Using Open VPN service on XG-7100, prevent LAN clients connecting
-
@JKnott you must have worked with another kind of firewall that provides a VPN client (ex: SonicWall). In my experience, you don't have to roll your sleeves up to prevent LAN traffic from initiating the VPN - you can't go in through the out door.
What I'm not understanding is why there isn't a prefab to do this?
-
I mean, if you go back to the first comments, it's clear that there was a misunderstanding. One which was not admitted to.
-
Is that SonicWall just a firewall? Or firewall/router? Entirely different devices. The purpose of a router is to route packets from one network to another. pfSense does that, but also has filtering so that it can be used as a firewall. Since the LAN and WAN are different networks, pfSense routes the packets. It makes no difference what the address is; if it's on the WAN interface, it gets routed in that direction, just as would a packet for the ISP's gateway. Then there's the added factor that the WAN address is one of at least two valid addresses for the pfSense box. You're asking for something extra to block that VPN connection, and that is a rule on the LAN interface. Also, think of other things that you might want to do. For example, in testing, you may want to use a specific interface to ensure routing is working. So, from the LAN, you could ping the WAN address to verify it works. Or you could tell it to ping from a specific interface out onto the LAN. If you ping from the WAN, the replies have to be able to come back. Again, you have to configure what you want with the rules. That's what they're there for.
-
There is usually no reason to block clients connecting to a VPN from an internal interface. If they have access to the VPN then it's not a security issue anyway. At worst it might cause routing issues for clients who accidentally connect to the VPN when they are on the internal subnet.
If you don't want that to ever happen for some reason, you can make a floating reject rule with destination WAN address and port the VPN port and apply that to all the interfaces you want it on.
Steve
-
@stephenw10 thanks for an easy answer. :D