Remote Access VPN from Guest Network
-
Hello everyone,
There is a small office pfSense scenario with only LAN and Guest Network, like below.
For security reasons, I have a deny rule to "This Firewall" on the Guest Network. So in case someone wants to access the LAN, they should use the remote access VPN, just like if they were outside. But the "deny access to This Firewall" rule is causing the OpenVPN remote access to not connect from the guest network.
Does this have to do with NAT reflection? Because the deny rule is activated, the traffic going to the firewall is from Guest, while in reality I need the clients to go to the Internet and hit the WAN port to connect to the OpenVPN server like normally.
What are the settings I should check for this traffic to be achieved?
-
@Bambos
I assume the clients on the guest subnet use the VPN as well when they are out of office. Otherwise I'd rather solve this with a captive portal than a VPN. "This Firewall" means any IP of pfSense. So yes, your rule also blocks access to the WAN address.
@Bambos said in Remote Access VPN from Guest Network:
> while in reality I need the clients to go to the Internet and hit the WAN port to connect to the OpenVPN server like normally.
You don't want them to go to the internet in fact; you want them to go to pfSense using the WAN address.
And this is what's really going on indeed. Since the clients call the WAN IP, traffic will never go out to the internet, nor does it pass the WAN (NAT) rules.
-
Yes, the same VPN for remote access is used.
So this has nothing to do with NAT reflection? (I guess.)
If this is the case, I will remove the "deny This Firewall" rule and add block rules for the pfSense web interface port.
In that guest network we need only ping, DNS, internet.
-
@Bambos
Simply put the pass rules for allowing the needed services above the block rule.
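The rule order suggested above, written out in pf syntax as an added illustration (not from the thread and not pfSense's own generated ruleset). Interface names, the guest subnet and the OpenVPN port 1194/UDP are assumptions; pfSense renders "This Firewall" as pf's `(self)` and adds `quick` to every GUI rule, so first match wins.

```pf
# Assumed: guest interface igb2, guest subnet 10.20.0.0/24, WAN on igb0,
# OpenVPN server listening on the WAN address, default port 1194/UDP.
guest     = "igb2"
guest_net = "10.20.0.0/24"
wan       = "igb0"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Pass rules for the services the guest network needs come FIRST.
#    The OpenVPN packets are addressed to the WAN IP, so they are answered
#    by pfSense on the guest interface and never leave towards the internet;
#    NAT reflection plays no part here.
pass in quick on $guest inet proto udp from $guest_net to ($wan) port 1194
# DNS to the resolver on the guest gateway address only
pass in quick on $guest inet proto { tcp udp } from $guest_net to ($guest) port 53
# ping to the gateway
pass in quick on $guest inet proto icmp from $guest_net to ($guest) icmp-type echoreq

# 2. Only now block everything else aimed at any pfSense address
#    (the GUI's "This Firewall"), which covers the web interface port as well.
block in quick on $guest inet from $guest_net to (self)

# 3. Internet only: anything else may leave, except towards private
#    (LAN) ranges, which keeps guests off the LAN unless they use the VPN.
pass in quick on $guest inet from $guest_net to ! <rfc1918>
```

Placing the block rule before rule 1 reproduces the symptom from the thread: the OpenVPN packets to the WAN address match `(self)` and are dropped before the pass rule is ever reached.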