Netgate Discussion Forum
    Problem with site-to-site VPN and filtering OpenVPN Traffic to the LAN [SOLVED]

    OpenVPN

    Gerinsel

      Hi,

      My setup involves 3 site-to-site VPNs using PKI. These are fully functional.
      I am running 1.2.3RC3, where you can assign the tunX interface to an interface, say optX.
      So it is possible to use firewall rules to direct traffic.
      I followed the tutorial at http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Filtering_OpenVPN_Traffic and http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3.
      The problem is, I am not able to block traffic to the LAN network (on the main site) or any other network that is routed through the OpenVPN.
      The remote sites should be able to talk to the WSUS and file server in the DMZ2 network on the main site, which is functioning properly.
      The LAN network on the main site should be able to "talk" to each remote site LAN, but should be protected from connection attempts from there. So it should be like the standard pfSense LAN to WAN setting, but with LAN to VPN.
      Is there any way to get the firewall rules working?
      In Advanced Config, "Disable all auto-added VPN rules" is on.
      The tunnel interface tun1 is OPT6 and has a firewall rule set to allow only traffic from these 3 site LANs to the DMZ2 subnet.
      But according to the packet capture from the OPT6 interface, all traffic is going right through. Even pinging the main site LAN is possible.
      The VPN server runs on the main site; site1-3 are clients. The main site LANnet is pushed to the clients, but any attempt to access another network other than the DMZ2net on the main site should be denied. Only when a client on the LANnet initiated the traffic should it be allowed.
      The Topology:
                                               "some other Nets"
                                                          |
                                                       OPTX
                                                          |
                      wsus--DMZ2net--OPT4--main--LAN--LANnet--Hosts
                                                          |
                                                       WAN
                                                          |
             Hosts--LAN--site2--WAN----Internet----WAN--site3--LAN--Hosts
                                                          |
                                                       WAN
                                                          |
                                                        site1
                                                          |
                                                        LAN
                                                          |
                                                       Hosts

      Edit:
      Problem was solved by upgrading to 1.2.3RELEASE
      I am very happy with the new release by now :)
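The policy described in the post, written out as the pf ruleset that pfSense's firewall rules compile to, as an added illustration that is not part of the original post or of pfSense itself. The interface names (tun1 as OPT6, em0 as LAN) and all subnets are constructed placeholders; substitute your own. It assumes "Disable all auto-added VPN rules" is on, as the post states, because the auto-added pass rule on the OpenVPN interface would otherwise match before any of these.

```pf
# Interfaces and networks: constructed placeholder values, not taken from the post
vpn_if    = "tun1"                                      # the OpenVPN tunnel, assigned as OPT6
lan_if    = "em0"                                       # main-site LAN interface (assumed name)
main_lan  = "10.0.1.0/24"                               # LANnet (constructed)
dmz2      = "10.0.2.0/24"                               # DMZ2net: WSUS and file server (constructed)
site_lans = "{ 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24 }" # site1..site3 LANs (constructed)

# Default deny on the tunnel interface. Logging it makes every blocked
# connection attempt from a remote site visible in the firewall log.
block in log on $vpn_if all

# Remote site LANs may reach only the DMZ2 subnet. "quick" stops rule
# evaluation here; "keep state" lets the DMZ2 replies back out the tunnel.
pass in quick on $vpn_if inet from $site_lans to $dmz2 keep state

# The main-site LAN may initiate connections to the remote LANs. The reply
# packets arriving on tun1 are matched by the state entry created here, never
# by a $vpn_if rule, so nothing inbound has to be opened for them.
pass in quick on $lan_if inet from $main_lan to $site_lans keep state
```

In the pfSense GUI these correspond to a single rule on the OPT6 tab (source: the three site LANs, destination: DMZ2 subnet, pass) with the interface's implicit default deny, plus a LAN-tab rule from LANnet to the remote LANs. Because pf applies rules on the interface a packet enters, the block on tun1 is what protects LANnet; pushing the LANnet route to the clients only affects routing, not filtering. A syntax check of a ruleset written this way is `pfctl -nf <file>`, and a capture on the OPT6 interface should then show remote-site packets to LANnet only when a LANnet host opened the connection first.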
