not Applied to OpenVPN Interface
-
I'm not sure whether this is a bug, expected behavior, or I am missing something obvious. But the IP blocklists I create with pfBlockerNG only work for the LAN and WAN interfaces. They do not apply to the OpenVPN interface.
As one can see in the attached images, I have configured pfBlockerNG to automatically apply any rules created to the OpenVPN interface. However, when you view the OpenVPN interface, no pfBlockerNG rules are applied. In contrast, the pfBlockerNG rules are applied to both the LAN and WAN interfaces.
I have also tested the block rules. Pinging blocked IP addresses from the LAN works as expected (requests are blocked). However, pinging blocked IP addresses from a client connected to the network via OpenVPN is not blocked.
Based on the UI, the behavior I expect to occur is that any rules created by pfBlockerNG to block access from the LAN to specific IP ranges would also be applied to clients connected via OpenVPN (i.e., if a pfBlockerNG rule prevents access to 1.2.3.4 from the LAN, a client connected via OpenVPN should also not be able to access 1.2.3.4).
Any help would be greatly appreciated.
-
I don't use OpenVPN, but I will take a look at the code and let you know… Was it working in the past, and just stopped working now?
-
> I don't use OpenVPN, but I will take a look at the code and let you know… Was it working in the past, and just stopped working now?
More like it was never working. I set up OpenVPN first and only recently started using pfBlocker. It hasn't worked at all for me, but I only started using pfSense as of the 2.3.1 release. For all I know, it may or may not have worked in earlier versions.
Thanks for being willing to look at the code for this. If you need any more information, please let me know.
-
Is your OpenVPN a "Server" or "Client" configuration? Do you want both "Inbound" and "Outbound" auto-rules to be created?
I have a fix that will add "Outbound" auto-rules for an OpenVPN "Server" config, and add both "In/Outbound" auto-rules for a "Client" configuration….
Typically, with OpenVPN, you assign an interface in the Interface tab, and it will show in the pfBlockerNG In/Outbound Interface options. The checkbox option is for some corner cases where there is no interface assigned and there is no Interface listed in the drop-down menu.
-
> Is your OpenVPN a "Server" or "Client" configuration? Do you want both "Inbound" and "Outbound" auto-rules to be created?
> I have a fix that will add "Outbound" auto-rules for an OpenVPN "Server" config, and add both "In/Outbound" auto-rules for a "Client" configuration….
> Typically, with OpenVPN, you assign an interface in the Interface tab, and it will show in the pfBlockerNG In/Outbound Interface options. The checkbox option is for some corner cases where there is no interface assigned and there is no Interface listed in the drop-down menu.
My OpenVPN is a server configuration (think "road warrior" setup with mobile clients connecting). So my use case is that I want to apply the same pfBlockerNG outbound rules I use for local clients to road warrior clients connected through the VPN for ad-blocking and content-blocking purposes. So it sounds like your fix would address my problem.