Netgate Discussion Forum

    Solved - OpenVPN firewall rule precedence w. both /30 & /24 servers

bingo600 (last edited by bingo600)

      Gents

I have had an OpenVPN setup with a central pfSense and five OVPN servers running, connecting five different L2L-connected pfSense clients, using /30 connect nets, and having five /30 interfaces where I could do separate rules for the L2L clients. This is running excellently.

Yesterday I created a new OVPN instance for roadwarriors, using a 10.129.x.x/24 as the client connect net.

Those connections are coming in on the "OpenVPN" interface.
If I permit any/any IPv4 on that interface, all is OK.

If I introduce denies on the "OpenVPN" interface, I'm beginning to get strange denies via OVPN on the /30 L2L connections.

It seems like the /30 L2L data first passes the "OpenVPN" interface, and then (maybe) later the L2L /30 interfaces. Is that correct?

If I permit, e.g., all data coming from the L2L /30 interfaces on the "OpenVPN" interface,
will the data then "drop down" to the /30 L2L interface rules, where I can do further firewalling?

Or will the data "not hit" the L2L /30 interface rules if it gets a "hit" on the "OpenVPN" interface?

I hope I can "permit any !10.129.x.x/24" (everything not from roadwarriors) on the "OpenVPN" interface, and then do further firewalling from the L2L /30-connected remote pfSenses on their respective /30 OVPN interfaces.

Is that the way it works on the latest 2.4.4-RELEASE-p3?

      /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

pfSense+ 23.05.1 (ZFS)

QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

Pippin

        The default OpenVPN tab applies to all OpenVPN instances.
        Assign an interface and place your rules there.

        I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
        Halton Arp

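The rule order the question asks about and the answer relies on, as an added example that is not part of the thread and not Netgate's code: pfSense evaluates floating rules first, then the interface-group rules on the "OpenVPN" tab (the group that contains every ovpns/ovpnc interface, assigned or not), then the rules of the assigned interface, and group and interface rules are "quick" by default, so the first match ends evaluation and later tabs are never consulted. The small model below uses constructed subnets, hosts and interface names (ovpns1 for one of the /30 L2L tunnels, ovpns6 for the /24 roadwarrior server) to show why a "permit any !10.129.x.x/24" on the OpenVPN tab does not "drop down" to the /30 interface rules, why a deny placed on that tab also hits the L2L tunnels, and why an empty OpenVPN tab with rules on the assigned interfaces gives the intended result.

```python
"""
Added example, not from the forum thread and not Netgate's code: a model of
the order in which pfSense evaluates firewall rules for traffic arriving on
an OpenVPN instance.  Order: floating rules, then the "OpenVPN" interface-
group tab, then the assigned interface's own tab.  Group and interface rules
are quick by default, so the first match wins.  All addresses, hosts and
interface names below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str, str]  # (action, tab that decided, rule description)


def _in(spec: str, addr) -> bool:
    """Match an address against 'any', a CIDR, or a negated CIDR ('!10.0.0.0/8')."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (addr in ip_network(spec.lstrip("!"), strict=False)) != negate


@dataclass
class Rule:
    action: str              # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    quick: bool = True       # pfSense default for group and interface rules
    descr: str = ""

    def matches(self, src, dst) -> bool:
        return _in(self.src, src) and _in(self.dst, dst)


@dataclass
class Packet:
    iface: str   # ingress OpenVPN interface, e.g. "ovpns1" (/30 L2L) or "ovpns6" (/24 roadwarriors)
    src: str
    dst: str


@dataclass
class Ruleset:
    floating: List[Rule] = field(default_factory=list)
    openvpn_group: List[Rule] = field(default_factory=list)         # the "OpenVPN" tab
    per_iface: Dict[str, List[Rule]] = field(default_factory=dict)  # assigned-interface tabs

    def evaluate(self, pkt: Packet) -> Verdict:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        last: Optional[Verdict] = None
        for tab, rules in (("floating", self.floating),
                           ("OpenVPN", self.openvpn_group),
                           (pkt.iface, self.per_iface.get(pkt.iface, []))):
            for r in rules:
                if not r.matches(src, dst):
                    continue
                if r.quick:
                    return r.action, tab, r.descr   # first quick match wins; later tabs never run
                last = (r.action, tab, r.descr)     # non-quick (floating only): last match wins
        return last or ("block", "default", "implicit default deny")


# Constructed addresses standing in for the thread's topology.
RW_NET = "10.129.1.0/24"     # roadwarrior client net (thread: 10.129.x.x/24)
MGMT = "192.168.1.10/32"     # an internal host the L2L peer must not reach


def per_interface_rules() -> Dict[str, List[Rule]]:
    """Rules the admin wants on the assigned interfaces (constructed)."""
    return {
        "ovpns1": [Rule("block", dst=MGMT, descr="L2L peer may not reach mgmt host"),
                   Rule("pass", descr="L2L: everything else")],
        "ovpns6": [Rule("pass", dst="10.0.0.0/8", descr="roadwarriors to internal nets"),
                   Rule("block", descr="roadwarriors: everything else")],
    }


def ruleset_as_proposed() -> Ruleset:
    """The question's idea: 'pass any !10.129.x.x/24' on the OpenVPN tab."""
    return Ruleset(openvpn_group=[Rule("pass", src="!" + RW_NET, descr="permit all non-roadwarrior")],
                   per_iface=per_interface_rules())


def ruleset_as_answered() -> Ruleset:
    """The answer's advice: nothing on the OpenVPN tab, rules on the assigned interfaces."""
    return Ruleset(per_iface=per_interface_rules())


def ruleset_with_block_on_group_tab() -> Ruleset:
    """A deny on the OpenVPN tab meant for roadwarriors also hits every L2L tunnel."""
    return Ruleset(openvpn_group=[Rule("block", dst=MGMT, descr="keep roadwarriors off mgmt host")],
                   per_iface=per_interface_rules())


L2L_TO_MGMT = Packet("ovpns1", "10.0.1.2", "192.168.1.10")
RW_TO_INTERNAL = Packet("ovpns6", "10.129.1.7", "10.0.5.20")

if __name__ == "__main__":
    for name, rs in (("proposed", ruleset_as_proposed()),
                     ("answered", ruleset_as_answered()),
                     ("block on group tab", ruleset_with_block_on_group_tab())):
        print(name, L2L_TO_MGMT, rs.evaluate(L2L_TO_MGMT))
        print(name, RW_TO_INTERNAL, rs.evaluate(RW_TO_INTERNAL))
```

In the "proposed" ruleset the L2L packet to the management host is passed by the OpenVPN-tab rule and the block on ovpns1 is never reached; with the OpenVPN tab empty, ovpns1 decides and blocks it; with a deny on the OpenVPN tab, the L2L tunnel is denied too, which is the "strange denies" the question describes. On a live pfSense the generated ruleset in `/tmp/rules.debug` (or `pfctl -sr`) lists the group rules ahead of the per-interface rules, which is the order modelled here.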
bingo600 (last edited by bingo600)

That would be the excellent solution.
How do I assign an interface for my /24 roadwarriors?

Any hints would be appreciated.

Edit:
Ahh...
Is it "hiding" in the interfaces list as, e.g., the openvpns6 interface, where I can select it?
I can't log in to the server right now.

That would be "elegant".

/Bingo

bingo600 (last edited by bingo600)

I got my roadwarrior OpenVPN servers up and running.
And it was as easy/elegant as I hoped, after the answer above.

Just create the server, and "dig into" the available "unassigned" interfaces.
Enable and name it, and "voila", you have an interface to make your rules on.

            No need to have any rules at all under the "OpenVPN" interface.

Thanks for this feature, Netgate.

            /Bingo

            Edit: This page was inspirational
            https://turbofuture.com/computers/How-to-Setup-a-Remote-Access-VPN-Using-pfSense-and-OpenVPN

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.