Netgate Discussion Forum

    RC1 blocks all openvpn traffic

    Firewalling
    7 Posts 5 Posters 3.4k Views
    • paulpach

      Hi, we just updated pfsense in our router to RC1, now the firewall blocks everything from TUN0. The openvpn connection is established with no problems, but if I try to ping or ssh into one of the machines behind the firewall, it blocks it.

      I know it is the firewall because I am looking at the firewall log in the webui, and I can see all my traffic being blocked.

      If I try to add a rule to the firewall (web ui) to let stuff from openvpn through, there is no option for it, only "wan, lan, pptp and pppoe".

      Please help, how do I tell the firewall not to block openvpn?

      • sullrich

        From a shell run:

        cvs_sync.sh releng_1

        • ecce

          Hi,

          I've had exactly the opposite problem.

          I have RC1a installed on my box and was used to creating firewall rules for OpenVPN on tunX interfaces.
          So I just restored the backup XML file from the BETA4 release and everything - except OpenVPN - was configured as before.
          OK, so I reconfigured OpenVPN as a server, found tun0 in "Assign interfaces", assigned it its previous name (TUN0) and voilà my firewall rules for TUN0 were there again.

          The only problem was that the rules didn't work - I had a "Block outbound netbios traffic" rule.
          After some searching I found the following passage in filter.inc which I had to comment out in order to get my rules working:

          ```php
          update_filter_reload_status("Setting up tun interfaces (openvpn)");
          /* openvpn tun interfaces: check tun0 through tun99 */
          for ($x = 0; $x < 100; $x++) {
          	if (does_interface_exist("tun{$x}") == true) {
          		/* unconditional pass rules in both directions; 'quick' ends
          		   evaluation at the first match, so later rules on the
          		   interface are never reached */
          		$rule .= "pass out quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
          		$rule .= "pass in quick on tun{$x} all keep state label \"let out anything from firewall host itself openvpn\"\n";
          	}
          }

          return $rule;
          ```

          I would suggest inserting something like a "Check this to allow all OpenVPN traffic" option on the OpenVPN configuration page, enabled by default, which just toggles the above code on or off, so users wanting more control could simply disable it.

          Regards,
          Marc

          -- murphy's rule: "there is always one error left."
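As an added illustration (not code from this thread or from pfSense), here is a small Python model of how pf evaluates a ruleset: the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation immediately. It shows why a user's block rule on TUN0 never fires while the generated `pass ... quick` rules sit ahead of it, and how the checkbox Marc proposes would change the outcome. The packet, the stand-in NetBIOS rule and the ordering (generated rules loaded before user rules) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Model of pf evaluation: the LAST matching rule decides, except that a
# matching rule marked 'quick' ends evaluation on the spot.
@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: str                      # e.g. "tun0"
    quick: bool = False
    proto: Optional[str] = None     # None matches any protocol
    dports: Optional[range] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"] and self.iface == pkt["iface"]
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dports is None or pkt["dport"] in self.dports))

def evaluate(rules: list, pkt: dict) -> str:
    verdict = "pass"  # pf's implicit default when no rule matches
    for r in rules:
        if r.matches(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

def generated_tun_rules(tun_ifaces: list, allow_all: bool = True) -> list:
    """What the filter.inc loop emits: 'pass out/in quick on tunX all'.
    allow_all is the hypothetical checkbox from the post; off emits nothing."""
    if not allow_all:
        return []
    return [Rule("pass", d, ifn, quick=True)
            for ifn in tun_ifaces for d in ("out", "in")]

def user_rules() -> list:
    # Constructed stand-in for the "Block outbound netbios traffic" rule on TUN0
    return [Rule("block", "out", "tun0", quick=True,
                 proto="udp", dports=range(137, 140))]

# Constructed packet: outbound NetBIOS name service over the tunnel
NETBIOS_PKT = {"dir": "out", "iface": "tun0", "proto": "udp", "dport": 137}

def verdict_with_toggle(allow_all: bool) -> str:
    # Assumes the generated rules are loaded ahead of the user's interface rules
    return evaluate(generated_tun_rules(["tun0"], allow_all) + user_rules(), NETBIOS_PKT)

if __name__ == "__main__":
    print("allow_all on :", verdict_with_toggle(True))   # pass
    print("allow_all off:", verdict_with_toggle(False))  # block
```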

          • ecce

            :o
            Oops! Found a very dramatic error in my previous post!

            You will have to leave the `return $rule;`

            
            Murphy's calling me… ;D
            
            Marc


            • Always

              @sullrich:

              From a shell run:

              cvs_sync.sh releng_1

              Is it possible to make an up to date CF image for embedded systems with the latest Releng1 code?

              Thanks

              • hoba

                http://pfsense.com/~sullrich/RELENG_1_SNAPSHOT-07-12-2006/

                • Always

                  Many thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.