Blocking certain subnets in my ipsec network



  • Hello everyone,

    I have the following network setup
    192.168.0.0/24 <~ at my colo
    192.168.1.0/24 <~ office 1
    192.168.2.0/24 <~ office 2
    192.168.10.0/24 <~ office 3
    192.168.11.0/24 <~ office 4

    I'm using pfSense on the router @ 192.168.0.0/24 as an IPsec concentrator, so each individual office connects back to 192.168.0.1 with the remote subnet being set as 192.168.0.0/16.

    Colo, office 1 and office 2 need to be able to access every network. However, office 3 and 4 need only to access the Colo, office 1 and office 2. So office 3 shouldn't be able to access office 4, and office 4 shouldn't be able to access office 3.

    On the router at office 3 I tried setting up the following LAN rule.

    block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
    block drop in quick on dc1 inet from ! 192.168.1.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
    block drop in quick on dc1 inet from ! 192.168.2.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"

    But it looks like I'm still able to access everything from office 4's network to office 3's network.
    Any suggestion?

    I also tried the following rule on the Colo pfSense box
    (192.168.0.1):
    block drop in quick on rl0 inet from 192.168.11.0/24 to ! 192.168.0.0/24 label "USER_RULE: blk HPO 2 Others"

    Thanks in advance



  • Filtering on IPSEC or OpenVPN does not work in 1.0.

    Sorry!



  • Are there any future plans to change this?
    Should I just set the remote subnet for 192.168.11.0/24 to 192.168.0.0/24 instead of /16? So 192.168.11/24 can't access 192.168.10/24?
    Thanks for the quick response



  • It depends if you need the branch offices to talk to each other through the main office. If you have control over each end's box you can drop traffic incoming at LAN before it hits the tunnels. This way you can do filtering.

    VPN tunnel filtering is already working in HEAD. It will appear once pfSense hits the 2.0 release, I guess.



  • On the pfSense router at 192.168.10.1 I went to Firewall -> Rules -> LAN and set the following rule:

    Block -- Proto () -- Source (! RnDNetworks (this is an alias set to the 192.168.0, 1, 2 subnets, 255.255.255.0)) -- Port () -- Destination (LAN Subnet (192.168.10.0/24)) -- Port () -- Gateway ()

    When I SSH into 192.168.10.1 and run pfctl -s rules it shows:
    block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
    block drop in quick on dc1 inet from ! 192.168.1.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"
    block drop in quick on dc1 inet from ! 192.168.2.0/24 to 192.168.10.0/24 label "USER_RULE: block other private nets"



  • Nope, you didn't get the point:

    192.168.1.0/24-----LAN/pf1/WAN-----(VPN)-----WAN/pfcolo/LAN-----192.168.0.0/24

    You block traffic at the LAN of pf1 leaving into the IPsec tunnel, i.e. from the pf1 LAN subnet to the remote subnets, before it goes into the tunnels.
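Worked example of the approach in the reply above (added here, not posted by anyone in the thread): a pf ruleset for office 3's LAN interface dc1, as named earlier in the thread, plus the mirrored rules for office 4, whose LAN interface name is an assumption. In the pfSense GUI these correspond to LAN rules placed above the default "LAN net to any" pass rule, since "quick" rules match in order.

```pf
# Office 3 (pf1). LAN rules on pfSense are evaluated "in" on dc1, i.e. on
# packets sent by office 3 hosts towards the router. Packets arriving from
# office 4 enter through the IPsec side, not dc1, so a LAN rule that matches
# on a *remote* source address never sees them.

# Rule from the thread (ineffective): on dc1 the source is always an office 3
# host, so "from ! 192.168.0.0/24 to 192.168.10.0/24" only matches LAN-to-LAN
# traffic that crosses the router, which normally never happens.
# block drop in quick on dc1 inet from ! 192.168.0.0/24 to 192.168.10.0/24

# Working rule: drop office 3 -> office 4 traffic on the LAN before it is
# routed into the tunnel. Must sit above the default pass rule.
block drop in quick on dc1 inet from 192.168.10.0/24 to 192.168.11.0/24 label "USER_RULE: no office3 to office4"

# Everything else office 3 may reach (colo, office 1, office 2) stays allowed.
pass in quick on dc1 inet from 192.168.10.0/24 to any keep state

# Office 4. The LAN interface name "dc1" is assumed here; adjust to that box.
# The mirrored rule is needed so sessions initiated from office 4 are dropped
# at office 4's own LAN, the only place in 1.0 where they can be filtered.
block drop in quick on dc1 inet from 192.168.11.0/24 to 192.168.10.0/24 label "USER_RULE: no office4 to office3"
pass in quick on dc1 inet from 192.168.11.0/24 to any keep state
```

Check the loaded ruleset with `pfctl -s rules` as in the thread and confirm the block lines appear before the pass line; then test from an office 3 host to an office 4 address and watch the rule's counter in `pfctl -vs rules` increment.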

