Problem with site-to-site VPN and filtering OpenVPN Traffic to the LAN [SOLVED]
-
Hi,
my setup involves 3 Site to Site VPNs using PKI. These are fully functional.
I am running 1.2.3RC3 where you can assign the tunX interface to an interface say optX.
So it is possible to use firewall rules to direct Traffic.
I followed the Tutorial at http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN#Filtering_OpenVPN_Traffic and http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3.
The Problem is, I am not able to block Traffic to the LAN Network (on the main site) or any other Network, that is routed through the OpenVPN.
The remote sites should be able to talk to the WSUS and file server in the DMZ2 network on the main site, which is functioning properly.
The LAN network on the main site should be able to "talk" to each remote site LAN, but should be protected from connection attemps from there. So it should be like the standard pfsense LAN to WAN setting, but with LAN to VPN.
Is there any way to get the firewall rules working?
In Advanced Config "Disable all auto-added VPN rules" is on.
The tunnel interface tun1 is OPT6 and has a firewall rule set to allow only traffic from these 3 site LANs to the DMZ2 subnet.
But according to the packet capture from OPT6 interface, every traffic is going right through. Even pinging the main site LAN is possible.
The VPN server runs on the main site, site1-3 are clients. The main site LANnet is pushed to the clients, but any attempt to access another network other than the DMZ2net on the main site should be denied. Only when a client on the LANnet iniutiated the traffic,it should be allowed.
The Topology:
"some other Nets"
|
OPTX
|
wsus–DMZ2net--OPT4--main--LAN--LANnet--Hosts
|
WAN
|
Hosts--LAN--site2--WAN----Internet–--WAN--site3--LAN--Hosts
|
WAN
|
site1
|
LAN
|
HostsEdit:
Problem was solved by upgrading to 1.2.3RELEASE
I am very happy with the new release by now :)