    Firewalling my VPN IPsec interface

    ice_mf_mike:

      Hello,

      Thanks in advance.  I have gotten some great help and learned a ton from this forum.

      Ok.  So I set up a VPN and can connect to it.  However, I don't seem to have internet access when I do.  My goal, however, is really only to allow access to one server over a few ports while connected.  But having internet access would be nice too for when I'm on public wifi.

      So I began to set up the interface as I have done the LAN and OPT interface, by adding an allow rule for that interface to any.  But for the IPsec interface, I don't have that option under source to choose the interface as I do on the other interfaces.

      Any suggestions?  What should be my basic rules here to allow internet and access to one server only?  Any other best practices to consider here?  Also note I use a double NAT setup.  The server is on the LAN interface/subnet.

      Pic of my firewall rule below.  Thanks!

      ![firewall 2.png](/public/imported_attachments/1/firewall 2.png)
      georgeman:

        @ice_mf_mike:

        So I set up a VPN and can connect to it.  However, I don't seem to have internet access when I do.

        This sounds like you misconfigured your IPsec VPN (probably used 0.0.0.0/0 as the destination subnet), so when the VPN is up, the kernel is trying to route everything through the VPN. Post your IPsec settings and we'll see.

        Regarding firewalling, remember that the rules in the IPsec tab apply to traffic coming into the firewall (as any other rules do). So unless you want to allow something on the other end to initiate a connection to a device on your LAN or DMZ, leave those rules empty (blocking everything by default).

        Allowing access from LAN or DMZ to the other end of the tunnel is achieved through rules on those interfaces (although it is probably already allowed if you have a "LAN to any" rule or similar).

        If it ain't broke, you haven't tampered enough with it

        ice_mf_mike:
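The rule logic georgeman describes, applied to ice_mf_mike's goal (one LAN server on a few ports, internet access, nothing else, no access to the firewall itself), written out in raw pf syntax as an added example; it is not from this thread and not a pfSense-generated ruleset. The interface name enc0, the address ranges and the ports are assumptions, and since pfSense builds its own pf rules from the GUI, this shows the ordering to reproduce in the IPsec tab rather than text to paste in.

```pf
# Constructed assumptions for this example: mobile IPsec clients receive
# addresses from 10.10.10.0/24, the LAN is 192.168.1.0/24, the one server
# is 192.168.1.10, the permitted ports are 22 and 443, and decrypted IPsec
# traffic enters the firewall on enc0 (FreeBSD's IPsec pseudo-interface).
vpn_clients  = "10.10.10.0/24"
lan_net      = "192.168.1.0/24"
server       = "192.168.1.10"
server_ports = "{ 22, 443 }"

# Weak setting: a single catch-all on the IPsec tab lets every VPN client
# reach the firewall's own addresses and every LAN host.
#   pass in quick on enc0 from $vpn_clients to any

# Corrected ordering: evaluated top to bottom, first match wins (quick),
# which mirrors the top-down, first-match evaluation of the pfSense GUI.

# 1. Nothing from the tunnel may reach the firewall itself (all its addresses).
block in quick on enc0 from $vpn_clients to self

# 2. The one server, on the permitted TCP ports only.
pass in quick on enc0 proto tcp from $vpn_clients to $server port $server_ports

# 3. Everything else on the LAN is refused, so rule 4 cannot reach it.
block in quick on enc0 from $vpn_clients to $lan_net

# 4. Remaining destinations (the internet) are allowed; with a double NAT
#    setup the WAN outbound NAT must also cover $vpn_clients or replies die.
pass in quick on enc0 from $vpn_clients to any

# Anything not matched above falls to the default deny.
```

Rules 1 and 3 must sit above rule 4: placing the "to any" pass first would match every packet before the blocks are consulted.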

          Yeah, I definitely screwed up the rules.  This is where I am at now. Basically, I would ideally like to only allow access to this one machine on my LAN and also the internet.  Everything else, including access to the firewall interface, I want to block.  See attached.  With this configuration, however, I can't even access the server at that port I was hoping to.

          Thanks.
