Netgate Discussion Forum

    OpenVPN (client/server) routing confusion

    Firewalling
    4 Posts 2 Posters 456 Views
    bhjitsense

      I have an OpenVPN interface on 192.168.2.0/24. In the VPN tunnel settings I have the local network set to the entire 192.168.0.0/16 network to allow access to all subnets on my network. On my management subnet, I have a switch at 192.168.1.2. To play around, I set a rule on that management interface to block traffic from source 192.168.1.2. I assumed I would then not be able to access this switch at all via the VPN...but see that I'm able to. I can access via SSH and HTTP. Where am I wrong in my thinking? Why am I able to access this device? Is it due to a state being created and therefore bypassing all rules?

    viragomann

        Firewall rules must be added to the interface where the initiating access is coming in.

        So if you want to block access to the switch from the other side of the OpenVPN, go to the interface tab you have assigned to the VPN instance (or to the OpenVPN tab) and add a block rule to the top of the rule set with source = any and destination = 192.168.1.2.

    bhjitsense @viragomann

          @viragomann I figured that would work. But I'm still curious why I would be able to interact with the switch at all with the current configuration. All ingress traffic from that switch has a source address of 192.168.1.2, which is blocked. Just trying to understand is all. Thanks!

    viragomann

            The switch will not initiate any connection at all.
            pfSense decides whether to block a connection on the basis of its initial SYN packet. If the rules allow the SYN to pass, pfSense stores the connection state and lets all subsequent packets of that connection pass as well (stateful filtering).
            So response packets of an already established connection are allowed to pass in any case.

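The behaviour described in the thread, shown as an added simulation that is not part of the original posts and not pfSense/pf code: a minimal stateful filter in Python that evaluates rules only on the first (SYN) packet of a connection and lets later packets of an established state through without consulting the rules. It models the poster's setup (a block rule on the management interface for source 192.168.1.2) and the fix viragomann suggests (a block rule on the OpenVPN interface for destination 192.168.1.2). The VPN client address 192.168.2.10, the interface names `openvpn` and `mgmt`, and the single global state table are assumptions made for the example; real pf also tracks ports, protocols and per-interface states, which this deliberately leaves out.

```python
import ipaddress
from dataclasses import dataclass, field


def in_net(addr: str, spec: str) -> bool:
    """Match an address against 'any', a single host, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS the firewall on
    src: str
    dst: str
    syn: bool    # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    iface: str           # rules are bound to the ingress interface, as in pfSense
    action: str          # "pass" or "block"
    src: str = "any"
    dst: str = "any"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and in_net(pkt.src, self.src)
                and in_net(pkt.dst, self.dst))


@dataclass
class StatefulFirewall:
    rules: list                                  # top to bottom, first match wins
    states: set = field(default_factory=set)     # (src, dst) pairs whose SYN was passed

    def filter(self, pkt: Packet) -> str:
        # Simplification (assumption): one global state table, no ports, no
        # interface-bound states. An established state passes traffic in BOTH
        # directions without looking at the rule set again.
        if (pkt.src, pkt.dst) in self.states or (pkt.dst, pkt.src) in self.states:
            return "pass:state"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and pkt.syn:
                    self.states.add((pkt.src, pkt.dst))   # state created on the SYN
                return rule.action
        return "block"                                    # implicit default deny


VPN_CLIENT = "192.168.2.10"   # constructed: a client inside the OpenVPN tunnel net
SWITCH = "192.168.1.2"        # the management switch from the thread


def run_scenario(extra_openvpn_rules=()):
    """Return (verdict on the VPN client's SYN, verdict on the switch's reply)."""
    rules = [
        *extra_openvpn_rules,
        # tunnel "local network" is 192.168.0.0/16, so the OpenVPN rule is that wide
        Rule("openvpn", "pass", src="192.168.2.0/24", dst="192.168.0.0/16"),
        Rule("mgmt", "block", src=SWITCH),   # the original poster's rule
        Rule("mgmt", "pass"),
    ]
    fw = StatefulFirewall(rules)
    syn_verdict = fw.filter(Packet("openvpn", VPN_CLIENT, SWITCH, syn=True))
    # The switch's SYN/ACK enters on the management interface with src 192.168.1.2.
    # (With the fixed config the switch never sees the SYN, so this reply is
    # hypothetical there; it is filtered anyway to show that no state exists.)
    reply_verdict = fw.filter(Packet("mgmt", SWITCH, VPN_CLIENT, syn=False))
    return syn_verdict, reply_verdict


def original_config():
    """Poster's setup: block rule only on the management interface."""
    return run_scenario()


def fixed_config():
    """viragomann's fix: block dst 192.168.1.2 at the top of the OpenVPN rules."""
    return run_scenario([Rule("openvpn", "block", dst=SWITCH)])


def switch_initiated():
    """A connection the switch itself opens is what the mgmt block rule stops."""
    fw = StatefulFirewall([Rule("mgmt", "block", src=SWITCH), Rule("mgmt", "pass")])
    return fw.filter(Packet("mgmt", SWITCH, VPN_CLIENT, syn=True))


if __name__ == "__main__":
    print("original config (SYN, reply):", original_config())   # ('pass', 'pass:state')
    print("fixed config    (SYN, reply):", fixed_config())      # ('block', 'block')
    print("switch-initiated SYN:       ", switch_initiated())   # 'block'
```

The first result is the thread's answer in code: the SYN from the VPN client enters on the OpenVPN interface, where nothing blocks it, a state is recorded, and the switch's reply (source 192.168.1.2 on the management interface) matches that state before the management rules are ever evaluated. Moving the block to the OpenVPN interface stops the SYN itself, so no state is created and nothing flows in either direction.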
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.