Netgate Discussion Forum

    Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?

      andrewglass3

      Morning all

      I think I might have an issue with my firewall and hoped you could give me some advice please?

      Under firewall > Rules I appear to have 2 openvpn interfaces listed however I only have 1 openvpn instance configured and wonder if someone could help me either remove the wrong entry or advise on why I see this please?

      I have attached the screen shot to show the above.

      [screenshot]

      Thank you for your help with this.

      Cheers

      Andy

        viragomann

        "OpenVPN" is an interface group covering all OpenVPN instances you're running. The tab is added by pfSense automatically as soon as you set up your first OpenVPN instance, either a server or a client.

        The "OPENVPN" interface may have been assigned by yourself, I assume.
        Also, it's not a good idea to give it such a universal name.

          bingo600

          AFAIK the pfSense generated interface has precedence on all OpenVPN instances.

          Do not put any rules there (unless you know what you are doing), if you want to use the "Own assigned" interfaces.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

            viragomann @bingo600

            @bingo600 said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

            AFAIK the pfSense generated interface has precedence on all OpenVPN instances.

            Yeah, as I said, it's an implicit interface group, and rules on interface groups generally have precedence over rules on interface tabs: https://pfsense-docs.readthedocs.io/en/latest/firewall/firewall-rule-processing-order.html

              bingo600 @viragomann

              @viragomann
              I have yet to use IF groups.

              Thanx for the precedence link.

              /Bingo

                andrewglass3

                Hi

                Thank you for your quick replies - I'm new to pfsense hence my lack of understanding. I'm really sorry but I'm still confused. How do I get rid of the one I shouldn't have there?

                  andrewglass3

                  If it helps there are no interfaces assigned under interface groups??
                  [screenshot]

                    bingo600 @andrewglass3

                    @andrewglass3

                    Easy - you leave the pfSense generated OpenVPN interface untouched.
                    And you rename your own named: OPENVPN interface, to something that does not resemble the pfSense generated interface-group name (that you can't get rid of)

                    /Bingo

                      andrewglass3

                      I have openvpn configured as a client btw connecting out - I have no local Openvpn servers running on pfsense

                        viragomann @andrewglass3

                        @andrewglass3
                        Now, have you assigned "OPENVPN" manually?
                        There are situations where an explicit interface for an OpenVPN instance is needed.

                        The interface group "OpenVPN" is implicitly added by pfSense, as mentioned above, and cannot be removed.

                          viragomann @andrewglass3

                          @andrewglass3 said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

                          I have openvpn configured as a client btw connecting out - I have no local Openvpn servers running on pfsense

                          If you do policy routing, you will need the manually assigned interface. If you want to route the whole upstream traffic over the VPN it's not needed.

                            bingo600 @viragomann

                            @viragomann said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

                            There are situations where an explicit interface for an OpenVPN instance is needed.

                            I'm always using explicit interfaces, both on L2L and RoadWarrior
                            I think it makes it easier to do specific rules for the setup.

                            /Bingo

                              andrewglass3

                              So under Status/Interfaces I can see this:

                              [screenshot]

                              Under Interfaces / Interface Assignments I see this:

                              [screenshot]

                              If I click on the Openvpn name on the list to the left of the drop down boxes I see this:

                              [screenshot]

                              Are you saying that pfsense will implicitly name an interface tab under firewall rules as seen here in the VPN section as a general interface firewall tab for all listed clients under it?

                              [screenshot]

                              I wonder if that other one, OPENVPN, is from another vpn tunnel that I connected to try and outbound nat specific vlan traffic down it, but then deleted as my system went very slow and laggy.. hmm

                              Sorry for the ramblings - like I say this is new to me - very different to my edgerouter 4 I've moved over from.

                              Cheers

                              Andy

                                viragomann @andrewglass3

                                @andrewglass3 said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

                                I wonder if that other one,

                                No. On the firewall rule page all interfaces are shown in upper case, while the OpenVPN interface group is in upper / lower case.

                                It's recommended to change the name of the OPENVPN interface you have assigned manually, to avoid confusion.

                                  andrewglass3 @viragomann

                                  @viragomann Thanks for your help - Where would I do that? Under what section?

                                    andrewglass3

                                    When I click on the dropdown for interfaces at the top I see this:

                                    [screenshot]

                                    When I click on the uppercase OPENVPN in that said dropdown I see this:

                                    [screenshot]

                                    Confused lol

                                      andrewglass3

                                      Ah got it :)

                                        andrewglass3

                                        So what confuses me then is you can name the interface that relates to the ovpnc1 adaptor. Is this really needed as it doesn't show in any interface groups? Or would you only assign ovpnc1 to an interface name if you wanted to do policy based routing and outbound NAT?

                                          viragomann @andrewglass3

                                          @andrewglass3 said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

                                          So what confuses me then is you can name the interface that relates to the ovpnc1 adaptor. Is this really needed as it doesn't show in any interface groups?

                                          The ovpnc1 is always a part of the OpenVPN group, even if it's not displayed.

                                          Assigning interfaces to OpenVPN instances is primarily needed for policy routing and for special routing back of response packets to a specific OpenVPN gateway (reply-to).

                                          In your case you will have to add an outbound NAT rule for the OpenVPN instance; however, this will also work by using the OpenVPN interface group. But you have to consider that this rule then bears on all OpenVPN instances.

                                            JeGr LAYER 8 Moderator

                                            @viragomann said in Appear to have two interfaces listed under firewall rules when I only have 1 openvpn configured?:

                                            So what confuses me then is you can name the interface that relates to the ovpnc1 adaptor. Is this really needed as it doesn't show in any interface groups?

                                            Because it is NOT a manually added interface group but an automatically generated Group Tab - same as if you create an IPSec tunnel or dial-in connection, an IPSec Tab will show up that is an interface group over all IPSec connections you have.

                                            You can manually add interfaces to interface groups -> those will show up as separate tabs with the defined name as well - and will be listed under interface groups as you manually added them. "IPsec" and "OpenVPN" (watch the upper/lowercase) are automatically created interface groups that will pop into existence as soon as one interface of their type is created and in use. :)

                                            For all other details check out the link @viragomann gave you and read up on interface groups and handling :)

                                            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
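
Added example, not part of any post in this thread and not Netgate code: a small audit of a configuration backup for the two situations discussed above, an assigned interface named like an automatic group tab, and pass rules on the OpenVPN group tab that are evaluated before block rules on an assigned OpenVPN interface. The XML element names, the `openvpn` value for the group tab and the sample configuration are assumptions; the shadowing check is a coarse heuristic that does not compare match criteria.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread. The element names and the
# "openvpn" value for the group tab are assumptions about config.xml.
SAMPLE_CONFIG = """
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>ovpnc1</if><descr>OPENVPN</descr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>openvpn</interface><descr>allow all from tunnel</descr></rule>
    <rule><type>block</type><interface>opt1</interface><descr>block tunnel to LAN</descr></rule>
    <rule><type>pass</type><interface>lan</interface><descr>default LAN out</descr></rule>
  </filter>
</pfsense>
"""

AUTO_GROUP_NAMES = ("openvpn", "ipsec")  # automatic tabs named in the thread
GROUP_TAB = "openvpn"                    # assumed <interface> value of the group tab


def audit(config_xml):
    """Report name collisions and group-tab rules that precede interface rules."""
    root = ET.fromstring(config_xml)
    rules = [(r.findtext("interface", ""), r.findtext("type", ""), r.findtext("descr", ""))
             for r in root.iterfind("filter/rule")]
    group_rules = [r for r in rules if r[0] == GROUP_TAB]
    findings = {"name_collisions": [], "group_rules": group_rules, "shadow_risk": []}
    for node in root.find("interfaces"):
        name = node.findtext("descr", node.tag)
        if name.lower() in AUTO_GROUP_NAMES:
            findings["name_collisions"].append(name)
        # Only assigned OpenVPN instances (ovpnc*/ovpns*) belong to the group.
        if not node.findtext("if", "").startswith(("ovpnc", "ovpns")):
            continue
        own_blocks = [r for r in rules if r[0] == node.tag and r[1] == "block"]
        group_pass = [r for r in group_rules if r[1] == "pass"]
        # Group-tab rules are evaluated before the interface tab, so a group
        # pass rule can decide traffic before an interface block is reached.
        if own_blocks and group_pass:
            findings["shadow_risk"].append(name)
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```
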
