Limit access to (Open)VPN + Outbound NAT
-
Hello,
I have a pretty straightforward scenario where my LAN connects to remote hosts and networks (±100 routes) via a S2S OpenVPN (pfSense is the client).
| LAN | ——> | PFSENSE | ——> | OPENVPN |
I’m trying to limit access from LAN to the VPN (remote networks) using a FW rule and allow access only from specific hosts, but I can’t find the right combination. I tried to create a blocking in/out rule on the LAN interface, VPN interface and also a floating rule.
There’s of course no point to create an “in” rule on the OVPN interface, but I desperately tried it anyway. I think the right rule would be either a floating “out” one attached to the OVPN interface or a LAN “in” rule allowing a specific source and then dropping anything else.
Such rules drop the access to the VPN completely. I reviewed logs and states, and then realized that (outbound) NAT is processed before the FW. That basically blocks my tunnel IP address (at least it seems so).
What would be the best way to limit the access from LAN to OVPN just to a few hosts?
-
@mgi
Assuming you still have the default LAN allow-any-to-any rule in place, I would block the desired parts of the LAN this way:
Create an IP alias and add all LAN IPs to it which you want to permit access to the remote site.
Then add a block rule to the top of the LAN rule set and state this alias as source with invert checked. At destination, state the remote network (or an alias with all networks included that you route to the remote site in the VPN settings).
This means, then, that all IPs not contained in the source alias are blocked. The allow-any-to-any will pass the rest.
-
Thanks for coming back.
That was one of the approaches I tried, but it didn't work. The access to the VPN was blocked.
Anyway, I scrapped everything and started from scratch. I created a block rule attached to the LAN where the src is an inverted list of a few hosts, and the destination is a list of hosts and networks routed via the VPN. This time, everything works great, and the access is allowed/blocked as it should be.
I'm not aware of doing anything wrong before, so I'm not sure why that didn't work. Maybe I just did something foolish that I didn't spot.
I was hoping to cover this with a floating rule. That doesn't seem to be an option after reading about how the flow is processed in pfSense. I will have to replicate the rule across different interfaces.
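For reference, here is the LAN "in" block rule described in the answer above (and confirmed as working in the last post) written out in the pf.conf syntax that pfSense generates from its GUI rules. This is an added illustration, not a rule set from the thread or from the pfSense project; the interface macro, table names and all addresses are constructed placeholders, and the tables stand in for the GUI aliases (pfSense compiles an alias into a pf table).

```pf
# Constructed example: restrict LAN access to the S2S OpenVPN networks
# to a short list of hosts. Names and addresses are placeholders.

lan_if  = "igb1"                      # assumed LAN interface
lan_net = "192.168.1.0/24"            # assumed LAN subnet

# Alias "vpn_allowed": the only LAN hosts permitted to reach the remote site
table <vpn_allowed> { 192.168.1.10 192.168.1.11 }

# Alias "remote_nets": every network routed through the OpenVPN tunnel
# (in practice the ~100 routes pushed by / configured for the S2S tunnel)
table <remote_nets> { 10.10.0.0/16 172.16.50.0/24 }

# 1) Block rule at the TOP of the LAN rule set, source alias with "invert" checked.
#    "!" is how pf expresses the GUI's inverted source; "quick" makes it final,
#    which is what pfSense does for every interface rule.
block in quick on $lan_if inet from ! <vpn_allowed> to <remote_nets>

# 2) The stock LAN allow-any-to-any rule passes everything else,
#    including the vpn_allowed hosts going to the remote networks.
pass in quick on $lan_if inet from $lan_net to any keep state

# Why the "out on the VPN interface" variant failed: outbound NAT is applied
# before filtering on the egress interface, so an "out" rule on the OpenVPN
# interface sees the translated tunnel address as the source, never the
# original LAN host. With an inverted LAN-host source, that translated
# address matches "not in the list" and the rule blocks the whole tunnel.
```

The rule must be evaluated on the interface where the untranslated source is still visible, i.e. LAN "in", which is why a floating "out" rule on the VPN interface cannot express a per-LAN-host policy once outbound NAT to the tunnel address is in place. If several LAN-side interfaces need the same restriction, the block rule is repeated per interface, as the last post notes.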