Difference between Interface subnet and 192.168.2.0/24
-
It's not the adding of physical interfaces that confuses me.
The thing that confuses me is that I've always been able to firewall my pfSense road warriors just fine from the OpenVPN firewall tab without the addition of an interface for their subnet.
So, what I'm wondering is was that interface necessary at all?
You have to assign an interface if you want to filter pfSense-as-client and pfSense-as-server VPN traffic separately. And for NATting too. Search the forum for instructions on how to set pfSense as an OpenVPN client to a VPN provider :)
-
If you run pfSense as server and pfSense as client you don't necessarily need to assign the interfaces.
The OpenVPN tab is basically a predefined interface group containing all OpenVPN interfaces even if they are not assigned.
With a few OpenVPN instances the ruleset becomes one big mess pretty fast. Good luck debugging.
Assigning the OpenVPN interface simply allows you to separate the rules logically for different virtual interfaces. If you want to do NAT magic (outbound NAT) or run certain services on a VPN interface (igmp proxy) you need to assign them.
Otherwise you don't have the option in the various places to select the interface in the dropdown.
-
Yeah - I have probably just never had a use scenario that required me to create an interface separately from the OpenVPN default interface.
-
Moreover, when you assign interfaces to a single ovpn tun, you have to disable all the rules in the OpenVPN firewall tab. The docs explain that, even if you set the rules for the assigned ovpn interfaces, the rules in the OpenVPN tab STILL APPLY.
So, when you create a roadwarrior setup, the auto rule creation sets a rule to allow all in. This is totally unacceptable if you have, like my setup, an OpenVPN = WAN (Internet).
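
The interaction described in the last post, as an added example that is not part of the thread or of pfSense itself: a small model of rule evaluation that flags rules on an assigned interface which can never fire because an OpenVPN-tab rule already matches the same traffic. It assumes OpenVPN-tab (group) rules are evaluated before the assigned interface's rules and that the first match wins; the interface name `VPN_WAN`, the addresses and the ruleset are constructed.

```python
import ipaddress
from dataclasses import dataclass

GROUP_TAB = "OpenVPN"  # the tab that covers every OpenVPN instance


@dataclass(frozen=True)
class Rule:
    tab: str     # GROUP_TAB or the name of an assigned interface
    action: str  # "pass" or "block"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other):
        # True when every packet that matches `other` also matches this rule.
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


def ordered(rules, iface):
    # Assumed order: group-tab rules first, then the assigned interface's rules.
    return ([r for r in rules if r.tab == GROUP_TAB]
            + [r for r in rules if r.tab == iface])


def evaluate(rules, iface, src_ip, dst_ip):
    for rule in ordered(rules, iface):
        if rule.matches(src_ip, dst_ip):
            return rule.action, rule.tab  # first match wins
    return "block", "default deny"


def shadowed(rules, iface):
    # Interface rules that never fire because a group-tab rule with a
    # different action already matches all of their traffic.
    group = [r for r in rules if r.tab == GROUP_TAB]
    return [r for r in rules if r.tab == iface
            and any(g.covers(r) and g.action != r.action for g in group)]


# Constructed sample ruleset: the wizard's allow-all plus a block on the assigned interface.
WIZARD_ALLOW_ALL = Rule(GROUP_TAB, "pass", "0.0.0.0/0", "0.0.0.0/0")
BLOCK_TO_LAN = Rule("VPN_WAN", "block", "0.0.0.0/0", "192.168.2.0/24")
RULES = [WIZARD_ALLOW_ALL, BLOCK_TO_LAN]
```

With both rules active the block on `VPN_WAN` is reported as shadowed; evaluating the same packet against `[BLOCK_TO_LAN]` alone shows the effect of disabling the OpenVPN-tab rule.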