Netgate Discussion Forum
OpenVPN firewall - blocking traffic

Category: OpenVPN

tester_02:

I have an OpenVPN setup that I want to limit to only specific protocols, and I can't seem to be able to block with the firewall.

Setup
My side is the OpenVPN server (peer to peer).
I have an interface assigned to it.

I even tried a block all on the OpenVPN adapter as well as the OPT1 adapter (even the WAN and LAN), and there was no change in the firewall. I've tried blocking by network, adapter address and no change. The only way to block is to block on the client side. No matter what, all traffic comes through and I can't block.
Is this correct that you can only block on the client side? It seems very strange to me.

I've found 2 similar questions in the forums, but both had no answer. Any information would be appreciated.

Derelict (LAYER 8, Netgate):

Firewall rules are generally used to block connections coming into the firewall on an interface.

If you want to stop hosts on LAN from making certain connections, then you place those block rules on LAN.

If you want to block connections coming in from remote OpenVPN sites, you put those rules on OpenVPN.

If you want to block connections going to a remote OpenVPN site, then either block them on the incoming interface (like LAN) or block them at the remote side inbound on OpenVPN. They are the ones "locking their door" against incoming connections.

It's possible to block in the outbound direction using floating rules.

If you think about the security aspects of what the firewall is supposed to be doing, this is really the only model that makes any sense.

https://doc.pfsense.org/index.php/Firewall_Rule_Basics

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
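The interface-direction model in the answer above, written out as a pf ruleset in pf.conf syntax (the rule language pfSense compiles its GUI rules into). This is an added example, not code from either poster or from pfSense; the interface names, networks and ports are assumptions: em1 is the LAN interface carrying 192.168.1.0/24, ovpns1 is the OpenVPN server instance whose remote peer network is 10.20.0.0/24, and the goal is to allow only HTTPS and DNS in from the remote site while stopping LAN hosts from reaching SMB (tcp/445) on the remote side.

```pf
# Added example (not from the forum post or from pfSense). Assumed values:
#   em1    = LAN interface, local network 192.168.1.0/24
#   ovpns1 = OpenVPN server instance, remote peer network 10.20.0.0/24

lan_net    = "192.168.1.0/24"
remote_net = "10.20.0.0/24"

# --- Rules on the OpenVPN interface: these match packets ENTERING ovpns1,
# i.e. connections originated by the remote site. Only what is passed here
# gets in; the final block catches everything else. "quick" stops evaluation
# at the first match, which is how pfSense orders its interface rules.
pass  in quick on ovpns1 inet proto tcp from $remote_net to $lan_net port 443 flags S/SA keep state
pass  in quick on ovpns1 inet proto udp from $remote_net to $lan_net port 53 keep state
block in log quick on ovpns1 inet from $remote_net to $lan_net

# --- The other direction. A packet from a LAN host to the remote site enters
# the firewall on em1, not on ovpns1, so none of the ovpns1 "in" rules above
# ever see it. That is why a "block all" on the OpenVPN (or OPT1) tab leaves
# LAN-originated traffic untouched. Block it on the interface it arrives on.
block in log quick on em1 inet proto tcp from $lan_net to $remote_net port 445
pass  in quick on em1 inet from $lan_net to any keep state

# --- Floating-rule alternative: direction "out" on ovpns1 matches the same
# LAN-originated packet as it LEAVES through the tunnel. Caveat: pf consults
# the state table before the ruleset, and with pf's default floating state
# policy the state created by the "pass in" on em1 already matches the packet
# on its way out, so an "out" block is only reached for packets that were not
# passed statefully on the way in. The LAN-side block above is the reliable
# place, which is the answer's recommendation.
block out log quick on ovpns1 inet proto tcp from $lan_net to $remote_net port 445
```

In the pfSense GUI the first group corresponds to rules on the OpenVPN tab (or on the assigned OPT1 tab for that instance; both are evaluated on inbound packets), the second to rules on the LAN tab, and the last one to Firewall > Rules > Floating with Direction set to out. The `log` keyword on each block rule makes a dropped packet show up in the firewall log, which is the quickest way to confirm which interface and direction a rule is actually matching on.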

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.