Netgate Discussion Forum

Firewall Rules for OpenVPN Tab versus Interface Rules

11 Posts 3 Posters 946 Views
  • P
    powerextreme
    last edited by Aug 30, 2020, 4:23 PM

    Hello,

    Recently it became clear to me that I don't fully understand what is gained from creating an interface for an OpenVPN server or client server instances (network ports).

    I have rules in the OpenVPN tab to control the traffic coming in and out of the servers.

    Under Interfaces, if I wanted to create an interface for an OpenVPN server (network port) I have the option to select one and add the interface. What does this buy me?

    One thing I have noticed is that with my SNORT service, OpenVPN isn't an interface for it to monitor. Is this one benefit?

    • V
      viragomann
      last edited by Aug 31, 2020, 9:11 AM

      OpenVPN is an interface group including all OpenVPN instances you're running on pfSense, servers as well as clients.

      You need to add a specific interface to an OpenVPN instance for special functions and tasks which should not be applied to all OpenVPN instances or where the interface group doesn't fit.

      @powerextreme said in Firewall Rules for OpenVPN Tab versus Interface Rules:

      One thing I have noticed is that with my SNORT service

      Yes, that's one. You also need a specific interface for other services like DNS.

      Also it is necessary for policy routing rules to direct traffic to a VPN gateway.

      You also need to add an interface if you want to get the benefit of the reply-to function in pfSense.

      • P
        powerextreme
        last edited by Aug 31, 2020, 9:42 AM

        Thanks for the response. Which takes precedence?

        A rule in the OpenVPN tab?
        A rule in an interface created for an OpenVPN instance?

        • V
          viragomann
          last edited by Aug 31, 2020, 9:47 AM

          Rules on an interface group have priority over the ones on interface tabs.

          So if you assign an interface to an OpenVPN instance and add rules to it, you have to take care that rules on the OpenVPN tab are not applied to the same traffic, or remove all rules from it.

          • P
            powerextreme @viragomann
            last edited by Sep 2, 2020, 12:29 AM

            @viragomann
            Thanks but I don't fully understand.

            For example, if I added an interface and had a rule to allow 'any <-> any' but had a deny all in the OpenVPN tab, which would take preference?

            • R
              Rico LAYER 8 Rebel Alliance
              last edited by Sep 2, 2020, 5:08 AM

              deny all

              -Rico

              • P
                powerextreme
                last edited by Sep 2, 2020, 10:47 AM

                @Rico

                Let me flip it. If I had an OpenVPN tab rule for 'any <-> any' and had the following interface rules

                allow 'any' <-> IP1
                deny 'any' <-> IP2

                Would any traffic make it to IP2?

                • V
                  viragomann @powerextreme
                  last edited by Sep 2, 2020, 11:38 AM

                  @powerextreme
                  Yes. The conditions of the any to any rule on the OpenVPN tab will match the traffic and so the rule will be applied.

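
The evaluation order discussed in this thread, as an added example that is not part of any poster's reply and is not pfSense code: a simplified first-match model in which rules on the OpenVPN group tab are checked before the rules on an assigned interface's tab. The `Rule` class, the `evaluate` function and the 192.0.2.x addresses standing in for IP1 and IP2 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    dst: str = "any"     # "any", a host address or a CIDR network

    def matches(self, dst_ip: str) -> bool:
        if self.dst == "any":
            return True
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)

def evaluate(group_rules, iface_rules, dst_ip):
    """Return (action, deciding tab) for traffic entering an assigned OpenVPN interface.

    Assumed model: the OpenVPN group tab is checked before the assigned
    interface's tab, the first matching rule decides, and traffic that
    matches nothing is blocked by the default deny.
    """
    for tab, rules in (("OpenVPN tab", group_rules), ("interface tab", iface_rules)):
        for rule in rules:
            if rule.matches(dst_ip):
                return rule.action, tab
    return "block", "default deny"

# Constructed addresses standing in for IP1 and IP2 from the thread.
IP1, IP2 = "192.0.2.10", "192.0.2.20"
IFACE_RULES = [Rule("pass", IP1), Rule("block", IP2)]

def scenarios():
    return {
        "deny-all on group, allow-any on interface":
            evaluate([Rule("block")], [Rule("pass")], IP1),
        "allow-any on group, block IP2 on interface":
            evaluate([Rule("pass")], IFACE_RULES, IP2),
        "empty group tab, block IP2 on interface":
            evaluate([], IFACE_RULES, IP2),
        "empty group tab, pass IP1 on interface":
            evaluate([], IFACE_RULES, IP1),
    }

if __name__ == "__main__":
    for name, (action, tab) in scenarios().items():
        print(f"{name}: {action} (decided by {tab})")
```

The third and fourth scenarios show why the per-instance block rule only takes effect once the OpenVPN tab no longer matches the same traffic.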
                  • P
                    powerextreme
                    last edited by Sep 3, 2020, 7:16 PM

                    Re: Firewall Rules for OpenVPN Tab versus Interface Rules
                    @viragomann Thanks, so what is the point of having the interface? It seems like no matter what OpenVPN instance I have I need to put the rules that affect that instance in OpenVPN tab.

                    • R
                      Rico LAYER 8 Rebel Alliance
                      last edited by Sep 3, 2020, 7:22 PM

                      https://docs.netgate.com/pfsense/en/latest/book/openvpn/assigning-openvpn-interfaces.html

                      -Rico

                      • P
                        powerextreme
                        last edited by Sep 4, 2020, 11:18 PM

                        @Rico Thanks for the link! I don't know why I didn't go there first.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.