Netgate Discussion Forum

Firewalling my VPN IPsec interface

    ice_mf_mike (last edited by Apr 12, 2018, 12:42 AM)

    Hello,

    Thanks in advance.  I have gotten some great help and learned a ton from this forum.

    OK. So I set up a VPN and can connect to it. However, I don't seem to have internet access when I do. My goal, however, is really only to allow access to one server over a few ports while connected. But having internet access would be nice too for when I'm on public Wi-Fi.

    So I began to set up the interface as I have done for the LAN and OPT interfaces, by adding an allow rule from that interface to any. But for the IPsec interface, I don't have that option under source to choose the interface as I do on the other interfaces.

    Any suggestions? What should my basic rules be here to allow internet and access to one server only? Any other best practices to consider here? Also note I use a double NAT setup. The server is on the LAN interface/subnet.

    Pics of my firewall rules below. Thanks!
    [attachments: vpnfirewall.png, firewall 2.png]

      georgeman (last edited by Apr 23, 2018, 12:18 AM)

      @ice_mf_mike:

      "So I set up a VPN and can connect to it. However, I don't seem to have internet access when I do."

      This sounds like you misconfigured your IPsec VPN (probably used 0.0.0.0/0 as the destination subnet), so when the VPN is up, the kernel is trying to route everything through the VPN. Post your IPsec settings and we'll see.

      Regarding firewalling, remember that the rules in the IPsec tab apply to traffic coming into the firewall (as all other rules do). So unless you want to allow something on the other end to initiate a connection to a device on your LAN or DMZ, leave those rules empty (blocking everything by default).

      Allowing access from LAN or DMZ to the other end of the tunnel is achieved through rules on those interfaces (although it is probably already allowed if you have a "LAN to any" rule or similar).

      If it ain't broke, you haven't tampered enough with it

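The following is a small model of the two points georgeman makes, added here as an example; it is not pfSense code and not anything posted in the thread. It assumes constructed addresses (LAN 192.168.1.0/24 with the server at 192.168.1.10 and the firewall at 192.168.1.1, a VPN client pool 10.0.8.0/24, an Internet host 203.0.113.5) and a hypothetical rule list `IPSEC_RESTRICTED` as one way to express the original poster's goal (one server on one port plus Internet, nothing else). It shows why an empty IPsec tab blocks everything the remote end initiates, why LAN-to-tunnel traffic is decided on the LAN tab rather than the IPsec tab, why rule order matters once a "pass to any" rule is present, and why a Phase 2 selector of 0.0.0.0/0 pulls Internet-bound traffic into the tunnel.

```python
"""Toy first-match model of pfSense per-interface rules and IPsec Phase 2
selectors.  Constructed example for this thread, not pfSense code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp", "udp", "icmp"
    src: IPv4Net
    dst: IPv4Net
    dport: Optional[int] = None  # None = any destination port


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> str:
    """Decide the fate of a packet *entering* the firewall on the interface
    whose tab holds `rules`.  The first matching rule wins (pf 'quick'
    semantics, as in the pfSense GUI); no match means the implicit default
    deny.  Only the initiating packet is modelled: pf is stateful, so
    replies to a passed connection need no rule of their own."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


def tunnel_captures(selectors: List[IPv4Net], dst: str) -> bool:
    """Phase 2 destination selectors: a packet whose destination falls inside
    any selector is handed to the tunnel instead of the normal route."""
    d = ipaddress.ip_address(dst)
    return any(d in sel for sel in selectors)


# --- constructed addresses (not the poster's real network) -----------------
LAN_NET = net("192.168.1.0/24")
SERVER = net("192.168.1.10/32")    # the one LAN host VPN users may reach
FIREWALL = net("192.168.1.1/32")   # pfSense's own LAN address
VPN_POOL = net("10.0.8.0/24")      # addresses handed to connected VPN clients
INTERNET_HOST = "203.0.113.5"

# LAN tab: the usual "LAN to any" rule.  This is what permits LAN hosts to
# reach the far end of the tunnel; the IPsec tab is not involved.
LAN_RULES = [Rule("pass", "any", LAN_NET, ANY)]

# IPsec tab left empty: the remote end may initiate nothing.
IPSEC_EMPTY: List[Rule] = []

# Hypothetical IPsec tab for the poster's goal.  Because the first match
# wins, the block rules must sit above the final "pass to any" rule.
IPSEC_RESTRICTED = [
    Rule("pass", "tcp", VPN_POOL, SERVER, dport=443),
    Rule("block", "any", VPN_POOL, FIREWALL),
    Rule("block", "any", VPN_POOL, LAN_NET),  # rest of LAN stays closed
    Rule("pass", "any", VPN_POOL, ANY),       # Internet, out the WAN
]

# Same intent, wrong order: "pass to any" first makes the block unreachable.
IPSEC_MISORDERED = [
    Rule("pass", "any", VPN_POOL, ANY),
    Rule("block", "any", VPN_POOL, FIREWALL),
]


def scenarios() -> dict:
    """Evaluate representative flows; keys name the flow, values the verdict."""
    return {
        "lan_to_vpn_client": first_match(LAN_RULES, "tcp", "192.168.1.20", "10.0.8.5", 22),
        "vpn_to_server_443_empty_tab": first_match(IPSEC_EMPTY, "tcp", "10.0.8.5", "192.168.1.10", 443),
        "vpn_to_server_443": first_match(IPSEC_RESTRICTED, "tcp", "10.0.8.5", "192.168.1.10", 443),
        "vpn_to_server_22": first_match(IPSEC_RESTRICTED, "tcp", "10.0.8.5", "192.168.1.10", 22),
        "vpn_to_firewall": first_match(IPSEC_RESTRICTED, "tcp", "10.0.8.5", "192.168.1.1", 443),
        "vpn_to_firewall_misordered": first_match(IPSEC_MISORDERED, "tcp", "10.0.8.5", "192.168.1.1", 443),
        "vpn_to_other_lan_host": first_match(IPSEC_RESTRICTED, "tcp", "10.0.8.5", "192.168.1.20", 80),
        "vpn_to_internet": first_match(IPSEC_RESTRICTED, "tcp", "10.0.8.5", INTERNET_HOST, 443),
        "p2_any_captures_internet": tunnel_captures([ANY], INTERNET_HOST),
        "p2_lan_captures_internet": tunnel_captures([LAN_NET], INTERNET_HOST),
        "p2_lan_captures_server": tunnel_captures([LAN_NET], "192.168.1.10"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32} {verdict}")
```

Run it with python3 and read the table `scenarios()` prints. The model deliberately leaves out what the thread does not settle: NAT (Internet access for VPN clients also needs outbound NAT for the pool on WAN), stateful reply handling, and the fact that pfSense's IPsec tab offers no "IPsec net" source macro, which is why the client pool is spelled out as a network here.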
        ice_mf_mike (last edited by Apr 25, 2018, 1:50 AM)

        Yeah, I definitely screwed up the rules. This is where I am at now. Basically, I would ideally like to only allow access to this one machine on my LAN and also the internet. Everything else, including access to the firewall interface, I want to block. See attached. With this configuration, however, I can't even access the server on the port I was hoping for.

        Thanks.

        [attachment: ipsecfirewall.png]

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.