Pfblocker Permit Inbound Confusion

Tzvia

@blackops786187
But if I am reading it correctly, your LAN devices are, as far as PFSense is concerned, in the WAN. The VPN is not going to provide access to things in the WAN, from PFSense's perspective. It's for giving access to PFSense's LAN from the WAN. And you have nothing in the LAN, not even a ethernet port. No this is the wrong way to do things IMO. PFSense needs to be where your router is now. Your internal network needs to be on the LAN side. Router in bridge mode if the service permits it, OR worst case, PFSENSE in the router's DMZ with an internet IP on the WAN side, and all your internal items on the LAN side of PFSense.

I have both OpenVPN and IPSEC setup and yes I use them while on public wireless, even my phone using OpenVPN. No split tunnel, everything through my VPN encrypted and going OUT to the internet via my network/PFSense. I feel a little safer in public and can get to my NAS and servers if I need to. I used to run PFSense in a ESXI VM using two standard virtual 'switches' and two nics, one in the lan and the other in wan but now I am back to using a physical box.

Have you done any tests? Can you see anything?

johnpoz

So your wanting to just have pfsense wan in your routers lan - and use that for vpn access to stuff in your lan?

Hmmm - you would for sure have to source nat vpn traffic so it looks like its coming from pfsense wan IP for that to have any chance to work.

What are you outbound nat settings, what are you using for the tunnel network?

Lets forget any blocking for a second - does the vpn work? And your just wanting to limit who can talk to the vpn port? Ie you want only UK IPs to talk to it?

I would validate the vpn actually is working how you have it setup before you go to lock it down.

blackops786187

@johnpoz lol. Of course i made sure the vpn is functional before i considered locking it down. I can access the devices on my LAN without issue. Cant remember the exact tunnel network but its in the 10.x.x.x range. I've got the UK geoip whitelist working by using the alias native settings and choosing only the UK countries. I added that alias to the source of the OpenVPN rule and ive confirmed its working as intended

johnpoz

@blackops786187 said in Pfblocker Permit Inbound Confusion:

've got the UK geoip whitelist working by using the alias native settings and choosing only the UK countries. I added that alias to the source of the OpenVPN rule and ive confirmed its working as intended

That is how I would do it.. I use geoIP lists in pfblocker to limit could can talk my plex server for example.. And have the port different as well. To cut down on noise..