Block one subnet from accessing another



  • Thank you in advance for any assistance!

    I have my pfsense router on 192.168.1.1

    I have an OpenVPN setup on 192.168.4.xxx (Established and Functional)

    However, I do NOT want the hosts on 192.168.4.xxx to be able to reach ANY hosts on 192.168.1.xxx except for the router to achieve DNS servers and such. (I still want them to have web access.)

    Suggestions? ???



  • Set up 2 rules on, I would guess, LAN that state source 192.168.4.0/24 is blocked to 192.168.1.0/24, and an allow rule above it that allows that subnet to 192.168.1.1 on port 53 of TCP and UDP.



  • [SOLVED]
    @podilarius:

    Set up 2 rules on, I would guess, LAN that state source 192.168.4.0/24 is blocked to 192.168.1.0/24, and an allow rule above it that allows that subnet to 192.168.1.1 on port 53 of TCP and UDP.

    Worked perfectly! Thanks for the help. See attached picture for my final rules.




  • Are you sure? You have 8 rules allowing any traffic before your deny rule.



  • @marcelloc:

    Are you sure? You have 8 rules allowing any traffic before your deny rule.

    Yes, I'm sure. I have another VPN server running on a 192.168.2 subnet linked to the 192.168.1 subnet.
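    The two rule orderings discussed in this thread (podilarius's allow-DNS-above-block layout, and marcelloc's concern that broad allow rules above the block defeat it) can be checked with a small first-match simulator. This is an added illustration, not code from the thread or from pfSense; the rules, hosts and packets are constructed to mirror the thread's addressing (VPN clients on 192.168.4.0/24, LAN on 192.168.1.0/24, router at 192.168.1.1), and the `Rule`, `Packet`, `evaluate` and `verdicts` names are this example's own.

```python
"""Model pfSense-style first-match firewall evaluation for the thread's case.

Constructed example: the rules and packets below are made up to mirror the
thread (VPN clients on 192.168.4.0/24, LAN on 192.168.1.0/24, router at
192.168.1.1). It is not pfSense code and does not read pfSense configs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = ANY               # source network in CIDR form
    dst: str = ANY               # destination network in CIDR form
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None matches every port
    descr: str = ""

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins, as on a pfSense interface tab; a packet that
    matches nothing falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


VPN = "192.168.4.0/24"
LAN = "192.168.1.0/24"
ROUTER = "192.168.1.1/32"

# The ordering podilarius describes: DNS-to-router allows above the LAN block,
# then a general allow so the clients keep web access.
SUGGESTED_RULES = [
    Rule("pass", VPN, ROUTER, "tcp", 53, "DNS to router (TCP)"),
    Rule("pass", VPN, ROUTER, "udp", 53, "DNS to router (UDP)"),
    Rule("block", VPN, LAN, descr="VPN clients may not reach LAN"),
    Rule("pass", VPN, ANY, descr="everything else (Internet access)"),
]

# The ordering marcelloc warns about: a broad allow sitting above the block
# makes the block unreachable for the very traffic it was meant to stop.
MISORDERED_RULES = [
    Rule("pass", VPN, ANY, descr="allow any (placed too high)"),
    Rule("block", VPN, LAN, descr="VPN clients may not reach LAN"),
]


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Run a few representative constructed packets through a rule set."""
    packets = {
        "dns_to_router": Packet("192.168.4.10", "192.168.1.1", "udp", 53),
        "router_webgui": Packet("192.168.4.10", "192.168.1.1", "tcp", 443),
        "lan_host_ssh": Packet("192.168.4.10", "192.168.1.50", "tcp", 22),
        # 203.0.113.10 is a documentation (TEST-NET-3) address standing in
        # for any Internet host.
        "internet_https": Packet("192.168.4.10", "203.0.113.10", "tcp", 443),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, rules in (("suggested", SUGGESTED_RULES),
                         ("misordered", MISORDERED_RULES)):
        print(label)
        for name, verdict in verdicts(rules).items():
            print(f"  {name:16} {verdict}")
```

    With the suggested ordering, DNS to the router passes, the router's web GUI and the LAN host are blocked, and the Internet host passes; with the misordered set, the LAN host passes because the broad allow is matched first and the block below it is never consulted. One practical point for pfSense: rules are evaluated on the interface where traffic enters, so for OpenVPN clients the rule set that matters is the one on the OpenVPN (or the assigned VPN) interface tab, not the LAN tab.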



  • James, I don't understand what the purpose of having a VPN is if you don't want to allow your users access to the internal network?

    Also, the screenshot that you have uploaded clearly suggests you have allowed all traffic. Remember that when you connect OpenVPN it will add a route for the LOCAL Network that you defined on the OpenVPN server and it will only pass traffic for that network through the tunnel. The rest of the traffic still goes through the normal channel.



  • The purpose would be to access certain resources behind the firewall but not all. Like access to a mail server but not a development server. Might be a bad example, but you get the idea. Perhaps a better example would be to allow a consultant access to machine but only the one they need to work on at that time.



  • Thanks Podilarius but the author says:

    However, I do NOT want the hosts on 192.168.4.xxx to be able to reach ANY hosts on 192.168.1.xxx except for the router to achieve DNS servers and such. (I still want them to have web access.)

    So he doesn't want to grant access to a particular machine, but I think he is trying to use the proxy feature, which I don't believe would work like that! But maybe I am wrong.



  • Well, in this case he wants the VPN user to access the DNS server for name resolution to the Internet. The DNS server happens to be the firewall from what I can see.



  • I am extremely sorry for the confusion I have created. Let me explain a bit further:

    I have an OpenVPN for myself ONLY on 192.168.2.xxx forwarded to 192.168.1.xxx. In this way, I can access all the hosts I wish. That is why you see the rules earlier. They are for a different VPN.

    The VPN I asked about for this post is for the 192.168.4.xxx. The users with access to this VPN are close friends who I don't want to have access to the main network. Those clients get forwarded to 192.168.3.xxx (I set it up this way due to the tutorial maker doing it in a similar fashion). HOWEVER, I still needed them to get access to DNS services. I have tested this out in multiple ways, and the clients on the 192.168.4.xxx do not have access to hosts on 192.168.1.xxx. Not even the administrative portal for the router itself.

