Netgate Discussion Forum
    Packet Flow OpenVPN

    Firewalling
    7 Posts 2 Posters 2.9k Views
    AuZZZie

      I'm a bit confused on pfSense packet flow.

      Let's say I wanted to block/allow a packet from a workstation over an IPsec tunnel. I could block it on the LAN interface as it enters or I could block it on the IPsec interface as it enters (routed from LAN int). Is this correct? All packet filtering is ingress on the interface?

      Obviously you want to block/allow as close to the source as possible, but I just want to make sure I'm understanding it correctly.

      When pfSense is acting as an OpenVPN client, however, and an interface is assigned, you now have both an OpenVPN and an OPT1/VPN interface that show under Firewall Rules. Which do you use?

      jimp (Rebel Alliance Developer, Netgate)

        The IPsec tab blocks traffic as it enters from the remote side. You can't block traffic from your LAN on the IPsec interface, only on the LAN interface.

        If you have your OpenVPN interface assigned, the interface rules on that tab take effect. Only the unassigned OpenVPN interfaces are governed by the rules on the OpenVPN tab.

        These days most people don't need to have their OpenVPN interfaces assigned, however.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        AuZZZie

          Thanks for the reply. That makes sense. I'm a little foggy though: if you don't assign your OpenVPN interface, can you still assign another Gateway to use for PBR?

          jimp (Rebel Alliance Developer, Netgate)

            If you want to do PBR then you do need to assign it so it gets a gateway. That kind of use still isn't all that common though; most VPNs are just routing normal subnets, not internet-bound traffic.


            AuZZZie

              Makes sense. Unfortunately, I'm 98% sure something is broken in pfSense 2.0 Final in regards to this setup (OpenVPN client assigned to interface). I've been playing with it for days and something just isn't right.

              jimp (Rebel Alliance Developer, Netgate)

                I've been running with two interfaces assigned on 2.0 (as are many pfSense customers) since the BETA days without issues.


                AuZZZie

                  Take a look at the StrongVPN/OpenVPN guide last page. Seems a few people are having issues as of 2.0 Final.

                  Everything is correct. But for whatever reason the Gateway for the OpenVPN interface shows online, then goes offline after 5 seconds or so.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.