GATEWAY firewall rule conflict with Openvpn routes?



  • I have an Openvpn tunnel which injects several routes into the pfsense route table via "route network netmask;" statements in custom_options.

    I can consistently stop traffic from the LAN (pings) to networks over the VPN by adding a GATEWAY statement.

    <rule>
        <id/>
        <type>pass</type>
        <interface>lan</interface>
        <max/>
        <max-src-nodes/>
        <max-src-conn/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <source>
            <network>lan</network>
        </source>
        <destination>
            <any/>
        </destination>
        <gateway>GATEWAY</gateway>
    </rule>

    <gateways>
        <gateway_group>
            <name>GATEWAY</name>
            WAN|1
            WANORC|1
            <trigger>down</trigger>
        </gateway_group>
        <gateway_item>
            <interface>wan</interface>
            <gateway>dynamic</gateway>
            <name>WAN</name>
            <weight>1</weight>
            <monitor>58.28</monitor>
            <latencylow>25</latencylow>
            <latencyhigh>250</latencyhigh>
            <losslow>1</losslow>
            <losshigh>4</losshigh>
        </gateway_item>
        <gateway_item>
            <interface>opt1</interface>
            <gateway>dynamic</gateway>
            <name>WANORC</name>
            <weight>1</weight>
            <monitor>60.234</monitor>
            <defaultgw/>
            <latencylow>25</latencylow>
            <latencyhigh>250</latencyhigh>
            <losslow>1</losslow>
            <losshigh>4</losshigh>
        </gateway_item>
    </gateways>
    

    Maybe this could be fixed by creating a custom route script for openvpn using the "up" openvpn command:

    For example, I use this for source routing on Linux.

    In vpn.conf:

    
    up /etc/openvpn/vpn-routes.sh
    
    

    with:

    
    #!/bin/bash
    # script vpn-routes.sh
    # cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ]
    
    /sbin/ip route add to 10.200.1.0/24  src 192.168.1.1 via $5
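    A generalised version of the hook above, added here as an example and not the poster's own vpn-routes.sh: instead of hard-coding one network it walks the environment OpenVPN exports to hook scripts (route_network_N, route_netmask_N, route_gateway_N and ifconfig_remote, which is the same value as $5 of an "up" script) and emits one "ip route add ... src ..." line per route, so routes pushed by the server are covered as well as the "route" lines in the client config. The LAN_SRC_IP variable and all addresses are constructed for the demonstration. One caveat worth knowing when wiring this in: OpenVPN runs the "up" hook before it installs its own routes, so a hook that manages routes belongs on "route-up" (or on "up" together with "route-noexec").

```shell
#!/bin/sh
# Added example (not the poster's script): print one "ip route add" command
# per route that OpenVPN hands to a hook script, pinning the LAN source
# address as in the original vpn-routes.sh. Reads the variables OpenVPN
# exports to scripts: route_network_N, route_netmask_N, route_gateway_N
# (N = 1, 2, ...) and ifconfig_remote.

# Convert a dotted-quad netmask to a prefix length (255.255.255.0 -> 24).
# Assumes a well-formed contiguous mask.
mask_to_prefix() {
    prefix=0
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        n=$octet
        while [ "$n" -gt 0 ]; do
            prefix=$((prefix + (n & 1)))
            n=$((n >> 1))
        done
    done
    echo "$prefix"
}

# vpn_route_cmds SRC_IP: print the route commands without executing them.
# Falls back to the tunnel peer (ifconfig_remote) when OpenVPN supplies no
# route_gateway_N for a route.
vpn_route_cmds() {
    src=$1
    i=1
    while :; do
        eval "net=\${route_network_$i:-}"
        [ -n "$net" ] || break
        eval "mask=\${route_netmask_$i:-255.255.255.255}"
        eval "gw=\${route_gateway_$i:-\$ifconfig_remote}"
        echo "/sbin/ip route add to $net/$(mask_to_prefix "$mask") src $src via $gw"
        i=$((i + 1))
    done
}

# Constructed sample environment, used only when not running under OpenVPN.
if [ -z "${route_network_1:-}" ]; then
    route_network_1=10.200.1.0; route_netmask_1=255.255.255.0; route_gateway_1=10.8.0.1
    route_network_2=10.200.2.0; route_netmask_2=255.255.255.0   # no gateway given
    ifconfig_remote=10.8.0.5
fi

# Dry run: print the commands. In a real hook, execute them instead:
#   vpn_route_cmds 192.168.1.1 | sh
vpn_route_cmds "${LAN_SRC_IP:-192.168.1.1}"
```

Run without arguments it prints the two commands for the constructed routes; under OpenVPN the real route_* variables take precedence and the pipe to sh installs them.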
    


  • If you force traffic to a gateway, it forces it to the gateway, overriding the routing table. It's adding the routes, you're telling it to ignore them with that rule. That's how it should work.



  • @cmb:

    If you force traffic to a gateway, it forces it to the gateway, overriding the routing table. It's adding the routes, you're telling it to ignore them with that rule. That's how it should work.

    Sure. However, there seems to be a logic error here in the application.

    From what I've read you now need to put the GATEWAY flag in a firewall rule in order to use multi-wan.  But if so, having a multi-wan will conflict with having a vpn.

    _"After adding all the gateways you can then create a gateway group on the Gateway Group Tab. Set a priority for each wan connection that you want to have participate in each pool.

    Then assign this gateway group to a firewall rule (generally the LAN rule)." [1]_

    [1] http://forum.pfsense.org/index.php/topic,10407.0.html



  • You pick and choose what traffic goes where with the rules and gateway options. If you want traffic going to VPN tunnel to use the normal routing table instead of policy routing you have to make a separate rule for the traffic with gateway set to default and place it before other LAN rules.



  • @kpa:

    You pick and choose what traffic goes where with the rules and gateway options. If you want traffic going to VPN tunnel to use the normal routing table instead of policy routing you have to make a separate rule for the traffic with gateway set to default and place it before other LAN rules.

    So if I want traffic from the LAN to go to the openvpn network I need to add a single rule for each network to the firewall rules?

    This seems like something that could be better done by automation to prevent errors and potential security issues.



  • You can use a network alias that expands to one or more networks (Firewall->Aliases->Type: Network(s)) in place of the destination address to make it more manageable.



  • @kpa:

    You can use a network alias that expands to one or more networks (Firewall->Aliases->Type: Network(s)) in place of the destination address to make it more manageable.

    Excellent, didn't know that. Thanks.

    Still think it's not ideal. Doesn't cover the situation where, say, the OpenVPN server pushes routes to the pfSense OpenVPN client. Might be nice if you could set up custom anchors for the OpenVPN.

    I also think it would be nice if each OpenVPN tunnel got its own interface in the firewall rules UI, rather than a single one for all. Still, it's better than what was before, and with the nice floating firewall rule UI I can at least do some custom rules.



  • You need to learn about pfSense, I think.

    You can assign openvpn interfaces and can filter them one by one.



  • @ermal:

    You need to learn about pfSense, I think.

    You can assign openvpn interfaces and can filter them one by one.

    Wow. Thanks, I didn't know that was now possible in 2.0.

    The assignment of logical interface to actual tun device is fixed, i.e. OPT3 to ovpnc1 or OPT4 to ovpnc1. How does pfSense treat the ordering of the ovpn devices if you have more than one tunnel during a reboot?

    Second, there is a (default) tab of OpenVPN in the firewall rules. How does this differ from an assigned interface?

