Netgate Discussion Forum

    Need some guidance on IPsec firewall rules

    saxmad

      Hi,

      After several days of trial and error, I have now got an IPsec tunnel up, connecting to a Cisco firewall at a supplier.  There are some issues if the Cisco end brings up the tunnel, but if I initiate the link, it seems rock solid.

      My query is on the adding of the necessary firewall rules to lock down the traffic allowed onto my network from the VPN tunnel.

      Currently, I have a couple of rules on my WAN interface that let through UDP/500 and UDP/4500 packets so that the remote end can initiate the link if necessary.

      Proto     Source  Port  Destination  Port                Gateway  Queue  Description
      IPv4 UDP  *       *     WAN address  4500 (IPsec NAT-T)  *        none   IPsec VPN
      IPv4 UDP  *       *     WAN address  500 (ISAKMP)        *        none   IPsec VPN

      I also have a completely open rule on the IPsec tab to allow all traffic over the IPsec link.

      Proto   Source  Port  Destination  Port  Gateway  Queue  Description
      IPv4 *  *       *     *            *     *        none   Supplier IPsec vpn

      What I would really like to do is lock down the traffic that can get onto my local network from the supplier network over the IPsec link.  I can't work out whether the rule should go on the LAN tab (I think this is favourite based on my readings of previous posts), or on the WAN tab, or whether I should amend the rule on the IPsec tab to be more closely controlled.

      My network: 192.168.111.0/24
      Supplier network: 172.16.5.0/24

      I only want the supplier network to be able to talk with a single host on my local network, 192.168.111.4.

      I'm thinking I need something like the following rule, but I don't know exactly where to put it, assuming it is correct in what I am trying to achieve.

      (Rule is set up as BLOCK)
      Action  Proto   Source         Port  Destination      Port  Gateway  Queue  Description
      BLOCK   IPv4 *  172.16.5.0/24  *     ! 192.168.111.4  *     *        none   Only allow remote network to access single local host

      I read this rule as follows:

      Block any packet from the supplier network (by definition over the IPsec VPN) that isn't destined for the desired single host on my network.

      Is this rule correct?

      Which firewall rules tab should I put it on?  LAN?  WAN?  IPsec?

      Thanks.


        jason0

        Hello,

        The first thing to remember is that the firewall is a default "block all", therefore you only need to allow access from their hosts to your one.

        (Rule is set up as BLOCK)
        Action  Proto   Source         Port  Destination      Port  Gateway  Queue  Description
        BLOCK   IPv4 *  172.16.5.0/24  *     ! 192.168.111.4  *     *        none   Only allow remote network to access single local host
        …
        Block any packet from the supplier network (by definition over the IPsec VPN) that isn't destined for the desired single host on my network

        Second is to remember that rules apply on INBOUND connections, thus you want a rule like this on your IPsec interface.

        Thus, the pseudo-code would read:

        "allow all traffic from 172.16.5.0/24 to 192.168.111.4"

        –jason

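To show why the single allow rule is the tighter choice, here is an added Python model of pfSense's first-match evaluation on the IPsec tab with the implicit default block; it is not code from the thread or from pfSense, and the sample packets are constructed. It compares the poster's "block everything except the one host, then allow all" ordering against jason0's single allow rule.

```python
"""First-match evaluation of the two candidate IPsec-tab rulesets from this thread."""
from ipaddress import ip_address, ip_network

# A rule as it appears on the pfSense IPsec tab: (action, source, destination).
# A destination starting with "!" means "not this address", as in the poster's block rule.
# "*" matches anything. pfSense evaluates rules top to bottom, first match wins,
# and anything that matches no rule falls through to the implicit default block.
def _matches(spec, addr):
    if spec == "*":
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("! "), strict=False)  # a bare host becomes a /32
    hit = ip_address(addr) in net
    return not hit if negate else hit

def evaluate(rules, src, dst):
    """Return 'pass' or 'block' for a packet arriving inbound on the interface."""
    for action, rule_src, rule_dst in rules:
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return action
    return "block"  # implicit default deny

# Ruleset A: the poster's idea, a block rule placed above the existing allow-all.
POSTER_RULES = [
    ("block", "172.16.5.0/24", "! 192.168.111.4"),
    ("pass", "*", "*"),
]

# Ruleset B: jason0's suggestion, a single allow that relies on default deny.
REPLY_RULES = [
    ("pass", "172.16.5.0/24", "192.168.111.4"),
]

# Constructed sample packets (source, destination) as seen on the IPsec interface.
PACKETS = [
    ("172.16.5.10", "192.168.111.4"),   # supplier host to the permitted server
    ("172.16.5.10", "192.168.111.20"),  # supplier host to some other LAN host
    ("10.9.9.9", "192.168.111.20"),     # unexpected source arriving inside the tunnel
]

def compare(packets=PACKETS):
    """Map each packet to (verdict under ruleset A, verdict under ruleset B)."""
    return {p: (evaluate(POSTER_RULES, *p), evaluate(REPLY_RULES, *p)) for p in packets}

if __name__ == "__main__":
    for (src, dst), (a, b) in compare().items():
        print(f"{src:>14} -> {dst:<16} poster: {a:5}  reply: {b}")
```

The third packet is the one to watch: the block-then-allow-all ordering only constrains traffic whose source is the supplier subnet, so anything else that shows up inside the tunnel still hits the allow-all rule, whereas the single allow rule drops it.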