Netgate Discussion Forum
    Block Traffic from entering tunnel?

    3 Posts 2 Posters 894 Views
      rbflurry

      I might be missing a key bit of information or documentation but I am unable to block traffic from going down a tunnel.

      I have a site to site tunnel from a remote site to main office and would like to prevent traffic from the wifi network 10.0.0.1/24 from using the tunnel.

I have tried applying a rule at the remote office on the OpenVPN firewall tab saying deny source 10.0.0.1/24 destination any. But this rule has no effect.

      I can however add this rule on the openvpn tab at the home office. Problem is that at this point the traffic is already using bandwidth.

      Is my only option to add these rules to the wifi interface tab?

      Thanks

        phil.davis

        Is my only option to add these rules to the wifi interface tab?

        Yes, pfSense rules are evaluated on the interface where they enter. WiFi interface is the correct place to put the rule - block source 10.0.0.0/24 destination "main office subnet", and to be more complete, also a rule blocking to "OpenVPN tunnel subnet" - then they can't even ping the tunnel endpoints.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          rbflurry

          This is what I get for not reading.

          https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

          Interface Selection
          Be sure that your rules are on the proper interface. Imagine yourself sitting inside of your pfSense box. Sure, it's a little crowded in there, but this might help. Imagine packets flying at you from the different networks that your pfSense box ties together. You will place the rules on the interface they hit you from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still go on the LAN. If a packet is coming from the Internet, to the pfSense box, the rule goes on the WAN interface.

          thanks for your help

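A worked model of the interface-selection rule that phil.davis's answer and the quoted troubleshooting page both describe: rules are evaluated on the interface where the packet enters pfSense, so a block on the remote site's OpenVPN tab never sees a packet arriving from WiFi. This is an added example, not code from the thread or from pfSense. It parses two constructed pf.conf-style rule sets (roughly the shape pfSense writes to /tmp/rules.debug; the real file uses NIC names and macros) and evaluates the same WiFi client packet against each. The interface names "wifi" and "openvpn", the main-office subnet 192.168.1.0/24, the tunnel subnet 10.8.0.0/24 and the client address 10.0.0.50 are all assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule sets for the REMOTE site. Subnets and interface names are
# assumptions for this example, not values taken from the thread.
RULES_ON_OPENVPN_TAB = """
pass in quick on wifi from 10.0.0.0/24 to any
block in quick on openvpn from 10.0.0.0/24 to any
"""

RULES_ON_WIFI_TAB = """
block in quick on wifi from 10.0.0.0/24 to 10.8.0.0/24
block in quick on wifi from 10.0.0.0/24 to 192.168.1.0/24
pass in quick on wifi from 10.0.0.0/24 to any
"""

RULE_RE = re.compile(
    r"^(pass|block)\s+in\s+quick\s+on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)$"
)


@dataclass
class Rule:
    action: str
    iface: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def _parse_net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Parse the small 'ACTION in quick on IFACE from SRC to DST' subset used above."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(Rule(m.group(1), m.group(2),
                          _parse_net(m.group(3)), _parse_net(m.group(4))))
    return rules


def evaluate(rules: List[Rule], ingress_iface: str, src_ip: str, dst_ip: str) -> str:
    """Return 'pass' or 'block' for a packet ENTERING pfSense on ingress_iface.

    Only rules bound to the interface the packet arrives on are consulted,
    the first match wins (pfSense interface rules are 'quick'), and a packet
    that matches nothing falls through to the default deny.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.iface != ingress_iface:
            continue  # rule lives on another tab: this packet never sees it
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        return rule.action
    return "block"  # pfSense default deny


def demo() -> dict:
    """Same WiFi client packet (10.0.0.50, constructed) against both placements."""
    wrong = parse_rules(RULES_ON_OPENVPN_TAB)
    right = parse_rules(RULES_ON_WIFI_TAB)
    return {
        # Block on the OpenVPN tab: the WiFi packet is passed by the WiFi allow
        # rule and goes down the tunnel anyway.
        "openvpn_tab_to_office": evaluate(wrong, "wifi", "10.0.0.50", "192.168.1.10"),
        # Same block on the WiFi tab: dropped before it uses tunnel bandwidth.
        "wifi_tab_to_office": evaluate(right, "wifi", "10.0.0.50", "192.168.1.10"),
        # The extra rule also stops pings to the tunnel endpoint itself.
        "wifi_tab_to_tunnel_endpoint": evaluate(right, "wifi", "10.0.0.50", "10.8.0.1"),
        # Ordinary Internet traffic from WiFi is still allowed.
        "wifi_tab_to_internet": evaluate(right, "wifi", "10.0.0.50", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30s} {verdict}")
```

On a real pfSense box the equivalent check is `pfctl -vsr` on the remote site, which lists the loaded rules with their evaluation and packet counters: a block rule whose counters never move while WiFi traffic is flowing is on the wrong interface. Floating rules can additionally match direction "out" on an interface, but the model above covers only the per-interface (ingress) rules the thread is about.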
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.