    "This firewall" LDAP FW Rule Out on Split Tunnels

    ToTalChaos1010:

      I have 5 interfaces, 1 WAN, 1 LAN, and 3 VPN (in a routing group). I want User Manager to utilize JumpCloud LDAP (previously configured and working) for logins. Seems JumpCloud has changed to AWS, and it no longer works over VPN.

      How would I bypass port 636 on the 3 VPN interfaces out and only use the WAN? Floating Rules, LAN Rules, multiple rules on the VPN interfaces, all will not work. When I disable the 3 VPNs, it all works flawlessly. When I enable them, the port 636 traffic seems to go to the 3 VPNs. I've even gone as far as creating a floating rule allowing all out, on the VPN interfaces only, to no avail.

      Just want the router to send port 636 from itself (not the LAN) over the WAN. So frustrating. LAN was simple.

      viragomann @ToTalChaos1010:

        @totalchaos1010
        So I assume, the gateway group is your default route.

        If you want pfSense to go out another gateway than the default, add a static route for the destination address.

        ToTalChaos1010 @viragomann:

          @viragomann Thanks for the reply. A logical resolution indeed, but that is a little difficult since we are talking about AWS here and a good 4000 IP addresses. I already have the block downloaded into pfBlocker from my earlier attempts. But I cannot set a static route to 4000 IP addresses, and aliases are not available in that scenario.

          I am used to bypassing VPNs and using the outgoing WAN no problem, but how does one do split tunnels from the firewall itself? So baffling.

          viragomann @ToTalChaos1010:

            @totalchaos1010
            I see. I was thinking about a static IP for the service.

            pfSense uses the routing table for outbound traffic.
            Maybe you can policy route the traffic with a 'Quick' floating rule assigned to all VPN interfaces for direction 'out', from source 'this firewall' and destination port 636, but I've never done something like this.

            Otherwise the only option might be to policy route all the other traffic over the VPNs.

            ToTalChaos1010 @viragomann:

              @viragomann We think alike, and that is exactly what I did. Floating rule, quick, selected the VPN interfaces, out, source port any, dest port 636, IP any, etc. Sent the rule to the top. States showed traffic when the LDAP test was performed in User Manager, and it once again fails because the outgoing interface is a VPN interface.

              Was thinking creating a port alias, and bypassing that alias in LAN but the traffic never hits the LAN interface. It's coming direct from pfSense.

              ToTalChaos1010:

                Solution: Grabbed a few IPs of the LDAP server, created a host override in DNS Resolver, and added a static route over the WAN to these IPs. Worked like a charm.

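The thread's underlying point is that traffic the firewall itself originates is not subject to policy-routing rules; it simply follows the routing table, so the fix is a longest-prefix match that wins over the default route. The added example below (not from the thread or from pfSense) models that lookup: a default route via the VPN gateway group, /32 static routes via WAN for the pinned LDAP IPs, and a check showing why the host override matters, since any address the resolver returns that is not pinned silently falls back to the VPN path. All addresses and names are constructed placeholders.

```python
import ipaddress

# Constructed gateway labels standing in for the thread's setup.
VPN_GROUP = "vpn_gateway_group"   # default route (the gateway group)
WAN = "wan"                       # where port 636 should leave

# Constructed host override: LDAP hostname pinned to a few known IPs.
HOST_OVERRIDE = {"ldap.example.invalid": ["203.0.113.10", "203.0.113.11"]}


def build_routes(pinned_ips, default_gw=VPN_GROUP, static_gw=WAN):
    """Routing table: default via the VPN group, plus a /32 static route
    via WAN for every pinned LDAP address."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), default_gw)]
    for ip in pinned_ips:
        routes.append((ipaddress.ip_network(f"{ip}/32"), static_gw))
    return routes


def egress_for(dst, routes):
    """Longest-prefix match: the only thing firewall-originated traffic
    consults. Firewall rules on interfaces never see this decision."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def ldap_egress_report(hostname, resolver_answers, overrides, routes):
    """Map each address the resolver would hand the firewall to the gateway
    it egresses through. With the override in place only pinned IPs are
    returned; without it, a fresh AWS address falls back to the VPN group."""
    answers = overrides.get(hostname, resolver_answers)
    return {ip: egress_for(ip, routes) for ip in answers}


if __name__ == "__main__":
    routes = build_routes(HOST_OVERRIDE["ldap.example.invalid"])
    # Constructed upstream answer including an address that is not pinned.
    upstream = ["203.0.113.10", "198.51.100.7"]
    print("with override:", ldap_egress_report("ldap.example.invalid", upstream, HOST_OVERRIDE, routes))
    print("without override:", ldap_egress_report("ldap.example.invalid", upstream, {}, routes))
```

On a live pfSense box the equivalent check is to confirm, after adding the static routes, that the resolver's answer for the LDAP hostname only ever contains the pinned addresses.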