OVPN client to pfSense: I want only internet access?
-
Hello :D
What kind of firewall rules would I need to achieve that, when I am abroad and connect via 4G to my pfSense, I can only use my pfSense to access the internet?
I don't want to be able to connect to local LANs or VLANs: only use my pfSense to have a trusted gateway instead of mobile operator or public WIFI.
Thank you for any help :P
Bye :)
-
Edit, I think I can do it with a 'not' rule I now realize, but:
A. Do I need to add that as a firewall rule, or a firewall/openvpn rule?
B. How can you be assured the 'not' rule always contains all the LANs and VLANs, also when you add one or more later? (In our ERP systems we can arrange solutions like that easily, but I don't know how to do it in pfSense.)
-
So, you want all of your VPN traffic routed down the tunnel and you don't want to be able to access your LAN? That's pretty straightforward:
- Enable the "Redirect Gateway" option in your config.
- Leave the "IPv4 Local network(s)" empty.
- As a secondary measure, you can add block rules on your LAN interfaces for traffic sourced from the tunnel network configured on your Remote Access Server.
-
"Not" rules should not be used to block traffic.
Block the local networks as destinations on the OpenVPN rules then pass any.
-
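The two replies above describe the same rule layout on the OpenVPN tab: a block rule from the tunnel network to every local network (kept in an alias), followed by a pass rule from the tunnel network to any. The weak point is the one raised in question B of the first post: the alias is maintained by hand, so a VLAN added later is reachable from the road warriors until someone remembers to extend it. The script below is an added example and not code from the thread or from pfSense. It reads a constructed config.xml fragment (the real file has the same `<interfaces>` and `<aliases>` layout with many more elements; the `<ipaddr>`/`<subnet>` and `<alias><address>` fields are assumed to be as shown), lists every statically addressed local network, reports which of them the alias does not cover, and simulates first-match evaluation of the block/pass pair to show that a stale alias silently passes tunnel traffic to the uncovered VLAN. The tunnel network 192.168.100.0/24 and the alias name ALIAS_LOCAL_LANS are taken from the thread; the VLAN addresses other than 192.168.7.0/24 are invented for the sample.

```python
"""Check that a pfSense alias covers every local network, and simulate the
OpenVPN-tab rule pair (block tunnel->local alias, pass tunnel->any).

Added example, not from the forum thread. The config.xml fragment below is
constructed; only the <interfaces> and <aliases> elements are modelled.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: LAN, two VLANs, an assigned OpenVPN interface and a DHCP
# WAN. The alias was written before the SERVERS VLAN (192.168.20.0/24) existed.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><descr>PHONES</descr><if>em1.7</if><ipaddr>192.168.7.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><descr>SERVERS</descr><if>em1.20</if><ipaddr>192.168.20.1</ipaddr><subnet>24</subnet></opt2>
    <opt3><descr>ROADWARRIOR</descr><if>ovpns1</if></opt3>
  </interfaces>
  <aliases>
    <alias>
      <name>ALIAS_LOCAL_LANS</name>
      <type>network</type>
      <address>192.168.1.0/24 192.168.7.0/24</address>
    </alias>
  </aliases>
</pfsense>
"""

# Tunnel network of the road-warrior server, as used in the thread.
ROAD_WARRIOR_TUNNEL = ipaddress.ip_network("192.168.100.0/24")


def local_networks(xml_text):
    """Statically addressed IPv4 networks attached to the box.

    DHCP/PPPoE interfaces and address-less ones (such as an assigned OpenVPN
    interface) are skipped: they are not LANs/VLANs that need protecting.
    """
    nets = set()
    for iface in ET.fromstring(xml_text).find("interfaces"):
        ipaddr, subnet = iface.findtext("ipaddr"), iface.findtext("subnet")
        if not ipaddr or not subnet:
            continue
        try:
            nets.add(ipaddress.ip_interface(f"{ipaddr}/{subnet}").network)
        except ValueError:
            continue  # "dhcp", "pppoe", ... are not addresses
    return nets


def alias_networks(xml_text, alias_name):
    """Networks listed in a network-type alias (space separated in config.xml)."""
    for alias in ET.fromstring(xml_text).iter("alias"):
        if alias.findtext("name") == alias_name:
            return {ipaddress.ip_network(a, strict=False)
                    for a in alias.findtext("address", "").split()}
    raise KeyError(f"alias {alias_name!r} not found")


def missing_from_alias(xml_text, alias_name):
    """Local networks that no entry of the alias covers (question B above)."""
    covered = alias_networks(xml_text, alias_name)
    return sorted(n for n in local_networks(xml_text)
                  if not any(c.version == n.version and n.subnet_of(c)
                             for c in covered))


def openvpn_tab_rules(tunnel_net, alias_name):
    """The rule pair from the replies, in evaluation order (first match wins)."""
    return [
        {"action": "block", "src": str(tunnel_net), "dst": alias_name},
        {"action": "pass", "src": str(tunnel_net), "dst": "any"},
    ]


def decision(rules, src_ip, dst_ip, alias_nets):
    """First-match verdict for one packet; alias destinations resolve to
    alias_nets. No match means pfSense's default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["dst"] == "any" or any(dst in n for n in alias_nets):
            return rule["action"]
    return "block"


if __name__ == "__main__":
    gaps = missing_from_alias(SAMPLE_CONFIG, "ALIAS_LOCAL_LANS")
    print("local networks not in alias:", [str(n) for n in gaps])
    rules = openvpn_tab_rules(ROAD_WARRIOR_TUNNEL, "ALIAS_LOCAL_LANS")
    stale = alias_networks(SAMPLE_CONFIG, "ALIAS_LOCAL_LANS")
    print("phone -> SERVERS, stale alias:", decision(rules, "192.168.100.2", "192.168.20.5", stale))
    print("phone -> SERVERS, alias fixed:", decision(rules, "192.168.100.2", "192.168.20.5", stale | set(gaps)))
    print("phone -> internet:", decision(rules, "192.168.100.2", "1.1.1.1", stale))
```

Run it against a backed-up config.xml after every interface or VLAN change; a non-empty "not in alias" list means the block rule has a hole. The per-interface block rules the first reply suggests as a secondary measure close the same hole from the other side, because a new VLAN with its own block rule is protected even while the alias lags behind.
-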
Thank you both for your replies :)
Derelict, per your previous reply to me: this time in this thread I do realize I gave too little information, sorry :'(
My situation is twofold:
1. I have road warriors: these should not be able to access LAN and VLAN: internet only.
2. There is also site to site (S2S), Synologies that need to sync to remote sites.
I've been trying to set this up in Firewall/Rules/OpenVPN, but many things apparently were wrong, because both road warrior tunnel and S2S tunnel stopped working.
For road warrior, I added:
A top block rule: SRC 192.168.100.0/24 (= tunnel network), DEST ALIAS_LOCAL_LANS.
A pass rule: SRC 192.168.100.0/24 (= tunnel network), DEST any.
The server refused to start. So I next added the normal smartphone VLAN: 192.168.7.0/24 as a SRC. Server didn't want to start either.
Now for the extra special thing:
The S2S server also didn't want to start, complaining about 192.168.100.2, which is an IP for the road warrior, not for the tunnel.
So I deleted all rules and put in the ALL ALL ALL rule.
The 'funny' thing was: apparently OpenVPN choked on it, because in Status/Services I could not restart the service (the little green icon kept on turning around), and I also couldn't stop the service (the stop icon kept on turning too, together with the restart icon that also kept on turning). So I had to reboot the box.
How could I fix my OpenVPN firewall rules for both road warrior and S2S? And do I need FW rules on the S2S client too, or only on the server?
Ideally, btw, I wouldn't want a block rule with the full 192.168.100.0/24 network in it; I would want it to be like in my LANs, where all clients have static IPs. The problem is: in OpenVPN I can not add static IPs for the smartphones.
Would setting up OpenVPN as an interface solve this, or will I be causing more new problems than I solve?
Thank you for your help :D
Bye,
-
I would run a separate OpenVPN instance for the Road Warriors and another for the Site-to-Site.
I would assign interfaces to both.
I would remove all rules from the OpenVPN tab.
Then put the rules governing traffic allowed from the Synologies on that instance and the rules governing traffic from the road warriors on that one.
They should both have separate tunnel networks so you could also just use that as the source address for the road warrior rules on the OpenVPN group tab without the assigned interfaces. Then use the tunnel network and the remote networks for the site-to-site in the same manner.
At least a couple ways to accomplish the task. Sort of depends on what you want to do.
-
For road warrior, I added:
A top block rule: SRC 192.168.100.0/24 (= tunnel network), DEST ALIAS_LOCAL_LANS.
A pass rule: SRC 192.168.100.0/24 (= tunnel network), DEST any.
The server refused to start.
OpenVPN firewall rules have zero bearing on whether a server will start or not. Even the rule on WAN that passes traffic to the server itself (UDP/1194) will not prevent the server from starting - it just won't receive any connections.
I have noticed a trend that you tend to blame completely unrelated causes for the effects you are seeing. Maybe slow down a little, think things through, and read more documentation.
-
@Mr.:
The problem is: in OpenVPN I can not add static IP's for the smartphones.
You can set static IPs in OpenVPN using Client Specific Overrides; it is not necessary to create a specific pfSense interface for that.