Firewall Rules are getting ignored - What am I missing?
-
Hello everyone,
I have a VPS server hosted in a datacenter. To have a secure connection to this server (e.g. sending logs to Graylog) I wanted to set up my pfSense to connect to this VPN server.
Everything is working great. On my VPS I created the VPN server with this script: https://markontech.com/sysadmin/install-openvpn-server-on-debian-10-11/ (I just changed 10.8.0 to 172.45.0 because I already use 10.8.0 somewhere else). Then I altered the config to have another IP address:
auto eno0:1
iface eno0:1 inet static
    address 172.50.0.1
    netmask 255.255.255.0
Which means these are the settings of /etc/openvpn/server.conf:
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 172.45.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
push "route 172.50.0.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_c5oXyMh8FitcTXD1.crt
key server_c5oXyMh8FitcTXD1.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
route 192.168.0.0 255.255.255.0
status /var/log/openvpn/status.log
verb 3
/etc/openvpn/ccd/pfSense is filled with this:
ifconfig-push 172.45.0.20 255.255.255.0
iroute 192.168.0.0 255.255.255.0
The following is set up on pfSense:
What's surprising me is that blocking firewall rules are getting ignored! What I wanted is that every connection from home to the VPS is allowed, and every connection from the VPS to my home network is blocked except two ports for logging and monitoring. So I set the floating rule
You can see I've got a couple more site-to-sites where it's working. But in this constellation it doesn't. Did I miss something?
Thanks in advance!
Cheers,
Gamie
-
172.45.0.0/24, 172.50.0.0/24, 172.40.0.0/24
You are using public IP space, RFC1918 is 172.16.0.0/12 (172.16.0.0 to 172.31.255.255).
Rico
-
@rico Oh my God
You're right!! Now I'm embarrassed. I'll change that as quickly as possible.
But that can't be the reason for the ignored rules, right?
-
Heyho,
After a lot of digging in my states I found the solution. Just an update: the VPN transfer network is 192.168.2.0/24 and the virtual NIC on the server got 192.168.10.2/24. After letting a ping happen I saw the state:
192.168.2.1 -> 192.168.0.1
and then it clicked! In this case it sees the connection from the transfer net, not the virtual IP. Building the correct floating rules made everything happen like I want it.
But thanks again for the hint about RFC1918! I was so deep in the subnetting that I overlooked that :(
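As an added illustration of the two lessons in this thread (Rico's RFC1918 point and the state-table observation in the last post), the following Python script is not from the thread's participants or from pfSense itself. It checks a list of networks against RFC1918 and then evaluates constructed `pfctl -ss`-style state lines against a simplified floating rule set, once keyed on the VPS's virtual NIC network (192.168.10.0/24) and once on the VPN transfer net (192.168.2.0/24). The interface name `ovpnc1`, the ports and the state lines are constructed for the demo, and the first-match, default-pass evaluation is a deliberate simplification of pf's rule processing (it behaves like rules marked "quick").

```python
import ipaddress
import re
from collections import namedtuple

# RFC1918 private address space, the point Rico raised in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def non_rfc1918(networks):
    """Return the entries of `networks` that lie outside RFC1918 space."""
    return [n for n in networks
            if not any(ipaddress.ip_network(n, strict=False).subnet_of(p) for p in RFC1918)]

# A simplified floating rule: first matching rule wins (like a pf rule with "quick");
# dport None means "any port". Networks are kept as strings so the tables read like the GUI.
Rule = namedtuple("Rule", "action src dst dport")
State = namedtuple("State", "ifname proto src sport dst dport")

# First attempt, as in the thread: rules keyed on the VPS's virtual NIC network
# (192.168.10.0/24), which never shows up as a source in the pf state table.
WRONG_RULES = [
    Rule("pass",  "192.168.10.0/24", "192.168.0.0/24", 514),   # syslog to the log server
    Rule("pass",  "192.168.10.0/24", "192.168.0.0/24", 1514),  # monitoring agent (constructed port)
    Rule("block", "192.168.10.0/24", "192.168.0.0/24", None),  # everything else from the VPS
]
# Corrected rules key on the VPN transfer net (192.168.2.0/24) that the states actually show.
FIXED_RULES = [Rule(r.action, "192.168.2.0/24", r.dst, r.dport) for r in WRONG_RULES]

# Constructed state lines in the shape of `pfctl -ss` output (interface name is assumed).
# "src -> dst" is an outbound state, "dst <- src" an inbound one.
STATES = """\
ovpnc1 icmp 192.168.2.1:2302 -> 192.168.0.1:2302       0:0
ovpnc1 tcp 192.168.2.1:41022 -> 192.168.0.10:514       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 192.168.2.1:41030 -> 192.168.0.10:22       ESTABLISHED:ESTABLISHED
ovpnc1 udp 192.168.10.2:1514 <- 192.168.0.50:55000       MULTIPLE:MULTIPLE
"""

STATE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(->|<-)\s+(\S+):(\d+)")

def parse_state(line):
    """Parse one state line into a State, or return None for lines that don't match."""
    m = STATE_RE.match(line)
    if not m:
        return None
    ifname, proto, a, aport, arrow, b, bport = m.groups()
    if arrow == "->":
        src, sport, dst, dport = a, aport, b, bport
    else:  # "dst <- src": the packet originator is on the right-hand side
        src, sport, dst, dport = b, bport, a, aport
    return State(ifname, proto, ipaddress.ip_address(src), int(sport),
                 ipaddress.ip_address(dst), int(dport))

def evaluate(rules, st, default="pass"):
    """First-match evaluation of a state against the rule list."""
    for r in rules:
        if (st.src in ipaddress.ip_network(r.src) and st.dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or st.dport == r.dport)):
            return r.action
    return default  # no rule matched; the demo assumes the traffic is then passed

def audit(rules, state_text):
    """Return (src, dst, dport, action) for every parseable state line."""
    result = []
    for line in state_text.splitlines():
        st = parse_state(line)
        if st is not None:
            result.append((str(st.src), str(st.dst), st.dport, evaluate(rules, st)))
    return result

def unmatched_sources(rules, state_text):
    """Source addresses seen in the states that no rule's source network covers.

    A VPN-side source showing up here is exactly the symptom from the thread: the rules
    are written for a network that never appears as a source, so they never fire.
    """
    covered = [ipaddress.ip_network(r.src) for r in rules]
    seen = set()
    for line in state_text.splitlines():
        st = parse_state(line)
        if st is not None and not any(st.src in net for net in covered):
            seen.add(str(st.src))
    return sorted(seen)

if __name__ == "__main__":
    print("non-RFC1918 networks:", non_rfc1918(["172.45.0.0/24", "172.50.0.0/24", "172.40.0.0/24"]))
    for label, rules in (("wrong", WRONG_RULES), ("fixed", FIXED_RULES)):
        print(f"[{label}] sources no rule covers: {unmatched_sources(rules, STATES)}")
        for src, dst, dport, action in audit(rules, STATES):
            print(f"  {src} -> {dst}:{dport}  {action}")
```

Run against the wrong rule set, every VPS-originated state is passed and 192.168.2.1 is reported as a source no rule covers; with the corrected rule set the SSH and ping states from the transfer net are blocked while the two logging ports still pass, and only the home-side source 192.168.0.50 remains uncovered, which is intended because home-to-VPS traffic is meant to be allowed. On a live pfSense the same check can be done by hand with `pfctl -ss` and comparing the source column against the rule's source network.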