pfsense bypasses firewall rule



  • Hi. I won't detail exacly the background on what i'm trying to accomplish because that's a complicated story.

    my issue is: i have setup openvpn server in pfsense. it is working and clients can connect. i'm using certificate auth.

    i need to block a certain IP address from connecting, even with valid authentication, and for that i was expecting that creating a rule before my allow vpn rule would do it. somehow, pfsense is bypassing the rules i set for the vpn traffic.

    my vpn server listens on 4501 port. (you can ignore the 0 states on the bottom pass rule)

    0_1545331847259_firewall.jpg

    my expectation is that client from 123.123.123.123 (sample ip) wouldn't connect, but they do



  • are those your WAN rules?



  • yes



  • If the connection is active when you hit save you may have to flush your states to take down the connection..



  • i went as far as rebooting pfsense entirely to ensure the new rules would take place. but they didn't affect the traffic. i also went advanced settings and under "Firewall & NAT" i have checked the option "Disable all auto-added VPN rules."



  • This client is coming in via the WAN right?



  • yes... so client hits the WAN interface, which is listening on 4501/udp. they should hit the firewall rule in the order i displayed



  • what is interesting is that when i check states, the connection is shown on the loopback interface. maybe this has some correlation

    0_1545333616234_states1.jpg



  • This post is deleted!


  • I just killed all my VPN traffic off to test this. The firewall seems to initiate the state and when that happens the connection opens up.

    Go to status/openvpn and stop the service. Then go to diagnostic/states and kill the states.

    Go back to openvpn and restart the service.



  • @chpalmer thanks! it worked as you described!

    however, in the event of a reboot, do you know how would i prevent this issue from happening? (i'm assuming it's the order things are loaded, first vpn then filters... if that even makes sense)



  • @thenmanbr said in pfsense bypasses firewall rule:

    @chpalmer
    however, in the event of a reboot, do you know how would i prevent this issue from happening? (i'm assuming it's the order things are loaded, first vpn then filters... if that even makes sense)

    I do not.. I comes as a little bit of a surprise to me as well. I use separate VPN servers for each of my tunnels and Im the only road warrior connection here. If I was to stop a connection to a site I would first go to that site and delete the client.

    Can you try a "reject rule" and see if that does it?..


Log in to reply