Netgate Discussion Forum
    OpenVPN Interface "net" not correct - bug?

    Category: Firewalling

      airforceixi

      Ran into an interesting situation today. I can't tell if this is expected behavior or if it's a bug. If this is in the wrong section, please move. Although I feel this teeters between multiple sections.

      When creating a firewall rule for an OpenVPN interface, selecting the "[INTERFACE] net" as the source or destination results in it providing only the interface's address, not the subnet. This is only the case when the OpenVPN server or client is configured as Peer to Peer. Remote Access will properly provide the entire tunnel subnet. I can confirm this in the rules in the console by running pfctl -sr.

      Example tunnel subnet: 172.16.203.0/30
      In Peer to Peer mode: pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.1 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074
      In Remote Access mode: pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.0/30 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074

      I'm running pfSense Plus 22.05 but also discovered this on 22.01. Is this a bug? If it is, I'll see if I can submit it to Redmine. If it's not, I'm interested in the logic behind this decision.

      Thanks!

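One way to catch this on a running box is to audit the loaded ruleset rather than trust what the GUI shows: parse pfctl -sr lines for OpenVPN interfaces and flag any rule whose source resolved to a single host inside the tunnel network instead of the network itself. The script below is an added example, not code from the poster or from pfSense; the two rule lines are taken from the post above, and the interface-to-tunnel-network mapping (TUNNEL_NETWORKS) is a hypothetical stand-in for what you would read from the OpenVPN instance settings.

```python
"""Audit pfctl -sr output for OpenVPN rules whose "[INTERFACE] net" macro
resolved to the interface address (a /32) instead of the tunnel subnet."""
import ipaddress
import re

# Two rule lines constructed from the forum post (Peer to Peer vs Remote Access).
SAMPLE_RULES = """\
pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.1 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074
pass in quick on ovpns5 reply-to (ovpns5 172.16.203.2) inet from 172.16.203.0/30 to any flags S/SA keep state label "USER_RULE: TESTRULE" label "id:1666896074" ridentifier 1666896074
"""

# Hypothetical mapping: OpenVPN interface -> configured tunnel network.
# On a real system this comes from the OpenVPN server/client settings.
TUNNEL_NETWORKS = {"ovpns5": ipaddress.ip_network("172.16.203.0/30")}

# Minimal pf rule grammar: direction, optional quick, interface, then "inet from X to Y",
# then the first label (pfSense puts the user-visible description there).
RULE_RE = re.compile(
    r'^pass\s+(?:in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)'
    r'.*?\binet6?\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'.*?label\s+"(?P<label>[^"]*)"'
)


def parse_rule(line):
    """Return the interface, source, destination and label of a pass rule, or None."""
    m = RULE_RE.search(line)
    if not m:
        return None
    return {"iface": m["iface"], "src": m["src"], "dst": m["dst"], "label": m["label"]}


def classify_source(src, tunnel_net):
    """'subnet' if src is exactly the tunnel network, 'host-in-tunnel' if it is one
    address inside it (the symptom in the post), otherwise 'other'."""
    if src == "any":
        return "other"
    net = ipaddress.ip_network(src, strict=False)  # bare address -> /32
    if net == tunnel_net:
        return "subnet"
    if net.num_addresses == 1 and net.network_address in tunnel_net:
        return "host-in-tunnel"
    return "other"


def audit(text, tunnel_networks=TUNNEL_NETWORKS):
    """Yield (label, iface, src, verdict) for every rule on a known OpenVPN interface."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["iface"] not in tunnel_networks:
            continue
        verdict = classify_source(rule["src"], tunnel_networks[rule["iface"]])
        findings.append((rule["label"], rule["iface"], rule["src"], verdict))
    return findings
```

Feed it the real output with something like `audit(subprocess.check_output(["pfctl", "-sr"], text=True))`; every "host-in-tunnel" finding is a rule that only matches the local tunnel endpoint, not the peer side.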