Able to nmap scan machines on separate interfaces

  • I am fairly new at using pfsense.  I have wan, lan, opt1, and opt2 interfaces configured.  I thought I had them all separated via the firewall rules because I couldn't ping or connect to file shares between the two.  But I used zenmap to do a no-ping scan and I can scan open ports on my lan from my opt2 interface via an openvn connection?  Any help is appreciated in getting my interfaces properly separated.  Here are some screen shots of my rules.  I need the openvpn connection to map only to my opt2 interface for file sharing, which works correctly. I am not sure it's isolated though. 

  • First off, VPNs are supposed to be a secure connection. So if you VPN from OPT2 net to LAN it makes sense that you can bypass certain security. I think that if you want to have VPNers only access OPT2 network, then the only openvpn rule should be something like:

    Source: any
    SPort: any
    Destination: OPT2 Net
    DPort: any

    This way if the traffic is trying to go to anything but OPT2, it gets dropped (which is what happens if a rule is not matched for any interface TAB [including VPN] except for floating)

    Hope that helps.

  • Basically I need people who VPN in to be able to access a file share on opt2 and to surf via full tunneling through openvpn.  So the VPN is a secure surfing mechanism against locally sniffing attacks when traveling and access to the file share.  I don't know why I am so perplexed by the firewall rules.

  • Your block rule on OpenVPN will never match anything because OPT2-sourced traffic will never be seen incoming on OpenVPN.

  • point taken. thanks. my openvpn server is routed to my opt2 interface on .20.  I think it's working correctly now.  Is it standard procedure to allow all at the bottom and place the outbound blocks at the top?  Essentially are you placing rules most of the time to block outbound since by default all inbound is already blocked?  the .21 is my openvpn network. Thanks for the help.

Log in to reply