Netgate Discussion Forum
    LAN to local server rule?

    Category: OpenVPN
    11 Posts 3 Posters 867 Views
    • A
      AndrewZ
      last edited by AndrewZ

      Could be a stupid question, but is it necessary to have a rule to allow traffic from LAN to a local server? Local means it resides on the same pfSense router.
      Everything has worked for me for a long time - a few servers, remote subnets, etc. I just realized that I do not have an explicit rule on LAN that allows traffic from LAN to the local server(s) itself and further.
      I do have a Default allow LAN to any rule, but the Gateway is set to a specific WAN group, not an asterisk.

      Bob.DigB johnpozJ 2 Replies Last reply Reply Quote 0
      • Bob.DigB
        Bob.Dig LAYER 8 @AndrewZ
        last edited by

        @andrewz said in LAN to local server rule?:

        to allow traffic from LAN to local server?

        Is the local server in LAN too? Then you don't need any rule, because they can talk to each other via a switch, no firewall between them.

        A 1 Reply Last reply Reply Quote 0
        • A
          AndrewZ @Bob.Dig
          last edited by AndrewZ

          @bob-dig
          no, my question was not that stupid ;)
          I'm talking about the server that sits on the same pfSense router and has its own interface there, so from my perspective there is a firewall between LAN and ovpns1.

          Bob.DigB 1 Reply Last reply Reply Quote 0
          • Bob.DigB
            Bob.Dig LAYER 8 @AndrewZ
            last edited by

            @andrewz It depends. For access to your LAN from the OVPN server, you need to have a rule on the general OpenVPN tab or on a specific OVPN interface to allow this.

            A 1 Reply Last reply Reply Quote 0
            • A
              AndrewZ @Bob.Dig
              last edited by

              @bob-dig said in LAN to local server rule?:

              for access to your LAN from the OVPN Server,

              I'm talking about the opposite.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @AndrewZ
                last edited by johnpoz

                @andrewz said in LAN to local server rule?:

                but the Gateway is set to a specific WAN group, not an asterisk.

                Then no, you wouldn't have access to, say, VPN clients, or a site-to-site VPN connection, or really any other, since you are policy routing and forcing all traffic out your gateway. Anything not reachable via that gateway would not be reachable.

                https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                A 1 Reply Last reply Reply Quote 0
                • A
                  AndrewZ @johnpoz
                  last edited by AndrewZ

                  @johnpoz
                  The problem is that I do have access to site-to-site without any explicit rule.
                  Only when I disabled the following rule did the remote VPN site become unreachable for my PC in LAN:
                  [Screenshot: Screenshot from 2021-06-18 10-41-48.png]

                  Edit: I thought that I may need to follow Assigning OpenVPN Interfaces, but that does not seem to be a solution - I still have the remote site reachable without an explicit rule for that. I have VPN servers bound to WAN (by default) and I cannot change WAN to VPN_s2s - the name I created as OpenVPN Interface. Not sure that is needed at all.

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @AndrewZ
                    last edited by

                    Dude, I have no idea what you're actually doing with 1 rule.. And talking of this or that - but no drawing or IP ranges..

                    Read the guide I linked to if you're going to policy route... If you want to get to xyz, where you're shoving traffic out a specific gateway - that gateway has to be able to get there, or there needs to be a rule above it that allows the traffic that either shoves it out the correct gateway or allows pfSense to use its routing table via no gateway being set on the rule.


                    1 Reply Last reply Reply Quote 0
                    • A
                      AndrewZ
                      last edited by

                      Solved by checking Disable Negate rules

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @AndrewZ
                        last edited by

                        @andrewz said in LAN to local server rule?:

                        Disable Negate rules

                        NOT the correct way to do it.. but OK.

                        "With Multi-WAN it is generally desired to ensure traffic reaches directly connected networks and VPN networks when using policy routing. This can be disabled for special purposes but it requires manually creating rules for these networks."


                        A 1 Reply Last reply Reply Quote 0
                        • A
                          AndrewZ @johnpoz
                          last edited by AndrewZ

                          @johnpoz said in LAN to local server rule?:

                          NOT the correct way to do it.. but OK.

                          Then please propose the better one.
                          Prior to the change I identified the passing rule:
                          [Screenshot: Screenshot from 2021-06-18 15-35-22.png]
                          192.168.5.0/24 is LAN, 192.168.101.0/24 is a subnet on the other site.
                          VPN_S2S is the interface added for ovpnsX according to Assigning OpenVPN Interfaces in the doc.

                          I see my current configuration to be in line with this Tip from the docs:
                          "The best practice is to create manual negation rules at the top of internal interfaces such as LAN. These rules should pass to local and VPN destinations without a gateway set on the rule, to honor the system routing table. "

                          1 Reply Last reply Reply Quote 0
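The mechanism johnpoz describes (a gateway set on the LAN pass rule forces matching traffic out that gateway, so anything the gateway cannot reach is lost unless a rule above it with no gateway set lets the system routing table decide) and the docs tip quoted in the last post can be modelled as a first-match walk over the rule list. The Python below is an added example written for this page; it is not pfSense's filter code and not the poster's configuration. The subnets are the thread's (192.168.5.0/24 LAN, 192.168.101.0/24 remote site), while the names VPN_S2S and WAN_GROUP, the routing table, the rule that a WAN gateway group only delivers to globally routable addresses, and the treatment of pfSense's automatic negate rules as an inserted no-gateway pass rule before each policy-routed rule are constructed assumptions and simplifications.

```python
"""Simplified first-match firewall model with policy routing.

Constructed example for the thread above, NOT pfSense's own filter code.
Networks follow the thread: 192.168.5.0/24 is LAN, 192.168.101.0/24 is the
remote site behind the OpenVPN site-to-site interface (here called VPN_S2S).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN = ip_network("192.168.5.0/24")
REMOTE_SITE = ip_network("192.168.101.0/24")
ANY = ip_network("0.0.0.0/0")

# Constructed routing table: longest-prefix match picks the egress interface.
ROUTES = {
    LAN: "LAN",
    REMOTE_SITE: "VPN_S2S",   # route learned from the site-to-site tunnel
    ANY: "WAN_GROUP",         # default route via the WAN gateway group
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str] = None   # None = honour the system routing table


def route_lookup(dst: IPv4Address) -> str:
    """Longest-prefix match over ROUTES."""
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def gateway_can_reach(gateway: str, dst: IPv4Address) -> bool:
    """Assumption: a WAN gateway group only delivers to globally routable
    addresses, so a private remote-site subnet forced out of it never arrives."""
    return dst.is_global


def negate_networks() -> List[IPv4Network]:
    """Directly connected and VPN networks that the automatic negate rules
    exempt from policy routing (derived from ROUTES here, not read from pfSense)."""
    return [n for n in ROUTES if n != ANY]


def expand_rules(rules: List[Rule], disable_negate: bool = False) -> List[Rule]:
    """Before each policy-routed rule, insert a no-gateway pass rule for the
    local and VPN networks unless 'Disable Negate rules' is set. This mimics
    the behaviour the docs describe; the real implementation differs in detail."""
    out: List[Rule] = []
    for r in rules:
        if r.gateway and not disable_negate:
            for n in negate_networks():
                out.append(Rule(f"auto-negate {n}", r.src, n, None))
        out.append(r)
    return out


def decide(rules: List[Rule], src: str, dst: str, disable_negate: bool = False) -> str:
    """First matching rule wins; no match means pfSense's default deny."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in expand_rules(rules, disable_negate):
        if src_ip in r.src and dst_ip in r.dst:
            if r.gateway is None:
                return f"pass via routing table -> {route_lookup(dst_ip)}"
            if gateway_can_reach(r.gateway, dst_ip):
                return f"pass via {r.gateway}"
            return f"pass via {r.gateway} -> unreachable"
    return "block (default deny)"


# The thread's starting point: a single LAN rule with a gateway group set.
POLICY_ONLY = [Rule("Default allow LAN to any", LAN, ANY, "WAN_GROUP")]

# The docs' best practice: a manual negation rule above it, no gateway set.
WITH_MANUAL_NEGATE = [
    Rule("Pass LAN to remote site (no gateway)", LAN, REMOTE_SITE, None),
    *POLICY_ONLY,
]

if __name__ == "__main__":
    pc, remote, public = "192.168.5.10", "192.168.101.20", "8.8.8.8"
    print("auto-negate on, remote site :", decide(POLICY_ONLY, pc, remote))
    print("auto-negate off, remote site:", decide(POLICY_ONLY, pc, remote, True))
    print("manual negate, remote site  :", decide(WITH_MANUAL_NEGATE, pc, remote, True))
    print("auto-negate off, internet   :", decide(POLICY_ONLY, pc, public, True))
```

Run stand-alone, the script shows the three states the thread passes through: with automatic negate rules the remote site is reached through the routing table even though only the gateway-group rule exists, with them disabled the same traffic is forced out the WAN group and never arrives, and a manual no-gateway rule placed above the policy rule restores reachability without relying on the automatic ones.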
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.