OpenVpn auto-rules not wanted



  • Just set up an OpenVpn server on v2.1RC2.  "pfctl -s nat" reveals that the OpenVpn server creates an automatic rule from any to the Wan IP for every port in my WAN rules?  Why is this necessary?  Does it think I created a tunnel for every user on the network, even via every gateway?

    All I need is access through the Wan to the Lan subnet.  I don't need it to provide access to every service running on the Lan subnet.  Not that it should matter, but Outbound Nat is set to manual rules.

    How do I prevent OpenVpn from creating all these unnecessary rules?



  • System: Advanced: Firewall and NAT

    Disable all Auto-added VPN rules.

    {Profit}



  • Disabled all auto-added vpn rules but rules are still present.  Reboot?  Manual removal of auto-created rules necessary?


  • Which rule are you talking about?! This?

    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN [name] wizard"

    Interfaces - Rules - OpenVPN. If you do not want it, then disable/delete the rule.



  • All the OpenVpn rules…

    [2.1-RC2][admin@pfsense.router]/root(1): pfctl -s nat
    no nat proto carp all
    nat-anchor "natearly/" all
    nat-anchor "natrules/
    " all
    nat on igb0 inet all -> 71.93.28.166 port 1024:65535
    no nat on igb1 inet proto tcp from (igb1) to 192.168.2.0/24
    nat on igb1 inet proto tcp from 192.168.2.0/24 to <pfsense>port = ntp -> (igb1) round-robin
    no nat on igb1 inet proto tcp from (igb1) to 192.168.2.0/24
    no rdr proto carp all
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/
    " all
    rdr on openvpn inet proto tcp from any to 192.168.2.0/24 port = ntp -> <pfsense>round-robin
    rdr on openvpn inet proto udp from any to 192.168.2.0/24 port = ntp -> <pfsense>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = https -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = mdbs_daemon -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = blackjack -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 2121 -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 6100 -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 8080 -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 9000 -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = https -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = mdbs_daemon -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = blackjack -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 2121 -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 6100 -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 8080 -> <company1>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 9000 -> <company1>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 6036 -> <company2>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 8045 -> <company2>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 6036 -> <company2>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port = 8045 -> <company2>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = ftp -> <company3>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port = 4000 -> <company4>round-robin
    rdr on openvpn inet proto tcp from any to 71.93.28.166 port 5631:5634 -> <company5>round-robin
    rdr on openvpn inet proto udp from any to 71.93.28.166 port 5631:5634 -> <company5>round-robin
    rdr-anchor "miniupnpd" all
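An added audit helper (not from the thread or from pfSense itself) for exactly the situation in the pfctl output above: it parses `rdr` lines from `pfctl -s nat` and lists, per non-WAN interface, every port forward whose destination is the WAN address. That pattern (a WAN port forward mirrored as an `rdr` on an internal or VPN interface) is what one would want to review before deciding which forwards really need to be reachable from VPN clients. The sample below is a constructed subset of the output quoted above; the WAN interface being `igb0` and the WAN address being `71.93.28.166` are assumptions taken from that output, not stated by the poster.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the pfctl -s nat output quoted in the thread.
# Assumption: igb0 is the WAN interface and 71.93.28.166 is the WAN address.
SAMPLE = """\
nat on igb0 inet all -> 71.93.28.166 port 1024:65535
rdr on openvpn inet proto tcp from any to 192.168.2.0/24 port = ntp -> <pfsense>round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port = https -> <company1>round-robin
rdr on openvpn inet proto udp from any to 71.93.28.166 port = https -> <company1>round-robin
rdr on openvpn inet proto tcp from any to 71.93.28.166 port 5631:5634 -> <company5>round-robin
rdr-anchor "miniupnpd" all
"""

# Matches pf rdr rules of the shape seen in the thread; "port = X" and
# "port A:B" are both accepted. Anchors, nat and no-rdr lines do not match.
RDR_RE = re.compile(
    r'^rdr on (?P<iface>\S+) inet proto (?P<proto>tcp|udp) '
    r'from (?P<src>\S+) to (?P<dst>\S+) '
    r'port (?:= )?(?P<port>\S+) -> (?P<target>\S+)$'
)


def parse_rdr(text):
    """Return a list of dicts, one per rdr rule found in pfctl -s nat output."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        # pfctl prints the redirect target as "<table>round-robin"; keep the table name only.
        rule['target'] = rule['target'].replace('round-robin', '')
        rules.append(rule)
    return rules


def reflected_forwards(rules, wan_iface, wan_addr):
    """rdr rules that live on a non-WAN interface but redirect traffic sent to the WAN address."""
    return [r for r in rules if r['iface'] != wan_iface and r['dst'] == wan_addr]


def summarize(rules, wan_iface, wan_addr):
    """Group reflected forwards by interface as 'proto/port -> target' strings."""
    by_iface = defaultdict(list)
    for r in reflected_forwards(rules, wan_iface, wan_addr):
        by_iface[r['iface']].append(f"{r['proto']}/{r['port']} -> {r['target']}")
    return dict(by_iface)


if __name__ == '__main__':
    # Usage: python audit_rdr.py [file]   (defaults to the constructed sample;
    # pass the saved output of "pfctl -s nat" to audit a live box)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for iface, entries in summarize(parse_rdr(text), 'igb0', '71.93.28.166').items():
        print(f"{iface}: {len(entries)} forward(s) to the WAN address")
        for e in entries:
            print(f"  {e}")
```

Rules whose destination is an internal subnet (the ntp redirect to 192.168.2.0/24 above) are deliberately left out of the summary, since those are not WAN forwards being mirrored onto the VPN interface.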


  • I cannot see any such rules here… Obviously not enough information provided. Sounds like NAT rules with source = any, absolutely nothing wrong with that.



  • Dok, I'm talking about the rules listed in my earlier post with company1, 2, etc.  All those company rules are Wan forward rules, yes with source any, generated by NAT.  My OpenVpn rule has been "IPv4 * * * * * none".  Tried "IPv4 * * Lan subnet * * none" but then I don't get out the WAN.  Tried "IPv4 * * * * WANGW none" but it doesn't eliminate OpenVpn duplicating all the Wan forward rules.

    What add'l info is needed?



  • I'm beginning to think the OpenVpn rules are auto-created as a "catch all" approach and are not user configurable, at least not through the WebConfigurator.

