firewall ruleset for different tenants to grant access to their subnets/services
-
Hi folks,
I run pfSense as a border router/firewall/OVPN gateway for multiple tenants, let's call them group A and B.
I run two OVPN servers on this firewall; the users of group A and B connect to their OVPN service respectively, let's say one service on WAN-IP:1194 and the second on WAN-IP:1195.
I used the approach of assigned OVPN interfaces as mentioned in the docs, so I can filter traffic for group A and B individually on their respective firewall tab.
I need guidance on how to set up the rule sets on the firewall to grant group A access only to their subnet of services (e.g. 192.168.1.0/24) and isolate that OVPN traffic from entering the subnet of group B (e.g. 192.168.2.0/24).
What I've learned so far from the docs:
Processing order of FW rules is:
- "OpenVPN Tab": delete rules like "allow any to any", as this would match any OVPN traffic of any OVPN service and then not process the subordinate rules on the individual FW rules tabs.
In the docs it states "Rules on assigned interface tabs are processed after rules on the OpenVPN tab. To match the rules on an assigned VPN tab, the traffic must not match any rules on the OpenVPN tab. Remove any “Allow All” or “Block all” style rules from the OpenVPN tab and craft more specific rules instead."
So what would these rules on the general OVPN tab look like, and how do I go from here? How can I differentiate traffic from OVPN service 1 from service 2?
Any help is greatly appreciated, thanks in advance!
- "OpenVPN Tab": delete rules like "allow any to any", as this would match any OVPN traffic of any OVPN service and then not process the subordinate rules on the individual FW rules tabs.
-
When you defined the OVPN, you specified an IP range to assign the incoming connection. By default, traffic OUT of those ranges is allowed and the traffic IN to the subnets/VLAN is BLOCKED. Simply go to each of the subnets and ALLOW traffic from the OVPN ranges appropriately.
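A small model of the rule-evaluation order discussed in this thread, added here as an example and not pfSense's own code: the OpenVPN group tab is checked before the assigned interface tabs, the first matching rule decides, and no match means block. The tunnel networks and the interface names OVPN_A/OVPN_B are assumptions; it shows why an "allow any" on the OpenVPN tab defeats the per-tenant isolation.

```python
import ipaddress

# Assumed tunnel networks for the two OpenVPN servers (not from the thread)
TUNNEL_A = ipaddress.ip_network("10.10.1.0/24")   # server on :1194, assigned iface OVPN_A
TUNNEL_B = ipaddress.ip_network("10.10.2.0/24")   # server on :1195, assigned iface OVPN_B
SUBNET_A = ipaddress.ip_network("192.168.1.0/24")  # group A services (from the thread)
SUBNET_B = ipaddress.ip_network("192.168.2.0/24")  # group B services (from the thread)

def rule(action, iface, src="any", dst="any"):
    return {"action": action, "iface": iface, "src": src, "dst": dst}

def _matches(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in net

def evaluate(tabs, iface, src, dst):
    """tabs: ordered list of (tab_name, [rules]); the OpenVPN tab must come first."""
    for tab, rules in tabs:
        for r in rules:
            # A rule on the OpenVPN tab sees traffic from every OpenVPN server;
            # a rule on an assigned tab only sees packets from its own interface.
            if r["iface"] not in ("OpenVPN", iface):
                continue
            if _matches(r["src"], src) and _matches(r["dst"], dst):
                return r["action"]          # first match wins
    return "block"                          # default deny

# Per-tenant rules: each assigned tab permits only its own tunnel -> own subnet.
SPECIFIC = [
    ("OpenVPN", []),                        # nothing on the group tab
    ("OVPN_A", [rule("pass", "OVPN_A", TUNNEL_A, SUBNET_A)]),
    ("OVPN_B", [rule("pass", "OVPN_B", TUNNEL_B, SUBNET_B)]),
]
# The configuration the docs warn about: an allow-all on the OpenVPN tab.
ALLOW_ALL = [("OpenVPN", [rule("pass", "OpenVPN")])] + SPECIFIC[1:]

def tenant_isolation_holds(tabs):
    """True if each tenant reaches only its own subnet (constructed sample hosts)."""
    a_own = evaluate(tabs, "OVPN_A", "10.10.1.5", "192.168.1.10")
    a_cross = evaluate(tabs, "OVPN_A", "10.10.1.5", "192.168.2.10")
    b_own = evaluate(tabs, "OVPN_B", "10.10.2.5", "192.168.2.10")
    b_cross = evaluate(tabs, "OVPN_B", "10.10.2.5", "192.168.1.10")
    return (a_own, b_own) == ("pass", "pass") and (a_cross, b_cross) == ("block", "block")

if __name__ == "__main__":
    print("specific rules:", tenant_isolation_holds(SPECIFIC))           # True
    print("allow-all on OpenVPN tab:", tenant_isolation_holds(ALLOW_ALL))  # False
```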