Solved - OpenVPN firewall rule precedence w. both /30 & /24 servers
I have had an OpenVPN setup with a central pfSense & five OVPN servers running, connecting five different L2L-connected pfSense clients, using /30 connect nets, and having five /30 interfaces where I could do separate rules for the L2L clients. This is running excellently.
Yesterday I created a new OVPN instance for road warriors, using a 10.129.x.x/24 as the client connect net.
Those connections are coming in on the "OpenVPN" interface.
If I permit any/any IPv4 on that interface, all is OK.
If I introduce denies on the "OpenVPN" interface, I'm beginning to get strange denies via OVPN on the /30 L2L connections.
It seems like the /30 L2L data first passes the "OpenVPN" interface, and then (maybe) later the L2L /30 interfaces. Is that correct?
If I permit, i.e., all data coming from the L2L /30 interfaces on the "OpenVPN" interface, will the data then "drop down" to the /30 L2L interface rules, where I can do further firewalling?
Or will the data "not hit" the L2L /30 interface rules if they get a "hit" on the "OpenVPN" interface?
I hope I can "permit any !10.129.x.x/24" (everything not from road warriors) on the "OpenVPN" interface, and then do further firewalling from the L2L /30 connected remote pfSenses on their respective /30 OVPN interfaces.
Is that the way it works on the latest 2.4.4-RELEASE-p3?
Pippin last edited by
The default OpenVPN tab applies to all OpenVPN instances.
Assign an interface and place your rules there.
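As an added illustration (not code from the thread or from pfSense), a small Python model of the evaluation order the answer describes: rules on the shared "OpenVPN" group tab are checked before the assigned interface's own tab, the first match wins, and unmatched traffic is blocked. Interface names, networks and rules below are constructed.

```python
# Added example: model of group-tab-then-interface-tab rule evaluation.
# Assumption: the shared "OpenVPN" tab is evaluated first, then the assigned
# interface's tab; first match wins; no match means block (default deny).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    tab: str             # "OpenVPN" (group tab) or an assigned interface name
    action: str          # "pass" or "block"
    src: str             # source CIDR or "any"
    negate: bool = False # models the "not" (!) checkbox on the source field

    def matches(self, src_ip: str) -> bool:
        hit = self.src == "any" or ip_address(src_ip) in ip_network(self.src)
        return not hit if self.negate else hit


def evaluate(rules, iface: str, src_ip: str):
    """Return (action, tab) of the first matching rule for a packet that
    arrived on assigned interface `iface` with source address `src_ip`."""
    for tab in ("OpenVPN", iface):          # group tab first, then interface tab
        for r in rules:
            if r.tab == tab and r.matches(src_ip):
                return r.action, tab
    return "block", "default"               # nothing matched: default deny


# Constructed topology: an L2L /30 tunnel assigned as "L2L1", a road warrior
# /24 instance assigned as "RW".
L2L1_NET = "10.10.1.0/30"
RW_NET = "10.129.1.0/24"

# Problem configuration: a block on the shared tab catches the L2L traffic
# before its own interface tab is ever consulted.
problem_rules = [
    Rule("OpenVPN", "block", "any"),   # meant for road warriors only
    Rule("L2L1", "pass", L2L1_NET),    # never reached
]

# Fix from the thread: leave the OpenVPN tab empty, rule per assigned interface.
fixed_rules = [
    Rule("L2L1", "pass", L2L1_NET),
    Rule("RW", "pass", RW_NET),
]

# The alternative the question proposed: pass everything except road warriors
# on the shared tab. A hit there means the L2L1 tab is not consulted at all.
negated_rules = [
    Rule("OpenVPN", "pass", RW_NET, negate=True),
    Rule("L2L1", "block", L2L1_NET),   # shadowed for L2L traffic
]
```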
That would be the excellent solution.
How do I assign an interface for my /24 road warriors?
Any hints would be appreciated.
Is it "hiding" in the interfaces list as, i.e., the openvpns6 interface, where I can select it?
I can't log in to the server right now.
That would be "elegant".
I got my road warrior OpenVPN servers up & running.
And it was as easy/elegant as I hoped, after the answer above.
Just create the server, and "dig into" the available "unassigned" interfaces.
Enable and name it, and "voila", you have gotten an interface to make your rules on.
No need to have any rules at all under the "OpenVPN" interface.
Thanks for this feature, Netgate.
Edit: This page was inspirational.