Allow Access to Single IP from VPN
-
How do I set up OpenVPN on pfSense 2.0 RC3 to allow the VPN network to have access to a single IP on our internal network? For example, our OpenVPN clients are all on 192.168.3.0/24 and we don't care if they talk to each other. They need to be blocked from our internal network as a whole but have access to a single IP, 192.168.1.8. How do I set that up?
-
Go to Firewall -> Rules
There is an OpenVPN tab and there you only add one rule:
Action: pass
Protocol: any
Source: 192.168.3.0/24
port: any
destination: 192.168.1.8/24
port: any
That's all.
-
Do I leave the network it is allowed to access in the OpenVPN server configuration blank? I made this rule but I was able to access anything on the network.
-
Oh, I am stupid.
The destination IP should be 192.168.1.8/32 of course, NOT subnet mask /24.
This rule must be on top of all other OpenVPN firewall rules. Perhaps you can post a screenshot of your OpenVPN firewall rules.
In the OpenVPN server you have to enter the destination network 192.168.1.0/24.
This lets the client know that it should use the OpenVPN tunnel to reach the network 192.168.1.0/24. It creates a routing entry on the client side. This is necessary.
Restrictions will be made with the firewall rules.
-
We have quite a few rules but they all apply to port forwards and such. The ones that we use for the VPNs are these, in this order in the list:

Type: Allow
Protocol: Any
Source: 192.168.3.0/24
Destination: 192.168.1.8

Type: Block
Protocol: Any
Source: 192.168.3.0/24
Destination: 192.168.1.0/24

Type: Allow
Protocol: TCP
Source: Any:1195 (Port for VPN service)
Destination: WAN Address

I am still able to access 192.168.1.9 for example.
edit: Oops, just realized I haven't been putting these rules in the OpenVPN tab. Durrrrrrr… I'll do some more testing.
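The two mistakes discussed in this thread (a /24 mask on what should be a single-host /32, and the pass rule having to sit above the block rule) can both be checked offline before touching the firewall. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that models how pfSense applies the rules on one interface tab (GUI rules are "quick", so the first matching rule decides, and traffic matching no rule is blocked). The rule sets, client address 192.168.3.10 and destinations are constructed for the example; it does not model the wrong-tab problem, only mask and ordering.

```python
import ipaddress

# Constructed to mirror the thread: VPN clients live on 192.168.3.0/24 and
# should reach only the single host 192.168.1.8 on the internal LAN.
VPN_CLIENTS = "192.168.3.0/24"

# What the first answer said: host address with a /24 mask. pfSense (like
# ipaddress.ip_network(..., strict=False)) treats 192.168.1.8/24 as the
# whole network 192.168.1.0/24, so this passes every LAN host.
MISTAKEN_RULES = [
    ("pass", VPN_CLIENTS, "192.168.1.8/24"),
]

# The correction from the thread: /32 pass rule on top, then a block for the
# rest of the LAN.
CORRECTED_RULES = [
    ("pass", VPN_CLIENTS, "192.168.1.8/32"),
    ("block", VPN_CLIENTS, "192.168.1.0/24"),
]

# Same two rules, wrong order: the broad block is hit first and the /32 pass
# rule never gets a chance to match.
WRONG_ORDER_RULES = [
    ("block", VPN_CLIENTS, "192.168.1.0/24"),
    ("pass", VPN_CLIENTS, "192.168.1.8/32"),
]


def evaluate(rules, src, dst):
    """Return the action of the first rule matching src -> dst, else 'block'.

    Each rule is (action, source_cidr, destination_cidr). Protocol and port
    are 'any' throughout the thread, so they are not modelled here.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for action, src_cidr, dst_cidr in rules:
        src_net = ipaddress.ip_network(src_cidr, strict=False)
        dst_net = ipaddress.ip_network(dst_cidr, strict=False)
        if s in src_net and d in dst_net:
            return action  # first match wins ("quick" rules)
    return "block"  # implicit default deny on a pfSense interface


def effective_destinations(rules, src="192.168.3.10",
                           dsts=("192.168.1.8", "192.168.1.9")):
    """Map each constructed destination to the decision the rule set yields."""
    return {dst: evaluate(rules, src, dst) for dst in dsts}


def rule_covers_single_host(dst_cidr):
    """True only if the destination really is one host (a /32), which is the
    check the thread's author wished they had made before testing."""
    return ipaddress.ip_network(dst_cidr, strict=False).num_addresses == 1


if __name__ == "__main__":
    for name, rules in (("mistaken /24", MISTAKEN_RULES),
                        ("corrected /32 + block", CORRECTED_RULES),
                        ("block above pass", WRONG_ORDER_RULES)):
        print(f"{name:24} -> {effective_destinations(rules)}")
```

Running it shows the /24 rule passing 192.168.1.9 as well as 192.168.1.8, the corrected set passing only 192.168.1.8, and the reversed order blocking everything; the same reasoning applies to whatever rules end up on the OpenVPN tab, in the order they appear there.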
-
The order of the rules should be correct - if in the OpenVPN tab.
Please post back after testing.
-
It is working fine now. I had put the rules in the Firewall tab and completely forgotten about the OpenVPN one. Thanks for the help!