Allow Access to Single IP from VPN



  • How do I set up OpenVPN on pfSense 2.0 RC3 to allow the VPN network to have access to a single IP on our internal network. For example, our OpenVPN clients are all on 192.168.3.0/24 and we don't care if they talk to each other. They need to be blocked from our internal network as a whole but have access to a single IP, 192.168.1.8. How do I set that?



  • Go to Firewall -> Rules
    There is an OpenVPN tab and there you only add one rule:

    Action: pass
    Protocol: any
    Source: 192.168.3.0/24
    port: any
    destination: 192.168.1.8/24
    port: any

    That's all.



  • @Nachtfalke:

    Go to Firewall -> Rules
    There is an OpenVPN tab and there you only add one rule:

    Action: pass
    Protocol: any
    Source: 192.168.3.0/24
    port: any
    destination: 192.168.1.8/24
    port: any

    That's all.

    Do I leave the network it is allowed to access in the OpenVPN server configuration blank? I made this rule but I was able to access anything on the network.



  • @ieatfish:

    @Nachtfalke:

    Go to Firewall -> Rules
    There is an OpenVPN tab and there you only add one rule:

    Action: pass
    Protocol: any
    Source: 192.168.3.0/24
    port: any
    destination: 192.168.1.8/24
    port: any

    That's all.

    Do I leave the network it is allowed to access in the OpenVPN server configuration blank? I made this rule but I was able to access anything on the network.

    Oh, I am stupid.
    The destination IP should be 192.168.1.8/32 of course, NOT subnet mask /24.
    This rule must be on top of all other OpenVPN firewall rules. Perhaps you can post a screenshot of your OpenVPN firewall rules.

    In the OpenVPN server you have to enter the destination network 192.168.1.0/24.
    This lets the client know that it should use the OpenVPN tunnel to reach the network 192.168.1.0/24. It creates a routing entry on the client side. This is necessary.
    Restrictions will be made with the firewall rules.
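    To see why the first rule as posted let the client reach the whole subnet, and why the /32 host rule has to sit above any broader rule, here is a small first-match rule evaluator added to this thread (example code, not pfSense's own; the rule tuples and the client address 192.168.3.10 are constructed):

    ```python
    import ipaddress

    # Modelled on how pfSense evaluates the rules on an interface tab: top to
    # bottom, first match wins, and traffic matching no rule is dropped by the
    # implicit default deny. Assumption for this example: no floating rules.

    def first_match(rules, src, dst):
        """Return the action of the first matching rule, or 'block' (default deny)."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        for action, src_net, dst_net in rules:
            # strict=False mirrors pf: 192.168.1.8/24 is masked to 192.168.1.0/24
            if (src_ip in ipaddress.ip_network(src_net, strict=False)
                    and dst_ip in ipaddress.ip_network(dst_net, strict=False)):
                return action
        return "block"

    # The rule as first posted: a /24 on the destination covers the whole subnet.
    WRONG_RULES = [("pass", "192.168.3.0/24", "192.168.1.8/24")]

    # Corrected: /32 host allow on top, explicit subnet block underneath.
    CORRECT_RULES = [
        ("pass", "192.168.3.0/24", "192.168.1.8/32"),
        ("block", "192.168.3.0/24", "192.168.1.0/24"),
    ]

    # Same two rules swapped: the subnet block shadows the host allow.
    MISORDERED_RULES = list(reversed(CORRECT_RULES))

    def reachable(rules, dst, src="192.168.3.10"):
        """True if a VPN client at src (constructed address) may reach dst."""
        return first_match(rules, src, dst) == "pass"

    if __name__ == "__main__":
        for name, rules in [("wrong", WRONG_RULES), ("correct", CORRECT_RULES),
                            ("misordered", MISORDERED_RULES)]:
            print(name, "192.168.1.8:", reachable(rules, "192.168.1.8"),
                  "192.168.1.9:", reachable(rules, "192.168.1.9"))
    ```
    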



  • We have quite a few rules but they all apply to port forwards and such. The ones that we use for the VPNs are these, in this order in the list:

    Type: Allow
    Protocol: Any
    Source: 192.168.3.0/24
    Destination: 192.168.1.8

    Type: Block
    Protocol: Any
    Source: 192.168.3.0/24
    Destination: 192.168.1.0/24

    Type: Allow
    Protocol: TCP
    Source: Any:1195 (Port for VPN service)
    Destination: WAN Address

    I am still able to access 192.168.1.9 for example.

    edit: Oops, just realized I haven't been putting these rules in the OpenVPN tab. Durrrrrrr… I'll do some more testing.



  • The order of the rules should be correct, if they are in the OpenVPN tab.
    Please post back after testing.



  • It is working fine now. I had put the rules in the Firewall tab and completely forgotten about the OpenVPN one. Thanks for the help!

