Help with LAN side firewalling



  • Hello,

    I have an OpenVPN Linux server BEHIND pfSense. I can connect fine to this VPN (which gives IPs like 10.10.14.x), and ping hosts on the office subnet (10.10.13.x). I had to make a route back from the pfSense router to the OpenVPN box for this to work, but it's fine now.

    However… for some reason I can't connect to services. I have a wide open allow rule for the LAN interface which I would think would cover this case, but for some reason it does not.

    I am allowing 10.10.0.0/24 on the LAN interface from anywhere, to anywhere, any protocol, any port, etc.

    However, when I check the firewall, I am getting denied on packets going BACK from the machine I am trying to connect to via openvpn.

    So I telnet from 10.10.14.14 -> 10.10.13.220 and this is what I see in the firewall logs… looks like the problem is getting BACK to my 10.10.14.x IP, but I don't get why??

    Jun 25 09:25:28 LAN 10.10.13.220:22 10.10.14.14:49719 TCP:S

    and this is being caught by

    @266 block drop in log quick all label "Default deny rule"

    HALP!



  • Maybe you already thought of this, but all firewall rules are applied in order from top to bottom. So if there is a default deny rule on top, you can add as many allow rules as you want, traffic will never pass.
    There is a general setting per interface (2nd checkbox from the bottom) that will block all private network traffic. Do you have this unchecked for your LAN interface?



  • Thank you for your reply.

    Well, the allow rule is actually the only rule I have for the LAN side, so I don't think order is the issue.

    Also, I only see that checkbox on the WAN interface. I unchecked it just to see, but unfortunately that did not help.

    Any other ideas?



  • I forgot to ask, but which version of pfSense are you on? The checkbox for blocking private networks is there for each interface in 2.0RC3, but I'm not sure about 1.2.3.
    Is there a 'default deny rule' on any of the interfaces?



  • @Peter:

    I forgot to ask, but which version of pfSense are you on? The checkbox for blocking private networks is there for each interface in 2.0RC3, but I'm not sure about 1.2.3.
    Is there a 'default deny rule' on any of the interfaces?

    In pfSense 2.0 there isn't any visible "default deny all" rule.

    @bitherder
    Could you please post your topology with subnets/IPs?
    For me it is not easy to understand from where to where you can establish a connection and from where not.



  • Thanks again. This is 2.0

    Please see the linked sketch… hopefully it's legible.

    http://i.imgur.com/JBjte.jpg

    From my home net, I can connect to OVPN and get assigned an IP in the 10.10.14.x range. I can get out to the internet routed through this IP. I can ping hosts on the 10.10.13.x network. I can connect fine to hosts on the 10.10.14.x network. I CAN'T connect to resources on the 10.10.14.x net, and it's saying the TCP SYN packet is getting dropped by the default deny rule.

    Hopefully that is more clear. Please let me know if there is anything else I can provide.



  • Hi,

    Did you allow OpenVPN clients to communicate with each other? In pfSense OpenVPN there is a checkbox for this, but I think you have to configure it on your other OVPN server.

    Do you want to connect to Windows folders? Did you try only with hostnames/DNS names, or did you try to connect with IP addresses? Perhaps you have to check the client's firewall to allow this kind of traffic.
    Did you remember that every OpenVPN connection is working in a /30 subnet? The first address is the network address, the second the server address, the third the client address, and the fourth the broadcast address. Just make sure that you tried to connect to the correct address.

    Further, I read something about a default MTU size for OpenVPN which is too high in some cases. Ping works but connecting to SMB shares didn't work for some people.

    Hmmm, I read your thread again and now I'm not sure again: what is your difference between hosts on 10.10.14.0/24 and resources on 10.10.14.0/24?



    I am trying to connect via SSH from an OpenVPN client on the OpenVPN network, for example 10.10.14.14 -> 10.10.13.204.

    When I do this I see the response back from 10.10.13.204 rejected by the pfSense router with the messages

    LAN 10.10.13.220:22 10.10.14.14:49719 TCP:S

    @266 block drop in log quick all label "Default deny rule"

    I don't know how I can allow this traffic. The allow rule I have is wide open for 10.10.0.0/16, as in the attached screenshot.

    ![screeny 2011-06-25 at 9.23.17 AM.png](/public/imported_attachments/1/screeny 2011-06-25 at 9.23.17 AM.png)



  • Just a bit more information to answer your questions above… this was all working fine with a prior setup. The only thing that has been changed in this setup is the router. Since there is a firewall rule being triggered and logged, I assume the problem is some pfsense setting.

    All other connections on the network seem to work OK. The only issue I am having is services between 10.10.14.x and 10.10.13.x.



    Hmpf… sorry, for now I cannot help you any more.
    I do not see any mistake in there. Perhaps you could change the firewall state handling in pfSense from "normal" to another, more conservative state. This must be under SYSTEM - ADVANCED.



  • Don't change state keeping, that's not the issue. Sounds like asymmetric routing, where is the OpenVPN server? If it's reachable via a static route you need "Bypass firewall rules for traffic on the same interface" under System>Advanced.
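    As an added illustration of the asymmetric-routing diagnosis in this reply (example code written for this thread, not part of the original post or of pfSense): a reply packet from a LAN host to a VPN client enters the LAN interface, but the firewall's route to the VPN subnet points back out that same LAN interface (a static route via the OpenVPN box), so pfSense sees a flow whose first half never crossed it and hits the default deny. The script below reads filter-log lines in the shape posted above, looks up where each packet's destination would be routed, and flags the entries where ingress and egress interface are the same and the destination is reached through a gateway, which is exactly the traffic the "Bypass firewall rules for traffic on the same interface" option exempts. The routing table and log lines are constructed; the OpenVPN box's LAN address (10.10.13.250) and the WAN gateway are assumptions, since the thread never states them.

```python
import ipaddress
import re

# Constructed routing table modelled on the thread's topology.
# (iface, gateway); gateway None means the network is directly attached.
# 10.10.13.250 is an ASSUMED address for the OpenVPN box; 203.0.113.1 is a
# documentation-range placeholder for the WAN gateway.
ROUTES = {
    ipaddress.ip_network("10.10.13.0/24"): ("LAN", None),
    ipaddress.ip_network("10.10.14.0/24"): ("LAN", "10.10.13.250"),
    ipaddress.ip_network("0.0.0.0/0"): ("WAN", "203.0.113.1"),
}

# Constructed sample log lines in the same shape as the one posted in the thread.
SAMPLE_LOG = """\
Jun 25 09:25:28 LAN 10.10.13.220:22 10.10.14.14:49719 TCP:S
Jun 25 09:25:31 LAN 10.10.13.220:22 10.10.14.14:49719 TCP:S
Jun 25 09:26:02 WAN 198.51.100.7:40123 10.10.13.50:22 TCP:S
Jun 25 09:26:40 LAN 10.10.13.50:51234 8.8.8.8:53 UDP
"""

# "<timestamp> <iface> <src>:<sport> <dst>:<dport> <proto>[:<flags>]"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<iface>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+)(?::(?P<flags>\w+))?$"
)


def parse_line(line):
    """Return the fields of one filter-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def egress_interface(dst):
    """Longest-prefix match of dst against ROUTES; returns (iface, gateway)."""
    addr = ipaddress.ip_address(str(dst))
    best = None
    for net, (iface, gw) in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best[1], best[2]


def classify(entry):
    """Label a parsed entry: 'same-interface-routed' when the packet came in on
    the interface it would be routed back out of, via a gateway on that segment.
    That is the asymmetric-routing case: the other direction of the flow never
    passed the firewall, so no state exists and the default deny fires."""
    iface, gw = egress_interface(entry["dst"])
    if iface == entry["iface"] and gw is not None:
        return "same-interface-routed"
    return "normal"


def find_asymmetric(lines):
    """Return (src, dst) pairs of logged packets that match the asymmetric case."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and classify(entry) == "same-interface-routed":
            hits.append((entry["src"], entry["dst"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_asymmetric(SAMPLE_LOG.splitlines()):
        print(f"asymmetric: {src} -> {dst} enters and leaves on the same interface")
```

    Running it over the constructed log flags only the two 10.10.13.220 -> 10.10.14.14 entries; the WAN-to-LAN and LAN-to-internet lines cross two different interfaces and are ordinary stateful traffic. When the flagged pairs are the ones showing up under the default deny rule, the fix is the bypass option named in the reply above (or moving the VPN subnet so that both directions traverse the firewall), not a looser state-keeping mode.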



  • THANK YOU! That worked a trick.

