Firewall Rules applied to L2TP VPN interface in pfSense 2.3.2


  • Banned

    I've configured L2TP over IPSec in pfSense and was able to connect to the WAN interface IP of pfSense from Mac OS 10.11.6 using an L2TP over IPSec tunnel.

    I've configured two firewall rules for L2TP over IPSec.

    1. Rule applied to the L2TP interface:

    Pass IPv4 (any protocol) | Source (any) | Destination (any)
    

    2. Rule applied to the IPSec interface:

    Pass IPv4 (any protocol) | Source (any) | Destination (any)
    

    I also have the following firewall rule applied to the LAN interface:

    Pass IPv4 (any protocol) | Source (Network: 192.168.200.0/24) | Destination (any) 
    

    I am able to ping host 192.168.200.30 (this host is on a LAN subnet one L3 hop away from the LAN interface on pfSense) from host 10.10.10.1 (this host is connected via L2TP over IPSec tunnel through pfSense WAN interface). I can see this connection in the firewall log with both lines having a green check mark in front of them:

    pass Aug 28 04:33:46 ► l2tp0 192.168.200.30 10.10.10.1 ICMP
    pass Aug 28 04:33:46 ► LAN 10.10.10.1 192.168.200.30 ICMP

    It seems that applying a firewall rule to the L2TP VPN interface has absolutely no effect, though. In fact, I tried to disable this rule, and I was still able to establish the L2TP over IPSec tunnel and ping from the host connected via the L2TP over IPSec tunnel to the host off the LAN interface of pfSense. I was also able to ping from a host off the LAN interface of pfSense to the host connected to pfSense via the L2TP over IPSec tunnel.

    When it comes to the L2TP VPN interface and the IPSec interface, which direction is considered IN and which OUT for these interfaces? Is the direction of traffic from the VPN client into the LAN considered to be IN for the IPSec interface and IN for the L2TP VPN interface, and the direction from the LAN to the VPN client considered to be OUT for both of these virtual interfaces?

    I can block pings from a host on the LAN to the host connected via L2TP over IPSec by disabling the firewall rule applied to the pfSense LAN interface, which (when enabled) passes traffic from this LAN segment to any destination. When I disabled this rule, I saw its effect in that traffic from the LAN to the VPN client was blocked. However, I could not block traffic from the host connected via L2TP over IPSec to the host on the LAN segment by disabling the rule applied to the L2TP VPN interface, so in my opinion, applying firewall rules to the L2TP VPN interface (or disabling such firewall rules) has no effect.

    Could someone explain that?

    Thank you.

