Firewalling my VPN IPsec interface



  • Hello,

    Thanks in advance. I have gotten some great help and learned a ton from this forum.

    OK. So I set up a VPN and can connect to it. However, I don't seem to have internet access when I do. My goal, however, is really only to allow access to one server over a few ports while connected. But having internet access would be nice too for when I'm on public wifi.

    So I began to set up the interface as I have done the LAN and OPT interfaces, by adding an allow rule for that interface to any. But for the IPsec interface, I don't have the option under source to choose the interface as I do on the other interfaces.

    Any suggestions? What should my basic rules be here to allow internet and access to one server only? Any other best practices to consider here? Also note I use a double NAT setup. The server is on the LAN interface/subnet.

    Pics of my firewall rules below. Thanks!


    ![firewall 2.png](/public/imported_attachments/1/firewall 2.png)



  • @ice_mf_mike:

    So I set up a VPN and can connect to it. However, I don't seem to have internet access when I do.

    This sounds like you misconfigured your IPsec VPN (probably used 0.0.0.0/0 as the destination subnet), so when the VPN is up, the kernel is trying to route everything through the VPN. Post your IPsec settings and we'll see.

    Regarding firewalling, remember that the rules in the IPsec tab apply to traffic incoming into the firewall (as any other rules do). So unless you want to allow something on the other end to initiate a connection to a device on your LAN or DMZ, leave those rules empty (blocking everything by default).

    Allowing access from LAN or DMZ to the other end of the tunnel is achieved through rules on those interfaces (although it is probably already allowed if you have a "LAN to any" rule or similar).
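    To make the "rules apply to traffic arriving on that interface" point concrete, here is an added example (not from this thread or from pfSense itself) that evaluates a small rule set with pfSense-like first-match, default-deny semantics. The VPN client pool 10.10.10.0/24, LAN 192.168.1.0/24, server 192.168.1.10, the allowed ports and the public address 203.0.113.5 are all constructed for the example.

    ```python
    import ipaddress
    from dataclasses import dataclass


    @dataclass
    class Rule:
        action: str        # "pass" or "block"
        iface: str         # interface the packet ARRIVES on (ipsec, lan, ...)
        src: str           # source network, CIDR
        dst: str           # destination network, CIDR
        dports: set = None # None = any port, else the allowed TCP/UDP ports


    def evaluate(rules, iface, src, dst, dport):
        """Walk the rules top-down; first match on the ingress interface wins.
        No match means the implicit default-deny applies, as on pfSense.
        Only the connection-initiating packet is checked: a stateful firewall
        lets the reply traffic back through without a separate rule."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in rules:
            if r.iface != iface:
                continue
            if s not in ipaddress.ip_network(r.src):
                continue
            if d not in ipaddress.ip_network(r.dst):
                continue
            if r.dports is not None and dport not in r.dports:
                continue
            return r.action
        return "block"


    # Constructed rule set for a road-warrior tunnel: clients may reach one
    # server on two ports and the internet, nothing else on the LAN (which
    # includes the firewall's own LAN address). LAN keeps its "to any" rule.
    RULES = [
        Rule("pass",  "ipsec", "10.10.10.0/24", "192.168.1.10/32", {22, 443}),
        Rule("block", "ipsec", "10.10.10.0/24", "192.168.1.0/24"),
        Rule("pass",  "ipsec", "10.10.10.0/24", "0.0.0.0/0"),
        Rule("pass",  "lan",   "192.168.1.0/24", "0.0.0.0/0"),
    ]


    def client_to_server_allowed(dport):
        return evaluate(RULES, "ipsec", "10.10.10.5", "192.168.1.10", dport)


    def client_to_lan_host_allowed():
        return evaluate(RULES, "ipsec", "10.10.10.5", "192.168.1.20", 443)


    def client_to_internet_allowed():
        return evaluate(RULES, "ipsec", "10.10.10.5", "203.0.113.5", 443)
    ```

    Note that a "pass" rule placed on the LAN tab does nothing for connections the VPN client initiates, because those packets enter on the IPsec interface.
    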



  • Yea, I definitely screwed up the rules. This is where I am at now. Basically, I would ideally like to only allow access to this one machine on my LAN and also the internet. Everything else, including access to the firewall interface, I want to block. See attached. With this configuration, however, I can't even access the server at the port I was hoping for.

    Thanks.