What FW Rule do I need to allow users internet access?
-
How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I don't want to put in a default allow rule to allow any traffic anywhere on my network.
What am I missing?
-
@behemyth
WAN address is only the WAN IP, and WAN net is its subnet. Access to either of them is not what you want for the VPN client.
If you want to prohibit access to your local network, you can either add a block rule with your internal network as destination above the pass rule, or exclude your internal network from the pass rule. The latter can be done by checking "invert" at destination and entering your local subnets. In both cases, if you have multiple internal subnets you should add them to an alias and use this one in the destination section of the rule.
It's generally good advice to have an alias including all RFC1918 networks, so you can use this one to ensure that the rule covers all internal networks. If you use the pass rule, consider putting it below the allow-DNS rule.
-
@behemyth said in What FW Rule do I need to allow users internet access?:
How do I allow a client access to the internet when they are connected to the VPN? I have a rule allowing them to hit the DNS servers, but any rule I make allowing the traffic to WAN NET or WAN address all fail. I don't want to put in a default allow rule to allow any traffic anywhere on my network.
What am I missing?
There are a few different ways to do it:
One option:
- Pass - Tunnel Network/DNS server Alias
- Block - Tunnel Network/LAN net (or alias for multiple networks)
- Pass - Tunnel Network/any
Another option:
- Pass - Tunnel Network/DNS server Alias
- Pass - Tunnel Network/Invert Match LAN net (or alias for multiple networks)
Also, considering there's no local access... unless there's a reason you want your clients using your DNS server(s), I would actually remove access to DNS altogether and push them Google DNS.
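To make the two rule orderings from the replies above concrete (and to show why a pass rule to "WAN net" does not give internet access), here is an added first-match rule evaluator in Python. It is example code written for this thread, not pfSense code; the tunnel, LAN, WAN and DNS-server addresses are constructed sample values, and the DNS rule is narrowed to port 53 as an assumption the posts did not state.

```python
"""First-match evaluation of the VPN-client rule sets discussed in the thread.

pfSense interface rules are evaluated top to bottom, first match wins, and a
packet matching no rule hits the implicit default deny. The aliases below are
constructed sample values, not anyone's real networks.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

TUNNEL_NET = [ip_network("10.8.0.0/24")]        # assumed OpenVPN tunnel network
LAN_NET = [ip_network("192.168.1.0/24")]         # assumed single LAN
WAN_NET = [ip_network("203.0.113.0/24")]         # assumed WAN subnet (TEST-NET-3)
DNS_SERVERS = [ip_network("192.168.1.53/32")]    # assumed internal resolver alias
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]         # alias covering all private ranges
ANY = None                                       # "any" source/destination


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: Optional[Sequence]          # list of networks, or None for any
    dst: Optional[Sequence]
    dst_invert: bool = False         # pfSense "Invert match" on destination
    dport: Optional[int] = None      # None matches any destination port


def _in_alias(addr, alias) -> bool:
    return alias is None or any(addr in net for net in alias)


def matches(rule: Rule, src, dst, dport) -> bool:
    if not _in_alias(src, rule.src):
        return False
    dst_hit = _in_alias(dst, rule.dst)
    if rule.dst_invert:
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the verdict for one flow: the action of the first matching rule, else 'block'."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action
    return "block"


# "One option": explicit block of private space above a pass-any.
OPTION_ONE = [
    Rule("pass", TUNNEL_NET, DNS_SERVERS, dport=53),
    Rule("block", TUNNEL_NET, RFC1918),
    Rule("pass", TUNNEL_NET, ANY),
]

# "Another option": a single pass rule with the private alias inverted.
OPTION_TWO = [
    Rule("pass", TUNNEL_NET, DNS_SERVERS, dport=53),
    Rule("pass", TUNNEL_NET, RFC1918, dst_invert=True),
]

# What the original poster tried: pass to "WAN net" only matches the WAN subnet itself.
WAN_NET_ATTEMPT = [
    Rule("pass", TUNNEL_NET, DNS_SERVERS, dport=53),
    Rule("pass", TUNNEL_NET, WAN_NET),
]

# Option one with the pass-any above the block: ordering mistake that exposes the LAN.
MISORDERED = [OPTION_ONE[0], OPTION_ONE[2], OPTION_ONE[1]]

RULESETS = {"option_one": OPTION_ONE, "option_two": OPTION_TWO,
            "wan_net_attempt": WAN_NET_ATTEMPT, "misordered": MISORDERED}


def compare(src: str, dst: str, dport: Optional[int] = None) -> dict:
    """Verdict of every ruleset for one flow, for side-by-side comparison."""
    return {name: evaluate(rules, src, dst, dport) for name, rules in RULESETS.items()}


if __name__ == "__main__":
    # Constructed sample flows from a VPN client at 10.8.0.5.
    for dst, port, what in [("192.168.1.53", 53, "internal DNS"),
                            ("192.168.1.10", 445, "LAN file server"),
                            ("1.1.1.1", 443, "public web site")]:
        print(f"{what:16} -> {dst}:{port}  {compare('10.8.0.5', dst, port)}")
```

Running it shows that both options pass DNS and public destinations while blocking the LAN host, that the "WAN net" rule blocks the public destination (its only match is the WAN subnet itself), and that moving the pass-any above the block rule silently re-opens the LAN.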