Netgate Discussion Forum

    Firewall rules for VPN not routing

    Firewalling
      NotAHacker

      Hello,

      I have a couple of computers on my network that I like to run through a VPN. I have had this working for a year or two under different scenarios. Today, I decided to stop using the separate ports on my Protectli (software switching) and put in a mini flex switch instead. I finally got all of my VLANs set up and things seemed to be back to normal...except my VPN rules. I have a rule under a VLAN that should pass traffic from the alias computers to the WireGuard gateway and tag it with "vpntraffic". I also have a floating rule to block all traffic tagged as "vpntraffic".

      After getting everything set up, I remoted into one of the computers to verify whether it was using the VPN. When I checked online, the IP was from my home. I decided to change the rule so that the default gateway was chosen, and the traffic still got out to the internet. The floating rule should have blocked the traffic. I changed the rule again to block all traffic for that alias. I am still getting to the internet.

      I am running pfSense+ on 23.09. I have reset the states table and have rebooted a few times. I am not sure how I would troubleshoot this and not sure what information I need to provide. Thank you!!

      Screenshot 2023-11-26 at 19.36.14.png

        viragomann @NotAHacker

        @NotAHacker
        I'm wondering what rule the screenshot is showing. It might be neither the tagging rule on the interface nor the floating block rule.

        Anyway, since it didn't get any hits, I assume no packet from an IP in the VPNClients alias was arriving at this interface.
        So possibly the rule is on the wrong interface?

          NotAHacker @viragomann

          @viragomann

          It is the rule on the VLAN interface called [MY]Office, which is on the 192.168.69.X subnet. One of the computers in VPNClients is 192.168.69.104. The first time I set up the VLAN, pfBlocker did not add a rule to the interface. When I deleted the interface and recreated it, the pfBlocker rule showed up.

          Screenshot 2023-11-28 at 18.30.35.png

          I am not sure how I can troubleshoot where the client is getting its internet from and how it is bypassing the rule.

            viragomann @NotAHacker

            @NotAHacker
            So you're saying that client is a member of the alias, can only use IPv4, and the rule isn't applied?
            The only other possibilities are other pass rules which are evaluated before it, e.g. floating or interface group rules. Are there any?

              NotAHacker @viragomann

              @viragomann

              I do not have IPv6 enabled anywhere. Here is the Floating rule I have:

              Screenshot 2023-11-28 at 19.29.01.png

              The interface group which was autocreated, called "WireGuard", does not have any rules in it.

              All this was working just fine when I used the extra port on my Protectli box. But I read somewhere that a software switch is not as efficient as a hardware switch, and since I had a hardware switch lying around, I thought I would use that. Also, this meant I needed one less VLAN, since my wired and wireless VLANs could be grouped into one interface.

              Thanks!

                viragomann @NotAHacker

                @NotAHacker
                As I said already, there isn't any packet hitting this pass rule with the VPNClients alias as source.

                So for troubleshooting I would sniff the traffic on this interface and see if the packets are coming in there. If not, check the other interfaces.
                Or if you have just a handful of pass rules, enable logging in each, ensure each has a unique name, and then check the firewall log to see which rule is triggered.

                  NotAHacker @viragomann
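Added example, not part of the thread: a small Python script that does the log-checking step described above for anyone who prefers the raw log over the GUI. It parses pfSense filterlog lines (the CSV format written to /var/log/filter.log), counts per rule tracker ID how many logged packets came from the VPNClients hosts, and flags any that matched a rule other than the expected one (for instance the interface's default allow rule). The log lines, tracker IDs, interface names and the tracker-to-description map are constructed for the example; on a real system the mapping comes from the rule tracker IDs shown in Firewall > Rules, or from `pfctl -vvsr`, which prints each rule's ridentifier and label.

```python
"""Summarise which pfSense rule each logged packet from a set of hosts matched.

Added example for this thread, not pfSense code.  Parses raw filterlog lines
and groups hits by rule tracker ID so it is visible whether traffic from the
VPNClients hosts hits the rule you expect or some other pass rule.
"""
import re
from collections import defaultdict

# Constructed: tracker ID -> rule description (hence the advice to give every
# logged rule a unique name).
RULE_NAMES = {
    "1700000001": "Floating: block tagged vpntraffic",
    "1700000002": "OFFICE: VPNClients to WireGuard",
    "1700000003": "OFFICE: Default allow to any",
}
VPN_CLIENTS = {"192.168.69.104", "192.168.69.105"}   # constructed alias members
EXPECTED = "1700000002"                              # rule the alias hosts should hit

# Constructed sample lines in pfSense filterlog format (IPv4 tcp/udp/icmp).
SAMPLE_LOG = """\
Nov 29 10:01:01 pfSense filterlog[2345]: 81,,,1700000003,igc1.69,match,pass,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.69.104,142.250.80.46,51234,443,0,S,1234567,,64240,,mss
Nov 29 10:01:02 pfSense filterlog[2345]: 80,,,1700000002,igc1.69,match,pass,in,4,0x0,,64,1235,0,DF,17,udp,76,192.168.69.105,1.1.1.1,40000,53,56
Nov 29 10:01:03 pfSense filterlog[2345]: 81,,,1700000003,igc1.69,match,pass,in,4,0x0,,64,1236,0,DF,6,tcp,60,192.168.69.50,93.184.216.34,51235,80,0,S,7654321,,64240,,mss
Nov 29 10:01:04 pfSense filterlog[2345]: 5,,,1700000001,igc0,match,block,out,4,0x0,,63,1237,0,DF,1,icmp,84,192.168.69.104,8.8.8.8,request,1,1
"""

FILTERLOG = re.compile(r"filterlog\[\d+\]:\s*(?P<fields>.+)$")


def parse_line(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one.

    IPv4 field order: rule, sub-rule, anchor, tracker, interface, reason,
    action, direction, ip-version, tos, ecn, ttl, id, offset, flags,
    protocol-id, protocol, length, source, destination, then protocol-specific
    fields (source and destination port for tcp/udp).  IPv6 lines have a
    different layout and are skipped here.
    """
    m = FILTERLOG.search(line)
    if not m:
        return None
    f = m.group("fields").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "direction": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = f[20], f[21]
    return rec


def audit(lines, clients=VPN_CLIENTS, expected=EXPECTED, names=RULE_NAMES):
    """Count, per rule, the logged packets whose source is in `clients`.

    Returns (hits, unexpected): hits maps rule description -> count, and
    unexpected lists the records where an alias host matched a rule other
    than `expected`, which is exactly what to look at when the VPN rule
    shows zero hits while the hosts still reach the internet.
    """
    hits = defaultdict(int)
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in clients:
            continue
        name = names.get(rec["tracker"], f"unknown tracker {rec['tracker']}")
        hits[name] += 1
        if rec["tracker"] != expected:
            unexpected.append(rec)
    return dict(hits), unexpected


if __name__ == "__main__":
    hits, unexpected = audit(SAMPLE_LOG.splitlines())
    for name, n in sorted(hits.items()):
        print(f"{n:3d}  {name}")
    for rec in unexpected:
        print("unexpected:", rec["src"], "->", rec["dst"], rec["action"],
              rec["direction"], "on", rec["iface"], RULE_NAMES.get(rec["tracker"]))
```

Run it against a copy of filter.log instead of SAMPLE_LOG to see the real distribution; a count against the interface's default allow rule for an alias host means that host's packets are arriving on the interface but falling through the VPN rule.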

                  @viragomann

                  Thank you for taking the time to walk me through this! I did some sniffing and it was all going through the correct interface. So I looked further into it and I found the issue. And what a simple, stupid mistake I made!!

                  Screenshot 2023-11-29 at 10.14.20.png

                  I had put "vpntraffic" into Tagged, not Tag. It is funny how these little things get away from me sometimes.

                  Also, your username sounded familiar, so I looked at my history and you helped me 2.5 years ago with a VPN issue. Thank you for continuing to help people out and for being patient!!

                    viragomann @NotAHacker
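To make the Tag/Tagged point concrete, here is an added Python model written for this editorial pass (not pf's code and not from anyone in the thread) of how pf treats the two fields: Tag marks a packet when the rule matches, Tagged makes the rule match only packets already carrying that mark. With "vpntraffic" in Tagged, the OFFICE pass rule can never match untagged traffic from the clients, so the interface's default allow rule passes it out via the default gateway, and the floating block rule (also keyed on Tagged) never sees a tagged packet either. That reproduces every symptom from the first post, including the later attempt at a block rule for the alias. The interface, gateway and alias names are made up; the model reduces pf to ordered evaluation, pfSense's implicit quick on interface rules, floating rules first, sticky tags, route-to, and pfSense's fallback to the default gateway when a rule's gateway is down.

```python
"""Toy model of pf 'tag' vs 'tagged' for the rules in this thread.

Added illustration, NOT pf's code.  It keeps only the semantics that matter
here and treats pfSense's default deny (inbound) and default pass-out
(outbound) as the fallbacks when no rule matches.  Names are made up.
"""
from dataclasses import dataclass
from typing import Optional

VPN_CLIENTS = frozenset({"192.168.69.104", "192.168.69.105"})  # constructed alias


@dataclass
class Rule:
    name: str
    iface: str                         # interface the rule is bound to
    direction: str                     # "in" or "out"
    action: str                        # "pass" or "block"
    src: Optional[frozenset] = None    # allowed source IPs; None means any
    tag: Optional[str] = None          # Tag field: mark matching packets
    tagged: Optional[str] = None       # Tagged field: match only already-marked packets
    quick: bool = True                 # pfSense adds quick to interface rules
    gateway: Optional[str] = None      # policy-routing gateway (route-to)


@dataclass
class Packet:
    src: str
    tag: Optional[str] = None
    gateway: str = "WAN_GW"            # default route unless a rule overrides it


def evaluate(rules, pkt, iface, direction):
    """One pf pass over the ruleset; returns the winning rule or None.

    Tags are sticky: a rule with a Tag marks the packet as soon as it
    matches, even if a later rule becomes the final match (pf.conf(5)).
    """
    winner = None
    for r in rules:
        if (r.iface, r.direction) != (iface, direction):
            continue
        if r.src is not None and pkt.src not in r.src:
            continue
        if r.tagged is not None and pkt.tag != r.tagged:
            continue
        if r.tag is not None:
            pkt.tag = r.tag
        winner = r
        if r.quick:
            break
    return winner


def build_rules(mode):
    """Ruleset from the thread in evaluation order (floating rules first).

    mode "tag":          correct, the pass rule marks traffic with vpntraffic
    mode "tagged":       the mistake, the pass rule only matches marked traffic
    mode "tagged_block": the later attempt, a block rule for the alias, still Tagged
    """
    kill_switch = Rule("Floating: block tagged vpntraffic on WAN",
                       "WAN", "out", "block", tagged="vpntraffic")
    if mode == "tag":
        vpn = Rule("VPNClients to WireGuard", "OFFICE", "in", "pass",
                   src=VPN_CLIENTS, tag="vpntraffic", gateway="WG_GW")
    elif mode == "tagged":
        vpn = Rule("VPNClients to WireGuard", "OFFICE", "in", "pass",
                   src=VPN_CLIENTS, tagged="vpntraffic", gateway="WG_GW")
    else:
        vpn = Rule("Block VPNClients", "OFFICE", "in", "block",
                   src=VPN_CLIENTS, tagged="vpntraffic")
    default_allow = Rule("Default allow OFFICE to any", "OFFICE", "in", "pass")
    return [kill_switch, vpn, default_allow]


def simulate(mode, wg_up=True, src="192.168.69.104"):
    """Push one packet from an OFFICE host through inbound, then outbound, filtering."""
    rules = build_rules(mode)
    pkt = Packet(src)
    hit = evaluate(rules, pkt, "OFFICE", "in")
    if hit is None or hit.action == "block":
        return "blocked on OFFICE"                # pfSense's implicit default deny
    if hit.gateway is not None:
        # Unless "Skip rules when gateway is down" is set, pfSense sends the
        # traffic via the default gateway when the rule's gateway is down.
        pkt.gateway = hit.gateway if wg_up else "WAN_GW"
    egress = "WG" if pkt.gateway == "WG_GW" else "WAN"
    out = evaluate(rules, pkt, egress, "out")
    if out is not None and out.action == "block":
        return f"blocked on {egress}"
    return f"passed via {egress}"                 # modelled default pass-out


if __name__ == "__main__":
    for mode, up in (("tagged", True), ("tagged_block", True), ("tag", True), ("tag", False)):
        print(f"{mode:13s} wg_up={up!s:5s} -> {simulate(mode, up)}")
```

The "tag" run with wg_up=False is the case the floating rule exists for: once the pass rule actually tags the traffic, a WireGuard outage makes pfSense fall back to the default gateway and the kill switch on WAN blocks the tagged packets instead of leaking them.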

                    @NotAHacker
                    Such little mistakes may happen. But nice that you got it sorted.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.