How to configure FW Rules for TUN0?



  • Hi everyone,

    I would like to know if there's any special configuration necessary for the TUN0 device regarding firewall rules.
    I have created several rules for traffic between our local LAN (network 8.x) and the LAN behind the VPN (network 42.x), as well as
    rules between 8.x and 120.x (the VPN LAN) and between 120.x and 42.x, just to make sure everything between these is passed through.

    The problem is that I haven't found a way to configure these specifically for interface TUN0, so I pasted them into the LAN config.
    I think that's why it blocks all my traffic, like the following:

    Dec 23 13:02:53 TUN0 192.168.8.13:8455 192.168.42.9:143 TCP

    Is it right that I have to find a way to configure TUN0 rules? If so, how can I do that? Or where would I have to put them? WAN maybe?

    Thanks for the help in advance.

    Best regards,
    Stefan

    Edit: FYI, I use OpenVPN between those 2 pfSense firewalls.
    The pfSense version is 1.2.2 on both machines.



  • You need to update to 1.2.3.
    The ability to filter OpenVPN has just recently been added.

    @http://blog.pfsense.org/?p=531:

    Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.



  • Hi Froeschli,

    I don't actually want to add filter rules; I'd be completely fine if it passed all of the traffic without blocking it (like it does at the moment).
    I'm not sure how (if there's no option in 1.2.2) I can tell the firewall to stop blocking my traffic.

    However, there's a (sort of) weird scenario that I have when SSHing to one of the remote VPN servers.
    I can stay on them for like 5-10 seconds and then the connection closes, so the firewall doesn't seem to block directly,
    but within a certain time window. Could it be that the connection aborts because on the way back the replies come through the
    2nd VPN gateway?

    Like this:
    My PC -> VPN Gate 1 (Firewall) -> (Internet) -> Remote VPN Gate 1 (Firewall) -> Server I want to talk to -> Remote VPN Gate 2 (VPN Server) ->
    -> VPN Gate 2 (VPN Server) -> My Pc

    Could that be a problem? Maybe because of identification issues? Like sending a request to one VPN server (FW)
    and getting an answer back from the other VPN server?

    Thanks for the Help

    Kind regards,
    Stefan

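As an added example (not from the thread or from pfSense itself), here is what the rules the first post describes look like in raw pf syntax once the OpenVPN tun interface can be filtered, i.e. after it is assigned as an OPT interface on 1.2.3 as the second post says. The interface name tun0 and the three /24 networks (192.168.8.0/24 local LAN, 192.168.42.0/24 remote LAN, 192.168.120.0/24 tunnel subnet) are assumed from the addresses in the posts; in pfSense these rules would be entered in the GUI on the assigned interface rather than in pf.conf directly.

```pf
# Added example, not part of the original thread or of pfSense's generated ruleset.
# Assumed names and networks (taken from the addresses quoted in the posts):
vpn_if     = "tun0"             # OpenVPN tun interface, assigned as OPT1 on 1.2.3
lan_net    = "192.168.8.0/24"   # local LAN
remote_net = "192.168.42.0/24"  # LAN behind the remote pfSense
tun_net    = "192.168.120.0/24" # tunnel endpoints

# Traffic arriving over the tunnel from the remote LAN or tunnel endpoints
# may reach the local LAN. "keep state" means only the first packet of a
# connection has to match a rule; the replies are accepted by the state entry.
pass in  quick on $vpn_if inet from { $remote_net, $tun_net } to $lan_net keep state

# Local LAN leaving over the tunnel toward the remote side (covers 8.x -> 42.x
# and 8.x -> 120.x from the first post).
pass out quick on $vpn_if inet from $lan_net to { $remote_net, $tun_net } keep state

# Anything else arriving over the tunnel is dropped and logged, which is what
# produces the "TUN0 src:port dst:port TCP" entries in the firewall log.
block in log quick on $vpn_if all
```

Caveat for the asymmetric path sketched in the last post: "keep state" assumes replies come back through the same firewall that saw the first packet. If the SYN goes out via VPN gate 1 but the SYN-ACK and later segments return via VPN gate 2, gate 2 has no state entry for that connection and its default deny drops mid-stream packets, which matches a session that works briefly and then dies. The usual fix is routing (make the remote side send replies back through the same gateway); passing the return traffic statelessly on the second gateway with `no state` instead of `keep state` is possible in pf but gives up the stateful protection on that path.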
