Firewall traffic between S2S?
-
I have an OpenVPN S2S setup between Site A [10.1.0.0/16] and Site B [10.2.0.0/16] with the S2S Interface on 10.255.0.0/24. Right now, I have everything working and traffic flowing great between the sites. The S2S is over L3 tun.
However, for security reasons, I want to "Block All" traffic from Site B into Site A and only allow specific traffic by firewall rules. So far, I'm not having any luck at all with the "Block All" rules, and it just passes all traffic through no matter what I've tried.
I've tried adding the following Block All rules to my WAN, LAN, and S2S interfaces to no avail:
Source = 10.2.0.0/16 Destination = *
and
Source = 10.255.0.0/24 Destination = *
Neither of these rules seems to be catching any packets at all, looking at the stats next to the rules, which has me quite confused. Does anyone have any insights on how to firewall traffic between OpenVPN S2S?
-
Firewall Rules for OpenVPN in pfSense work just as for any other Interface, so you must have something wrong in your config.
A common mistake is to add rules to the assigned OpenVPN interface but have other rules like any-any in the OpenVPN group tab. Group tabs are processed before interface tabs.
-Rico
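The ordering problem described in the answer above can be checked from the pfSense shell instead of by eyeballing the GUI tabs. The following is an added example, not code from the thread or from pfSense: it reads the loaded ruleset in the one-rule-per-line form printed by `pfctl -sr` and reports any `pass ... quick on openvpn` rule with an unrestricted `from any to any` match that sits above the first `block` rule on a given assigned OpenVPN interface. The interface name `ovpns1`, the rule labels and the sample ruleset are all constructed for the demonstration; pfSense's automatically created interface group really is named `openvpn`.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): find a pass-any rule on the
# "openvpn" interface group that shadows block rules on an assigned OpenVPN
# interface. Input is the loaded ruleset as printed by `pfctl -sr`, one rule
# per line, in the order pf evaluates them.

# Constructed sample of `pfctl -sr` output reproducing the mistake from the
# thread: the group tab's any/any pass rule is evaluated before the interface
# tab's block rules, so the block rules never see a packet. Interface name
# ovpns1 and the labels are assumed, not taken from the original post.
SAMPLE_RULES='pass in quick on openvpn inet from any to any flags S/SA keep state label "USER_RULE: OpenVPN Remote Access wizard"
block drop in quick on ovpns1 inet from 10.2.0.0/16 to any label "USER_RULE: Block all Site B"
block drop in quick on ovpns1 inet from 10.255.0.0/24 to any label "USER_RULE: Block tunnel net"
pass in quick on ovpns1 inet proto tcp from 10.2.0.0/16 to 10.1.0.10 port = 443 flags S/SA keep state label "USER_RULE: allow https"'

# shadowed_pass_rules IFACE
#   Reads rules on stdin. Prints every "pass in|out quick on openvpn ... from
#   any to any" line that appears before the first "block ... on IFACE" rule.
#   Exit status 0 if at least one shadowing rule was found, 1 otherwise.
shadowed_pass_rules() {
    iface="$1"
    awk -v iface="$iface" '
        # A quick pass on the group with no source/destination restriction
        # matches everything that arrives on any member interface, so no
        # later rule on ovpnsN/ovpncN is ever evaluated for that traffic.
        /^pass (in|out) quick on openvpn / && / from any to any/ && !seen_block {
            print "shadowing rule at line " NR ": " $0
            found = 1
        }
        # Once the first block rule on the assigned interface has been seen,
        # pass rules that follow it are ordered correctly and are not reported.
        $1 == "block" && $0 ~ (" on " iface " ") { seen_block = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# Usage on a live firewall: pfctl -sr | shadowed_pass_rules ovpns1
# The demo below runs against the constructed sample instead.
if [ -z "${NO_DEMO:-}" ]; then
    if printf '%s\n' "$SAMPLE_RULES" | shadowed_pass_rules ovpns1; then
        echo "fix: remove or restrict the pass rule on the OpenVPN group tab"
    else
        echo "no shadowing pass rule found on the openvpn group"
    fi
fi
```

On a real system the rule counters the original poster was watching are visible with `pfctl -vsr`; a block rule whose `Evaluations` counter stays at zero while traffic flows is exactly the symptom of being shadowed by an earlier `quick` rule, which is what this check looks for.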
-
Thanks Rico, that actually helped a lot. I didn't realize the "OpenVPN" tab on the Firewall Rules section was an interface group and that those rules applied before individual interfaces. I had a Pass-All rule still lingering there as a remnant of using the Wizard for Remote Access too. Removing that rule did the trick and now I am able to set firewalls as normal on the Interface Group!
-
Glad you have it working now.
-Rico