HELP: Firewall Settings for Remote Networks over VPN
-
Dear Forum,
I have had great success with OpenVPN thus far, but I would like assistance regarding how to setup firewall rules on the VPN1 interface so that I can control traffic of individual Remote Network IPs.
My OpenVPN server has the following settings:
IPv4 Tunnel Network: 10.0.8.0/24
IPv4 Remote Networks: 172.31.162.0/24, 172.31.163.0/24
Client Specific Override #1: IPv4 Remote Network: 172.31.162.0/24; IPv4 Local Network 172.31.163.0/24
Client Specific Override #2: IPv4 Remote Network: 172.31.163.0/24; IPv4 Local Network 172.31.162.0/24
OpenVPN Interface: VPN1
At 172.31.162.1 - Remote Site Router with OpenVPN client, it receives tunnel IP 10.0.8.3
At 172.31.163.1 - Remote Site Router with OpenVPN client, it receives tunnel IP 10.0.8.2
I would like to avoid having to put any Security/Firewall rules at the Router to control traffic out from the IPv4 Remote Networks. I would like to put all the rules at PFSense.
My Current Communication Traffic Flow, when Firewall rules are wide open is such:
PLC = Programmable Logic Controller.
PLC1 at 172.31.162.2:44818 communicates with -> PLC2 172.31.163.2:44818 and vice versa.
However, all PFSense seems to see over VPN1 interface is the remote network to Router Tunnel IP traffic, for ex:
21:02:35.686906 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
21:02:35.686932 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
21:02:35.884831 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 0
21:02:35.884836 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 0
21:02:35.884844 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 56
21:02:35.884846 IP 172.31.162.2.44818 > 10.0.8.3.2520: tcp 56
21:02:36.106802 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
21:02:36.106820 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
21:02:36.765918 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
21:02:36.844922 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 0
21:02:36.844929 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 0
21:02:36.866819 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 70
21:02:36.866827 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 70
21:02:36.922830 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 66
21:02:36.922837 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 66
21:02:36.967478 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 92
21:02:36.967486 IP 172.31.163.2.44818 > 10.0.8.2.4958: tcp 92
21:02:37.004798 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 64
21:02:37.004806 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 6
If I do a Traceroute when connected locally to one of the Remote Site Routers (172.31.162.1):
tracert 172.31.163.2
Tracing route to 172.31.163.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.31.162.1
2 39 ms 36 ms 37 ms 10.0.8.1
3 175 ms 93 ms 78 ms 10.0.8.3
4 243 ms 112 ms 82 ms 172.31.163.2
I can see all the hops as the traffic passes from the Remote Site Router (172.31.162.1) -> PFSense Tunnel IP (10.0.8.1) -> through the Tunnel Client IP of the other Remote Site Router (10.0.8.3) -> PLC1 (172.31.163.2).
My Issue is that I cannot do a simple firewall rule of end to end points:
Source IP       Source Port   Destination IP   Destination Port
172.31.162.2    44818         172.31.163.2     44818
The above firewall rule never works because PFSense only sees Tunnel to End point or Starting Point to Tunnel traffic as shown in the above capture. Thus, the only rules that work are as such:
Source IP       Source Port   Destination IP   Destination Port
10.0.8.3        *             172.31.162.2     44818
172.31.163.2    44818         10.0.8.2         *
VPN1 Network    *             172.31.162.2     44818
172.31.163.2    44818         VPN1 Network     *
This would be okay if I only had 1 remote network device connected to the router. However, in most cases I have multiple IPs at each remote network, so I need to have more IP specific control. Thus, a static IPv4 Tunnel Network address for the Client Specific Override is useless.
If you look at the attached OpenVPN Status screenshot, PFSense sees the end devices such as 172.31.162.2C and 172.31.163.2C (denoted by letter C). So there must be a way to have a really IP specific Source IP to Destination IP firewall rule, without having to specify the Router Tunnel Client IPs.
I would really like to avoid having a remote site firewall to control the outbound traffic from the remote routers. Any idea on how to get the following simple rule working?
Desired Firewall Rule:
Source IP       Source Port   Destination IP   Destination Port
172.31.162.2    44818         172.31.163.2     44818
I have attached all screenshots of my current settings. Any help would be appreciated. Thanks.
Basically, how to do firewall rules on the "REAL" source IP? Not the OpenVPN client IP. The packet capture feature of PFSense never shows the source IP but the OpenVPN client IP.
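An added example, not from the thread, that replays pfSense-style source/destination rules against tcpdump-format lines like the capture above, to show why the desired PLC-to-PLC rule matches nothing while the client routers masquerade behind their tunnel addresses. The SNAT-off lines are constructed, and the source port is left as any because the capture shows ephemeral client ports rather than 44818.

```python
import ipaddress
import re

# Constructed sample: the first block copies the format of the capture in the post
# (clients still doing SNAT); the second is what the same two flows look like
# once the remote routers stop rewriting the source address.
CAPTURE_SNAT_ON = """\
21:02:35.686906 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 74
21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
"""
CAPTURE_SNAT_OFF = """\
21:10:01.000000 IP 172.31.163.2.2520 > 172.31.162.2.44818: tcp 74
21:10:01.000000 IP 172.31.162.2.4958 > 172.31.163.2.44818: tcp 88
"""

TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")  # IPv4 Tunnel Network from the post
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse_flows(capture):
    """Return (src_ip, src_port, dst_ip, dst_port) tuples from tcpdump-style text."""
    flows = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return flows

def rule_matches(rule, flow):
    """Stateless match of one (src, sport, dst, dport) rule; '*' means any.
    Addresses may be a single host or a CIDR network, as in a pfSense rule."""
    def in_net(ip, net):
        return net == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    r_src, r_sport, r_dst, r_dport = rule
    src, sport, dst, dport = flow
    return (in_net(src, r_src) and in_net(dst, r_dst)
            and r_sport in ("*", sport) and r_dport in ("*", dport))

def count_matches(rule, capture):
    return sum(rule_matches(rule, f) for f in parse_flows(capture))

def masqueraded(capture):
    """Flows whose source is a tunnel address: the client router applied SNAT."""
    return [f for f in parse_flows(capture) if ipaddress.ip_address(f[0]) in TUNNEL_NET]

# The rule the poster wants (source port left as any) and the tunnel-based workaround.
DESIRED_RULE = ("172.31.162.0/24", "*", "172.31.163.2", 44818)
WORKAROUND_RULE = ("10.0.8.0/24", "*", "172.31.163.2", 44818)

if __name__ == "__main__":
    print("masqueraded flows (SNAT on):", masqueraded(CAPTURE_SNAT_ON))
    print("desired rule hits, SNAT on :", count_matches(DESIRED_RULE, CAPTURE_SNAT_ON))
    print("desired rule hits, SNAT off:", count_matches(DESIRED_RULE, CAPTURE_SNAT_OFF))
```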
-
Disable S-NAT on the clients.
I guess the clients are a sort of consumer router. These often do S-NAT on outgoing interfaces by default.
-
Hi Viragomann,
Thanks for your help.
My Client is a Sierra Wireless RV50 Cellular gateway. It has a built-in OpenVPN Tunnel Client. There aren't too many settings in it. I disabled NAT on the single Ethernet port to it.
Would it be possible to force a client setting to it through the PFSense Open VPN Server? i.e. disable SNAT on all OpenVPN Clients?
-
No, NAT has nothing to do with OpenVPN. It's just a router function. It translates the source address in outgoing packets to the router's interface address. That should simplify the inter-network communication between the devices, but it isn't desired in every environment.
In this case the interface is the virtual VPN interface. There's no way to control that on the OpenVPN server.
-
I found the setting in the Sierra Wireless RV50 OpenVPN Tunnel settings. There is a setting called NAT, which I had to set to disable. After I disabled it, the SNAT was removed and the true source IPs are now visible. Thanks.