OpenVPN (client/server) routing confusion



  • I have an OpenVPN interface on 192.168.2.0/24. In the VPN tunnel settings I have the local network set to the entire 192.168.0.0/16 network to allow access to all subnets on my network. On my management subnet, I have a switch at 192.168.1.2. To play around, I set a rule on that management interface to block traffic from source 192.168.1.2. I assumed I would then not be able to access this switch at all via the VPN...but see that I'm able to. I can access via SSH and HTTP. Where am I wrong in my thinking? Why am I able to access this device? Is it due to a state being created and therefore bypassing all rules?



  • Firewall rules must be added to the interface where the initiating access is coming in.

    So if you want to block access to the switch from the other side of the OpenVPN go to the interface tab you have assigned to the vpn instance (or to the OpenVPN tab) and add a block rule to the top of the rule set with source = any and destination = 192.168.1.2.



  • @viragomann I figured that would work. But I'm still curious why I would be able to interact with the switch at all with the current configuration. All ingress traffic from that switch has a source address of 192.168.1.2 which is blocked. Just trying to understand is all. Thanks!



  • The switch will not initiate any connection at all.
    pfSense decides to block a connection on the basis of its initial SYN packet. If the rules allow the SYN to pass, pfSense stores the connection state and lets all subsequent packets of that connection pass as well (stateful filtering).
    So response packets of an already established connection are allowed to pass in any case.
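A small Python simulation of the stateful behaviour this answer describes, added here as an illustration (it is not pfSense code and was not part of the thread); the interface names, the VPN client address 192.168.2.10 and the port numbers are constructed for the example:

```python
# Simulation of the stateful filtering described above (not pfSense code): rules
# are checked only against the packet that opens a flow, on the interface where
# it arrives; later packets of that flow match a state entry and skip the rules.
from collections import namedtuple
from dataclasses import dataclass
# iface = interface the packet arrives on; syn = True only for the opening SYN.
Packet = namedtuple("Packet", "iface src dst sport dport syn")

@dataclass
class Rule:
    iface: str
    action: str   # "pass" or "block"
    src: str = "any"
    dst: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.src in ("any", p.src)
                and self.dst in ("any", p.dst))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules    # evaluated top to bottom, first match wins
        self.states = set()   # (src, sport, dst, dport) of flows already allowed

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.states or (p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass (state)"   # reply traffic never reaches the rule set
        if not p.syn:
            return "block"          # out-of-state packet that is not a SYN
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(flow)
                return r.action
        return "block"              # implicit default deny

def vpn_to_switch(extra_rules=()):
    """Replay the thread's scenario with constructed addresses; returns verdicts."""
    fw = StatefulFirewall(list(extra_rules) + [
        Rule("ovpn", "pass"),                       # tunnel allows 192.168.0.0/16
        Rule("mgmt", "block", src="192.168.1.2"),   # the rule from the question
        Rule("mgmt", "pass"),
    ])
    syn = Packet("ovpn", "192.168.2.10", "192.168.1.2", 40000, 22, True)
    reply = Packet("mgmt", "192.168.1.2", "192.168.2.10", 22, 40000, False)
    fresh = Packet("mgmt", "192.168.1.2", "192.168.2.10", 50000, 22, True)
    return [fw.filter(syn), fw.filter(reply), fw.filter(fresh)]
```

Calling `vpn_to_switch()` shows the SYN passing on the VPN interface, the switch's reply passing on state despite the block rule, and only a fresh connection from the switch being blocked; passing `[Rule("ovpn", "block", dst="192.168.1.2")]` reproduces the fix from the earlier answer, where no state is ever created.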