Netgate Discussion Forum

openvpn connections block and allow specific rule

General pfSense Questions
9 Posts 4 Posters 956 Views
rafaelvilelacosta94, Dec 14, 2022, 9:00 PM

    I have a user authenticated by OpenVPN on an OpenVPN server with a specific tunnel for this guy.

    After connecting, he only needs to be on the local network to access a specific server on a specific port, which is the database.

    How do I make the rule in pfSense to prevent this guy, who is in this VPN tunnel, from being able to ping or give a // to the other local servers?

    I wanted to block everything from that source and accept only the connection on the DB port of a specific server.

    Is it possible to do that?

    rafaelvilelacosta94 @rafaelvilelacosta94, Dec 14, 2022, 9:09 PM

      @rafaelvilelacosta94 Adding to make it clearer.

      I have the following problem.

      We had to release VPN access to a specific provider, so we created an OpenVPN server for him:
      local network 192.168.42.55/24, tunnel network 40.40.20.0/24.

      When logged into the VPN, this provider only needs access from this local network to the DB server 192.168.42.55 on port 61433.

      However, since we provide him with the VPN, he is on the local network where the server is located.

      I wanted to know if it is possible for me to block all his traffic and create a single specific rule: ALLOW HIM ONLY ACCESS TO THE SERVER 192.168.42.55 ON PORT 61433.

      This guy will probably use some tool to work in the database, so he would basically use the VPN just to be able to see the server on the local network and point the tool at the DB port.

      But I can't leave him free to give a //, ping, or do other things.

      Is it possible?

      rafaelvilelacosta94 @rafaelvilelacosta94, Dec 14, 2022, 9:12 PM

        @rafaelvilelacosta94 If I declare a drop without specifying the origin, the rule will also apply to the employees who are on another VPN server in another tunnel and drop everything. I need it to be specific only to the tunnel created for this guy's access.

        viragomann @rafaelvilelacosta94, Dec 14, 2022, 9:46 PM

          @rafaelvilelacosta94
          You can simply state the respective OpenVPN tunnel network as source in firewall pass rules on the OpenVPN tab for each server and allow destination IP and port as desired.

          rafaelvilelacosta94 @viragomann, Dec 14, 2022, 9:59 PM

            @viragomann [Screenshot: MicrosoftTeams-image (1).png]

            What is wrong?

            As I mentioned, there are two different OpenVPN servers in my pfSense with different tunnels, but it seems that pfSense doesn't understand the rule.
            chpalmer @rafaelvilelacosta94, Dec 14, 2022, 11:34 PM (edited Dec 14, 2022, 11:37 PM)

              @rafaelvilelacosta94

              Is that his LAN address or his public address? Remember he is coming in through a tunnel.

              [Image: openvpn.jpg]

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              stephenw10 (Netgate Administrator), Dec 15, 2022, 1:25 AM

                Remember the OpenVPN tab applies to all OpenVPN traffic so you need to tailor rules appropriately. If you assign the servers as interfaces you can apply rules to them separately.

                But that block rule has destination "LAN address", and it probably should be "LAN net", unless you only need to block access to the pfSense LAN IP specifically.

                If that ping had already been running a state might have existed before you added the rule and would not have been cleared.

                Steve

                rafaelvilelacosta94 @chpalmer, Dec 15, 2022, 1:38 AM

                  @chpalmer

                  192.168.42.0/24 LAN IP
                  40.40.20.0/24 TUNNEL NETWORK

                  rafaelvilelacosta94 @stephenw10, Dec 15, 2022, 2:08 AM

                    @stephenw10
                    Now it works, thanks to everyone. The rule ended up like this: blocking only with the source set to the virtual network the guy connects to, in this case 40.40.20.0/24.

                    The other OpenVPN server, for the company's employees, accesses everything normally via VPN.

                    Thanks! [Screenshot: Capturar.PNG]

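The three points the thread turns on (scope the rules to the provider's tunnel network as source; a block rule aimed at "LAN address" only covers the pfSense LAN IP, not the other hosts, so it should be "LAN net"; and a block with no source also hits the employees' tunnel) can be checked offline by modelling pfSense's top-down, first-match evaluation of the OpenVPN tab. The following is an added example written for this page, not pfSense code or anything posted in the thread. It uses the addresses the poster gave (tunnel 40.40.20.0/24, LAN 192.168.42.0/24, DB 192.168.42.55 tcp/61433); the pfSense LAN address 192.168.42.1, the employee tunnel 40.40.30.0/24, the sample client and server addresses, and a trailing allow-all rule of the kind the OpenVPN wizard creates are all assumptions made for the illustration.

```python
"""Model of first-match firewall rule evaluation on the pfSense OpenVPN tab.

Added example for the forum thread above; not pfSense's own code. All
addresses below other than the thread's (40.40.20.0/24, 192.168.42.0/24,
192.168.42.55:61433) are assumed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "any"

# Thread's addresses
PROVIDER_TUN = "40.40.20.0/24"      # provider's OpenVPN tunnel network
LAN_NET = "192.168.42.0/24"         # "LAN net" in pfSense terms
DB_HOST = "192.168.42.55/32"
DB_PORT = 61433
# Assumed for the example
EMPLOYEE_TUN = "40.40.30.0/24"      # employees' OpenVPN tunnel network (assumed)
LAN_ADDRESS = "192.168.42.1/32"     # pfSense's own LAN IP, i.e. "LAN address" (assumed)


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    proto: str                      # "any", "tcp", "udp", "icmp"
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dport: Optional[int] = None     # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in(net: str, addr: str) -> bool:
    return net == ANY or ip_address(addr) in ip_network(net, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != ANY and rule.proto != pkt.proto:
        return False
    if not (_in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def decide(rules: List[Rule], pkt: Packet) -> str:
    """pfSense evaluates a tab top-down; the first matching rule wins.
    With no match the implicit default is deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


# Rule set the thread converged on: pass the DB port, then block the
# provider's tunnel from the whole LAN, then let employees through.
RULES_SCOPED = [
    Rule("pass", "tcp", PROVIDER_TUN, DB_HOST, DB_PORT),
    Rule("block", ANY, PROVIDER_TUN, LAN_NET),
    Rule("pass", ANY, EMPLOYEE_TUN, ANY),
]

# The poster's worry: a block with no source also catches the employees.
RULES_UNSCOPED_BLOCK = [
    Rule("pass", "tcp", PROVIDER_TUN, DB_HOST, DB_PORT),
    Rule("block", ANY, ANY, LAN_NET),
    Rule("pass", ANY, EMPLOYEE_TUN, ANY),
]

# stephenw10's point: blocking "LAN address" only covers pfSense's own IP,
# so a later allow-all (assumed, wizard-style) lets everything else through.
RULES_LAN_ADDRESS_BLOCK = [
    Rule("pass", "tcp", PROVIDER_TUN, DB_HOST, DB_PORT),
    Rule("block", ANY, PROVIDER_TUN, LAN_ADDRESS),
    Rule("pass", ANY, ANY, ANY),
]

# Constructed sample traffic (client and server addresses assumed).
SAMPLES = {
    "provider_db": Packet("tcp", "40.40.20.6", "192.168.42.55", DB_PORT),
    "provider_ping": Packet("icmp", "40.40.20.6", "192.168.42.10"),
    "provider_smb": Packet("tcp", "40.40.20.6", "192.168.42.10", 445),
    "provider_pfsense": Packet("icmp", "40.40.20.6", "192.168.42.1"),
    "employee_smb": Packet("tcp", "40.40.30.8", "192.168.42.10", 445),
}


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Map each sample flow name to the action the rule set gives it."""
    return {name: decide(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("scoped", RULES_SCOPED),
                         ("unscoped block", RULES_UNSCOPED_BLOCK),
                         ("LAN address block", RULES_LAN_ADDRESS_BLOCK)):
        print(label, outcomes(rules))
```

The model only covers rule matching. Two things it does not capture are worth remembering from the thread: the OpenVPN tab is shared by every OpenVPN instance, so assigning each server as its own interface is the clean way to keep rule sets apart; and pf is stateful, so a connection or ping that was already running when the block rule was added keeps working until its state is cleared (Diagnostics > States in the GUI, or `pfctl -k 40.40.20.0/24` from the shell to kill states from that source).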
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.