Netgate Discussion Forum
    Blocking certain subnets in my ipsec network

    Firewalling

      xibalba

      hello everyone,

      I have the following network setup
      192.168.0.0/24 <~at my colo
      192.168.1.0/24 <~ office 1
      192.168.2.0/24 <~ office 2
      192.168.10.0/24 <~ office 3
      192.168.11.0/24 <~ office 4

      I'm using pfSense on the router @ 192.168.0.0/24 as an IPsec concentrator, so each individual office connects back to 192.168.0.1 with the remote subnet being set to 192.168.0.0/16.

      Colo, office 1 and office 2 need to be able to access every network. However, office 3 and 4 only need to access the colo, office 1 and office 2. So office 3 shouldn't be able to access office 4, and office 4 shouldn't be able to access office 3.

      On the router at office 3 I tried setting up the following LAN rules:

      block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
      block drop in quick on dc1 inet from ! 192.168.1.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
      block drop in quick on dc1 inet from ! 192.168.2.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"

      But it looks like I'm still able to access everything from office 4's network to office 3's network.
      Any suggestions?

      I also tried the following rule on the colo pfSense box (192.168.0.1):
      block drop in quick on rl0 inet from 192.168.11.0/24 to ! 192.168.0.0/24 label "USER_RULE: blk HPO 2 Others"

      Thanks in advance

        sullrich

        Filtering on IPSEC or OpenVPN does not work in 1.0.

        Sorry!

          xibalba

          Are there any future plans to change this?
          Should I just set the remote subnet for 192.168.11.0/24 to 192.168.0.0/24 instead of /16, so 192.168.11/24 can't access 192.168.10/24?
          Thanks for the quick response.

            hoba

            It depends on whether you need the branch offices to talk to each other through the main office. If you have control over each end's box you can drop traffic incoming at LAN before it hits the tunnels. This way you can do filtering.

            VPN tunnel filtering is already working in HEAD. It will appear once pfSense hits the 2.0 release, I guess.

              xibalba

              On the pfSense router at 192.168.10.1 I went to Firewall -> Rules -> LAN and set the following rule:

              Block -- Proto () -- Source (! RnDNetworks (this is an alias set to the 192.168.0, 1, 2 subnets, 255.255.255.0)) -- Port () -- Destination (LAN Subnet (192.168.10.0/24)) -- Port () -- Gateway ()

              When I SSH into 192.168.10.1 and run pfctl -s rules it shows:
              block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
              block drop in quick on dc1 inet from ! 192.168.1.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
              block drop in quick on dc1 inet from ! 192.168.2.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"

                hoba

                Nope, you didn't get the point:

                192.168.1.0/24----LAN/pf1/WAN-----(VPN)-----WAN/pfcolo/LAN----192.168.0.0/24

                You block traffic at the LAN of pf1 leaving into the IPsec tunnel, like from the pf1 LAN subnet to remote subnets, before it goes into the tunnels.

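As an added example (not posted by anyone in this thread), here is what hoba's approach from the two replies above looks like as pf rules on office 3's box, with the original rule kept as a comment to show why it could not match. The interface name dc1 and the labels follow the pfctl output quoted in the thread; the subnets come from the first post; the mirror rule for office 4 is an assumption about that box's LAN interface.

```pf
# Added example, not from the thread. Applies to office 3's pfSense
# (192.168.10.1), LAN interface, shown as dc1 in the thread's pfctl output.
lan_if  = "dc1"
office3 = "192.168.10.0/24"
office4 = "192.168.11.0/24"
allowed = "{ 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 }"

# The rule from the first post cannot match what it was meant to block:
# "in on dc1" only sees packets entering the box from LAN hosts, whose
# source is always inside 192.168.10.0/24, never a remote office.
# Packets arriving from office 4 come in on the IPsec side and leave
# dc1 outbound, a direction this rule never inspects (and per sullrich,
# filtering on the IPsec side itself does not work in 1.0).
#   block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24

# What hoba describes: drop office 3 -> office 4 traffic as it enters
# the LAN interface, before it can reach the tunnel. The block is
# evaluated first, then the permitted destinations are passed.
block drop in quick on $lan_if inet from $office3 to $office4 \
    label "USER_RULE: block LAN to office 4"
pass in quick on $lan_if inet from $office3 to $allowed keep state \
    label "USER_RULE: allow LAN to colo and offices 1-2"

# Because the tunnel side is unfiltered, the same has to be done at the
# other origin. Mirror rule on office 4's pfSense (192.168.11.1), LAN
# interface (name assumed, substitute that box's LAN interface):
#   block drop in quick on <lan_if> inet from 192.168.11.0/24 to 192.168.10.0/24
```

Both blocks are needed: a rule on office 3 alone stops office 3 from reaching office 4, but leaves office 4 free to initiate connections into office 3 through the colo.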
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.