Firewall on a VPN



  • Can the firewall block VPN connections?

    Is it a good idea to run DHCP on pfSense? Do I have to set the router as the gateway?

    Does the router have to do DHCP so that the pfSense gets an IP?

    I need the machines of network 2 to authenticate to the AD (Windows 2008) of, say, network 1.

    I have the following network structure.




  • @dgiorgio:

    Can the firewall block VPN connections?

    Yes, firewall rules apply to VPN interfaces just as to any other interface.

    Is it a good idea to run DHCP on pfSense? Do I have to set the router as the gateway?

    It doesn't matter, as long as you have either pfSense as the default gateway or a route to pfSense for the subnet behind the VPN…

    Does the router have to do DHCP so that the pfSense gets an IP?

    Of course you can set a static IP.



  • How do I get "PC 192.168.11.10" to authenticate to "AD server 192.168.1.3"?

    Or:

    How do I get "PC 192.168.1.10" to ping "PC 192.168.11.10"?




  • When you set up the OpenVPN site-to-site link, you enter the local and remote networks. OpenVPN will make the necessary route entries automatically. You must add firewall rules on the OpenVPN interface to actually allow traffic. It is also easy if you make an alias for your various subnets and use the aliases in the firewall rules. Then you can ping.
    A suggestion: you are setting up a reasonable-sized network, and one day someone will also want to VPN in to it from a road-warrior-style client. They will probably come from another home network/cafe etc. that uses 192.168.1.0/24. I suggest that you move your networks away from 192.168.n.n and choose numbers in 10.n.n.0/24. Then you minimise the chance of this problem.

    You will also need to be able to resolve the AD DNS names from the remote site. For example, if your domain is my.corp.com, then in the DNS Forwarder on each pfSense add a domain override telling it that my.corp.com is served by 192.168.1.3.
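The advice in the reply above (routes from the Local/Remote network fields, one firewall rule built on an alias, a domain override for the AD zone, and renumbering away from 192.168.1.0/24) can be checked with a small script. The following Python is an added example, not code from the thread or from pfSense. It uses the two LANs the thread mentions (192.168.1.0/24 with the AD server at 192.168.1.3, and 192.168.11.0/24) and the domain my.corp.com from the post; the tunnel network 10.0.8.0/24, the renumbered 10.1.x.0/24 LANs, the upstream resolver and the road warrior's home network are assumptions. The `route` lines are a simplification of what pfSense writes for a site-to-site tunnel (in SSL/TLS mode the server side also gets an `iroute` in the client-specific override), and the pf rule is shown the way pfSense loads an alias, as a pf table.

```python
"""Added example (not from the thread or pfSense): sanity checks for a
pfSense OpenVPN site-to-site link between two LANs.

Facts from the thread: site 1 LAN 192.168.1.0/24 (AD server 192.168.1.3),
site 2 LAN 192.168.11.0/24, AD domain my.corp.com.
Assumptions: tunnel network 10.0.8.0/24, upstream DNS 9.9.9.9, renumbered
LANs 10.1.1.0/24 and 10.1.11.0/24, road warrior at home on 192.168.1.0/24.
"""
from ipaddress import ip_network
from itertools import combinations

SITE1_LAN = "192.168.1.0/24"    # from the thread, holds the AD server
SITE2_LAN = "192.168.11.0/24"   # from the thread
TUNNEL = "10.0.8.0/24"          # assumed OpenVPN tunnel network
HOME_LAN = "192.168.1.0/24"     # assumed: typical home router default
RENUMBERED = ["10.1.1.0/24", "10.1.11.0/24"]   # assumed replacement LANs
AD_OVERRIDES = {"my.corp.com": "192.168.1.3"}  # domain override from the post
UPSTREAM_DNS = "9.9.9.9"        # assumed upstream forwarder


def _nets(networks):
    return [ip_network(n) for n in networks]


def overlapping(networks):
    """Every pair of networks that overlap. An overlap means the host's
    directly connected route wins over the VPN route, so the remote side is
    unreachable. Returned as strings for easy comparison."""
    return [(str(a), str(b)) for a, b in combinations(_nets(networks), 2)
            if a.overlaps(b)]


def openvpn_routes(local_lans, remote_lans):
    """OpenVPN 'route' directives equivalent to the Local/Remote network
    fields of a pfSense site-to-site tunnel. Returns (lines for this side,
    lines the peer needs to reach our LANs)."""
    def fmt(n):
        return f"route {n.network_address} {n.netmask}"
    return ([fmt(n) for n in _nets(remote_lans)],
            [fmt(n) for n in _nets(local_lans)])


def firewall_rules(alias_name, lans, iface="openvpn"):
    """One pass rule on the OpenVPN interface built from an alias covering all
    site LANs (pfSense loads an alias as a pf table). Returns (table, rule)."""
    table = f"table <{alias_name}> {{ {', '.join(str(n) for n in _nets(lans))} }}"
    rule = f"pass in quick on {iface} inet from <{alias_name}> to <{alias_name}>"
    return table, rule


def resolver_for(name, overrides, upstream):
    """Mimic the DNS Forwarder 'domain override': the longest matching domain
    suffix decides which server answers; anything else goes upstream."""
    best = None
    for domain, server in overrides.items():
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, server)
    return best[1] if best else upstream


def roadwarrior_unreachable(home_lan, site_lans):
    """Site subnets a remote client cannot reach because they collide with
    the LAN it is sitting on."""
    home = ip_network(home_lan)
    return [str(n) for n in _nets(site_lans) if n.overlaps(home)]


if __name__ == "__main__":
    print("overlaps between sites:", overlapping([SITE1_LAN, SITE2_LAN, TUNNEL]))
    here, there = openvpn_routes([SITE1_LAN], [SITE2_LAN])
    print("site 1 config:", *here, sep="\n  ")
    print("site 2 config:", *there, sep="\n  ")
    print(*firewall_rules("Site_LANs", [SITE1_LAN, SITE2_LAN]), sep="\n")
    print("dc1.my.corp.com ->", resolver_for("dc1.my.corp.com", AD_OVERRIDES, UPSTREAM_DNS))
    print("road warrior cannot reach:", roadwarrior_unreachable(HOME_LAN, [SITE1_LAN, SITE2_LAN]))
    print("after renumbering:", roadwarrior_unreachable(HOME_LAN, RENUMBERED))
```

Running it shows the two site LANs and the tunnel do not collide with each other, but a client dialling in from a home network on 192.168.1.0/24 loses the whole of site 1, AD server included, because its own LAN route shadows the VPN route; once the sites live in 10.1.x.0/24 the list of unreachable subnets is empty.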



  • Updated diagram.

    Do I have to put two DNS servers in the router, or just one?

    Do I have to install No-IP on the AD?

    Do I have to do DHCP on pfSense or on the router?




    Do I have to put two DNS servers in the router, or just one?

    The domain override is needed in the remote pfSense. Put it in the local pfSense also, so that devices that are not in the AD domain can resolve the AD domain names if they need to.

    Do I have to install No-IP on the AD?

    First, what is the "router" between pfSense and the two modems at each site, and why is it needed?
    Normally with two WANs you have three NICs on the pfSense: two WAN connections and one LAN. Then you can do failover and put the Dynamic DNS No-IP details into pfSense, so it will keep the public IP addresses up to date.

