IPSEC/OpenVPN disregards firewall rules

  • Hi all. I am missing something here. I'm not, shall we say, well versed with pfSense, since I set something up and it just works. No need to fiddle.

    I have a couple of IPsec tunnels to other sites and OpenVPN for laptops, plus a Raspberry Pi on a GSM stick in my summer house. All working just fine.

    I logged into my 'summer house' today and, figuring it was unnecessary to give it full access to my network due to a known vulnerability in its USB modem that I can't fix, I decided to block all but MQTT into my network.

    Here is what I seem to misunderstand and need help:

    I can't block traffic from OpenVPN. My only rule in 'Firewall/OpenVPN' is block all. Still, I can ping the remote. I blocked all from the OpenVPN virtual network to LAN, and I can still log in. I remember that with the first VPN I set up many years ago I did the opposite: I could not get it to work because I missed the Firewall/IPsec rule.

    I also tried to block all my IPsec tunnels, but I can still get traffic through.

    What am I misunderstanding?
    pfSense 2.4.4-RELEASE-p3 (amd64)

    Thanks in advance.

  • LAYER 8 Netgate

    The rules on OpenVPN block connections into your firewall, not out of it.

  • Oh, doh, right. When I ping the VPN client the traffic is allowed by my LAN rule and not subject to that ruleset; return traffic I assume is allowed because there is a state established. I see now that the remotes cannot initiate traffic if I place rules in 'OpenVPN'. Thanks.

