HELP: Firewall Settings for Remote Networks over VPN



  • Dear Forum,

    I have had great success with OpenVPN thus far, but I would like assistance regarding how to set up firewall rules on the VPN1 interface so that I can control traffic of individual Remote Network IPs.

    My OpenVPN server has the following settings:

    IPv4 Tunnel Network: 10.0.8.0/24
    IPv4 Remote Networks: 172.31.162.0/24, 172.31.163.0/24

    Client Specific Override #1: IPv4 Remote Network: 172.31.162.0/24; IPv4 Local Network 172.31.163.0/24
    Client Specific Override #2: IPv4 Remote Network: 172.31.163.0/24; IPv4 Local Network 172.31.162.0/24

    OpenVPN Interface: VPN1

    At 172.31.162.1 - Remote Site Router with OpenVPN client, it receives tunnel IP 10.0.8.3
    At 172.31.163.1 - Remote Site Router with OpenVPN client, it receives tunnel IP 10.0.8.2

    I would like to avoid having to put any Security/Firewall rules at the Router to control traffic out from the IPv4 Remote Networks. I would like to put all the rules at PFSense.

    My Current Communication Traffic Flow, when Firewall rules are wide open is such:

    PLC - Programmable Logic Controller.

    PLC1 at 172.31.162.2:44818 communicates with -> PLC2 172.31.163.2:44818 and vice versa.

    However, all PFSense seems to see over the VPN1 interface is the remote network to Router Tunnel IP traffic, for example:

    21:02:35.686906 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
    21:02:35.686932 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
    21:02:35.884831 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 0
    21:02:35.884836 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 0
    21:02:35.884844 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 56
    21:02:35.884846 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 56
    21:02:36.106802 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
    21:02:36.106820 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
    21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
    21:02:36.765918 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
    21:02:36.844922 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 0
    21:02:36.844929 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 0
    21:02:36.866819 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 70
    21:02:36.866827 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 70
    21:02:36.922830 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 66
    21:02:36.922837 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 66
    21:02:36.967478 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 92
    21:02:36.967486 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 92
    21:02:37.004798 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 64
    21:02:37.004806 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 6

    If I do a Traceroute when connected locally to one of the Remote Site Routers (172.31.162.1):

    tracert 172.31.163.2

    Tracing route to 172.31.163.2 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  172.31.162.1
      2    39 ms    36 ms    37 ms  10.0.8.1
      3   175 ms    93 ms    78 ms  10.0.8.3
      4   243 ms   112 ms    82 ms  172.31.163.2

    I can see all the hops as the traffic passes from the Remote Site Router (172.31.162.1)->PFSense Tunnel IP (10.0.8.1)->through the Tunnel Client IP of the other Remote Site Router (10.0.8.3)->PLC1 (172.31.163.2).

    My Issue is that I cannot do a simple firewall rule of end to end points:

    Source IP         Source Port    Destination IP    Destination Port
    172.31.162.2      44818          172.31.163.2      44818

    The above firewall rule never works because PFSense only sees Tunnel to End point or Starting Point to Tunnel traffic as shown in the above capture. Thus, the only rules that work are as such:

    Source IP         Source Port    Destination IP    Destination Port
    10.0.8.3          *              172.31.162.2      44818
    172.31.163.2      44818          10.0.8.2          *
    VPN1 Network      *              172.31.162.2      44818
    172.31.163.2      44818          VPN1 Network      *

    This would be okay if I only had 1 remote network device connected to the router. However, in most cases I have multiple IPs at each remote network, so I need to have more IP specific control. Thus, a static IPv4 Tunnel Network address for the Client Specific Override is useless.

    If you look at the attached OpenVPN Status screenshot, PFSense sees the end devices such as 172.31.162.2C and 172.31.163.2C (denoted by letter C). So there must be a way to have a really IP specific Source IP to Destination IP firewall rule, without having to specify the Router Tunnel Client IPs.

    I would really like to avoid having a remote site firewall to control the outbound traffic from the remote routers. Any idea on how to get the following simple rule working?

    Desired Firewall Rule:

    Source IP         Source Port    Destination IP    Destination Port
    172.31.162.2      44818          172.31.163.2      44818

    I have attached all screenshots of my current settings. Any help would be appreciated. Thanks.

    ![OpenVPN Status.png](/public/imported_attachments/1/OpenVPN Status.png)
    ![OpenVPN Server Settings.png](/public/imported_attachments/1/OpenVPN Server Settings.png)
    ![Client Specific Overrides.png](/public/imported_attachments/1/Client Specific Overrides.png)


  • Basically, how to do firewall rules on the "REAL" source IP? Not the OpenVPN client IP. The packet capture feature of PFSense never shows the source IP but the OpenVPN client IP.



  • Disable S-NAT on the clients.
    I guess the clients are a sort of consumer routers. These often do S-NAT on outgoing interfaces by default.
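
    A small check, added here as an example and not part of any post in this thread, that applies the diagnosis above to a packet capture: it parses tcpdump lines of the form shown in the question and reports which tunnel addresses (10.0.8.0/24) appear as the source of traffic into the remote sites, which is what a client router doing source NAT looks like from PFSense, and which flows already carry a real remote-LAN source usable in an end-to-end rule. The sample capture is constructed from the thread's lines plus one line as it would look after NAT is disabled on the client gateway.

    ```python
    import ipaddress
    import re

    # Networks taken from the thread: the OpenVPN tunnel and the two remote sites.
    TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")
    REMOTE_NETS = [ipaddress.ip_network("172.31.162.0/24"),
                   ipaddress.ip_network("172.31.163.0/24")]

    # tcpdump line shape: "21:02:35.686906 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74"
    LINE_RE = re.compile(
        r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

    def parse_capture(text):
        """Return (src_ip, src_port, dst_ip, dst_port) for each parsable line."""
        flows = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                flows.append((ipaddress.ip_address(m.group(1)), int(m.group(2)),
                              ipaddress.ip_address(m.group(3)), int(m.group(4))))
        return flows

    def snat_suspects(flows):
        """Tunnel addresses seen as the source of traffic into a remote site.
        A tunnel IP talking to a remote-LAN host (instead of one remote-LAN host
        talking to another) is the signature of the client router source-NATing."""
        suspects = set()
        for src, _sport, dst, _dport in flows:
            if src in TUNNEL_NET and any(dst in n for n in REMOTE_NETS):
                suspects.add(str(src))
        return sorted(suspects)

    def real_source_flows(flows):
        """Flows with a remote-LAN source and destination, i.e. end-to-end visible."""
        return [(str(s), sp, str(d), dp) for s, sp, d, dp in flows
                if any(s in n for n in REMOTE_NETS) and any(d in n for n in REMOTE_NETS)]

    # Constructed sample: three lines from the thread (NAT still enabled on the
    # client) and one line as it would appear once the gateway stops NATing.
    SAMPLE = """\
    21:02:35.686906 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
    21:02:35.884831 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 0
    21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
    21:02:40.000000 IP 172.31.162.2.44818 > 172.31.163.2.44818: tcp 74
    """

    if __name__ == "__main__":
        flows = parse_capture(SAMPLE)
        print("tunnel IPs masking real sources:", snat_suspects(flows))
        print("end-to-end flows:", real_source_flows(flows))
    ```

    Running it against a capture taken on VPN1 before and after changing the client's NAT setting shows whether the real 172.31.x.x sources have become visible.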



  • @viragomann:

    Disable S-NAT on the clients.
    I guess the clients are a sort of consumer routers. These often do S-NAT on outgoing interfaces by default.

    Hi Viragomann,

    Thanks for your help.

    My Client is a Sierra Wireless RV50 Cellular gateway. It has a built-in OpenVPN Tunnel Client. There aren't too many settings in it. I disabled NAT on the Single Ethernet port to it.

    Would it be possible to force a client setting to it through the PFSense Open VPN Server? i.e. disable SNAT on all OpenVPN Clients?



  • No, NAT has nothing to do with OpenVPN. It's just a router function. It translates the source address in outgoing packets to the router's interface address. That should simplify the inter-network communication between the devices, but it isn't desired in every environment.
    In this case the interface is the virtual VPN interface. There's no way to control that on the OpenVPN server.



  • I found the setting in the Sierra Wireless RV50 OpenVPN Tunnel settings. There is a setting called NAT, which I had to set to disable. After I disabled it, the SNAT was removed and the true source IPs are now visible. Thanks.