Block Traffic from entering tunnel?



  • I might be missing a key bit of information or documentation but I am unable to block traffic from going down a tunnel.

    I have a site to site tunnel from a remote site to main office and would like to prevent traffic from the wifi network 10.0.0.1/24 from using the tunnel.

    I have tried applying a rule at the remote office to the openvpn firewall tab saying deny source 10.0.0.1/24 destination any. But this rule has no effect.

    I can however add this rule on the openvpn tab at the home office. Problem is that at this point the traffic is already using bandwidth.

    Is my only option to add these rules to the wifi interface tab?

    Thanks



  • Is my only option to add these rules to the wifi interface tab?

    Yes, pfSense rules are evaluated on the interface where they enter. WiFi interface is the correct place to put the rule - block source 10.0.0.0/24 destination "main office subnet", and to be more complete, also a rule blocking to "OpenVPN tunnel subnet" - then they can't even ping the tunnel endpoints.
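    To make the "rules live on the ingress interface" point concrete, here is a small model of pfSense's first-match rule evaluation (an added example, not pfSense code or anything from this thread). It assumes a WiFi network of 10.0.0.0/24 as in the thread; the main-office LAN (192.168.1.0/24), the OpenVPN tunnel subnet (10.8.0.0/24) and the packet addresses are constructed placeholders. It shows why the deny rule on the remote site's OpenVPN tab never matches (the laptop's packet enters on the WiFi interface, so only the WiFi rule list is consulted) and why the same deny on the WiFi tab, placed above the allow-any rule, does.

```python
"""Model of pfSense ingress-interface, first-match ("quick") rule evaluation.
Constructed example for illustration only; not pfSense's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List

WIFI_NET = ip_network("10.0.0.0/24")            # from the thread (written 10.0.0.1/24 there)
MAIN_OFFICE_NET = ip_network("192.168.1.0/24")  # assumption: main-office LAN
TUNNEL_NET = ip_network("10.8.0.0/24")          # assumption: OpenVPN tunnel subnet
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "block" or "pass"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Packet:
    ingress: str         # interface the packet arrived on (the "tab" pfSense consults)
    src: str
    dst: str


def evaluate(rules: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Walk only the ingress interface's rules, top to bottom; first match wins.
    No match falls through to pfSense's implicit default deny."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules.get(pkt.ingress, []):
        if s in rule.src and d in rule.dst:
            return rule.action
    return "block"


def remote_site_wrong() -> Dict[str, List[Rule]]:
    """The poster's first attempt: deny on the OpenVPN tab at the remote site."""
    return {
        "wifi": [Rule("pass", WIFI_NET, ANY)],                        # usual allow-any
        "openvpn": [Rule("block", WIFI_NET, ANY), Rule("pass", ANY, ANY)],
    }


def remote_site_fixed() -> Dict[str, List[Rule]]:
    """The answer's fix: block rules on the WiFi tab, ordered above allow-any."""
    return {
        "wifi": [
            Rule("block", WIFI_NET, MAIN_OFFICE_NET),   # no reach into the main office
            Rule("block", WIFI_NET, TUNNEL_NET),        # not even ping to tunnel endpoints
            Rule("pass", WIFI_NET, ANY),                # everything else still allowed
        ],
        "openvpn": [Rule("pass", ANY, ANY)],
    }


# Constructed packets; all three enter on the WiFi interface at the remote site.
PKT_TO_MAIN = Packet("wifi", "10.0.0.42", "192.168.1.10")
PKT_TO_TUNNEL_END = Packet("wifi", "10.0.0.42", "10.8.0.1")
PKT_TO_INTERNET = Packet("wifi", "10.0.0.42", "203.0.113.5")

if __name__ == "__main__":
    for label, rules in (("openvpn-tab deny", remote_site_wrong()),
                         ("wifi-tab denies", remote_site_fixed())):
        for pkt in (PKT_TO_MAIN, PKT_TO_TUNNEL_END, PKT_TO_INTERNET):
            print(f"{label:17} {pkt.src} -> {pkt.dst}: {evaluate(rules, pkt)}")
```

    Running it prints "pass" for all three packets under the OpenVPN-tab ruleset and "block", "block", "pass" under the WiFi-tab ruleset. The order of the WiFi rules matters: pfSense stops at the first match, so the two block rules must sit above the allow-any rule or they are never reached.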



  • This is what I get for not reading.

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Interface Selection
    Be sure that your rules are on the proper interface. Imagine yourself sitting inside of your pfSense box. Sure, it's a little crowded in there, but this might help. Imagine packets flying at you from the different networks that your pfSense box ties together. You will place the rules on the interface they hit you from. If a packet is going from the LAN to the pfSense box, then out to the Internet, the rules still go on the LAN. If a packet is coming from the Internet, to the pfSense box, the rule goes on the WAN interface.

    thanks for your help

