Solved - OpenVPN firewall rule precedence w. both /30 & /24 servers

  • Gents

    I have had an OpenVPN setup with a central pfSense & five OVPN servers running, connecting five different L2L connected pfSense clients, using /30 connect nets, and having five /30 interfaces where I could do separate rules for the L2L clients. This is running excellently.

    Yesterday I created a new OVPN instance for roadwarriors, using a 10.129.x.x/24 as the client connect net.

    Those connections are coming in on the "OpenVPN" interface.
    If I permit any/any IPv4 on that interface, all is OK.

    If I introduce denies on the "OpenVPN" interface, I'm beginning to get strange denies via OVPN on the /30 L2L connections.

    It seems like the /30 L2L data first passes the "OpenVPN" interface, and then (maybe) later the L2L /30 interfaces. Is that correct?

    If I permit, i.e., all data coming from the L2L /30 interfaces on the "OpenVPN" interface,
    will the data then "drop down" to the /30 L2L interface rules, where I can do further firewalling?

    Or will the data "not hit" the L2L /30 interface rules if they get a "hit" on the "OpenVPN" interface?

    I hope I can "permit any !10.129.x.x/24" (everything not from roadwarriors) on the "OpenVPN" interface, and then do further firewalling from the L2L /30 connected remote pfSenses on their respective /30 OVPN interfaces.

    Is that the way it works on the latest 2.4.4-RELEASE-p3?


  • The default OpenVPN tab applies to all OpenVPN instances.
    Assign an interface and place your rules there.

  • That would be the excellent solution.
    How do I assign an interface for my /24 roadwarriors?

    Any hints would be appreciated

    Ahh ...
    Is it "hiding" in the interfaces list as, i.e., an openvpns6 interface, where I can select it?
    I can't log in to the server right now.

    That would be "elegant".


  • I got my Roadwarrior OpenVPN servers up & running.
    And it was as easy/elegant as I hoped, after the answer above.

    Just create the server, and "dig into" the available "unassigned" interfaces.
    Enable and name it, and "voila", you have gotten an interface to make your rules on.

    No need to have any rules at all under the "OpenVPN" interface.

    Thanks for this feature, Netgate.


    Edit: This page was inspirational
