Netgate Discussion Forum

    Able to nmap scan machines on separate interfaces

    Firewalling
    5 Posts 3 Posters 1.1k Views
    newbieuser1234

      I am fairly new at using pfSense. I have WAN, LAN, OPT1, and OPT2 interfaces configured. I thought I had them all separated via the firewall rules because I couldn't ping or connect to file shares between the two. But I used Zenmap to do a no-ping scan and I can scan open ports on my LAN from my OPT2 interface via an OpenVPN connection? Any help is appreciated in getting my interfaces properly separated. Here are some screenshots of my rules. I need the OpenVPN connection to map only to my OPT2 interface for file sharing, which works correctly. I am not sure it's isolated though.
      (attached screenshots of the rules: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG)

        podilarius

        First off, VPNs are supposed to be a secure connection. So if you VPN from the OPT2 net to the LAN, it makes sense that you can bypass certain security. I think that if you want VPN users to only access the OPT2 network, then the only OpenVPN rule should be something like:

        Source: any
        SPort: any
        Destination: OPT2 Net
        DPort: any

        This way, if the traffic is trying to go to anything but OPT2, it gets dropped (which is what happens if no rule is matched on any interface tab [including VPN], except for floating).

        Hope that helps.

          newbieuser1234
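        The rule above rendered as a pf.conf-style ruleset, extended for the full-tunnel browsing the poster asks for in the next reply. This is an added example, not from the thread and not pfSense's generated ruleset (pfSense writes its own pf rules from the GUI); the interface names and the LAN/OPT2/tunnel subnets are assumptions, taken from the ".20" and ".21" mentioned later in the thread.

```pf
# Added example: OpenVPN-tab rules as pf.conf. Names and subnets are assumed.
lan_if   = "em1"
opt2_if  = "em3"
vpn_if   = "ovpns1"            # pfSense names its OpenVPN server interface ovpnsN
lan_net  = "192.168.10.0/24"   # assumed LAN subnet
opt2_net = "192.168.20.0/24"   # ".20" in the thread
vpn_net  = "192.168.21.0/24"   # ".21" in the thread, the tunnel network

# pfSense's default on every interface tab: whatever no pass rule matches is dropped.
block in log all

# VPN client traffic always enters on the tunnel interface, so the rules that
# confine it must live on the OpenVPN tab (ingress = $vpn_if) and be sourced
# from the tunnel network. pfSense adds "quick" to every rule, so first match wins.

# 1. Refuse the LAN explicitly, before any broader pass rule.
block in quick on $vpn_if inet from $vpn_net to $lan_net

# 2. Allow the file share on OPT2 (SMB over TCP).
pass  in quick on $vpn_if inet proto tcp from $vpn_net to $opt2_net port { 139, 445 } keep state

# 3. Full tunnel: everything else from VPN clients goes out to the Internet.
#    "to any" is only safe because the LAN block above matched first.
pass  in quick on $vpn_if inet from $vpn_net to any keep state

# What does NOT work: a block rule on the OpenVPN tab with source OPT2 net.
# OPT2 hosts enter the firewall on $opt2_if, never on $vpn_if, so it never matches.
# block in quick on $vpn_if inet from $opt2_net to any    <- dead rule
```

        Two caveats when translating this back to the GUI: the OpenVPN tab is an interface group covering every OpenVPN instance, and group rules are evaluated before rules on an assigned interface's own tab, so a block placed on the group tab cannot be undone by a pass on the assigned tab. And verify with the same test that exposed the gap, a no-ping scan (`nmap -Pn`) from a VPN client against a LAN host; a failed ping only proves ICMP is blocked.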

          Basically I need people who VPN in to be able to access a file share on OPT2 and to surf via full tunneling through OpenVPN. So the VPN is a secure surfing mechanism against local sniffing attacks when traveling, plus access to the file share. I don't know why I am so perplexed by the firewall rules.

            cmb

            Your block rule on OpenVPN will never match anything because OPT2-sourced traffic will never be seen incoming on OpenVPN.
            http://doc.pfsense.org/index.php/Firewall_Rule_Basics

              newbieuser1234
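            A small first-match evaluator with pfSense interface-tab semantics (a rule is checked only on the interface the packet enters, first match wins, no match means drop). It is an added example, not code from the thread or from pfSense. It shows the two points made above: a block rule on the OpenVPN tab whose source is "OPT2 net" never fires because OPT2 traffic never enters on OpenVPN, and a ruleset that blocks ICMP and SMB but passes everything else fails a ping test while still letting a no-ping TCP scan through. The rulesets and subnets are constructed for the example (the original screenshots are not on the page); "OPT2 net" and "OpenVPN net" follow the ".20" and ".21" mentioned in the thread.

```python
"""Added example (not from the thread): pfSense-style first-match rule
evaluation.  Rulesets, interface names and subnets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

NETS = {  # assumed addressing, ".20" and ".21" as mentioned in the thread
    "LAN net": ip_network("192.168.10.0/24"),
    "OPT2 net": ip_network("192.168.20.0/24"),
    "OpenVPN net": ip_network("192.168.21.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str                    # tab the rule lives on = ingress interface
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", "udp" or "icmp"
    src: str                      # "any" or an alias in NETS
    dst: str                      # "any" or an alias in NETS
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet arrives on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_in(alias: str, addr: str) -> bool:
    return alias == "any" or ip_address(addr) in NETS[alias]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and _addr_in(rule.src, pkt.src)
            and _addr_in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; no match on an interface tab means drop."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "block", None


# Constructed ruleset of the kind that produces the poster's symptom:
# ping and SMB to the LAN are blocked, everything else is passed.
LEAKY = [
    Rule("openvpn", "block", "icmp", "OpenVPN net", "LAN net"),
    Rule("openvpn", "block", "tcp", "OpenVPN net", "LAN net", 445),
    Rule("openvpn", "block", "any", "OPT2 net", "LAN net"),   # dead: OPT2 never enters here
    Rule("openvpn", "pass", "any", "any", "any"),
]

# podilarius' suggestion: the only OpenVPN rule passes to OPT2 net.
TIGHT = [
    Rule("openvpn", "pass", "any", "any", "OPT2 net"),
]


def probe(rules: List[Rule]) -> dict:
    """Emulate the thread's tests from a VPN client (192.168.21.6): a ping
    and a no-ping (-Pn) TCP probe against a LAN host, plus the OPT2 share."""
    tests = {
        "ping": Packet("openvpn", "icmp", "192.168.21.6", "192.168.10.10"),
        "scan": Packet("openvpn", "tcp", "192.168.21.6", "192.168.10.10", 3389),
        "share": Packet("openvpn", "tcp", "192.168.21.6", "192.168.20.5", 445),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in tests.items()}


def rule_hits(rules: List[Rule], packets: List[Packet]) -> List[int]:
    """Count matches per rule.  An OPT2-sourced packet enters on opt2, so a
    rule on the openvpn tab with source OPT2 net can never be the match."""
    hits = [0] * len(rules)
    for pkt in packets:
        _, idx = evaluate(rules, pkt)
        if idx is not None:
            hits[idx] += 1
    return hits
```

            `probe(LEAKY)` blocks the ping but passes the TCP probe to the LAN, which is exactly what the no-ping Zenmap scan revealed; `probe(TIGHT)` blocks both and still passes the file share. `rule_hits` shows the third rule of `LEAKY` counting zero for any mix of traffic.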

              Point taken, thanks. My OpenVPN server is routed to my OPT2 interface on .20. I think it's working correctly now. Is it standard procedure to allow all at the bottom and place the outbound blocks at the top? Essentially, are you placing rules most of the time to block outbound, since by default all inbound is already blocked? The .21 is my OpenVPN network. Thanks for the help.

              (attached screenshots of the updated rules: 1.PNG, 2.PNG, 3.PNG, 4.PNG)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.