Setup FW rules for multiple OpenVPN interfaces



  • Hi all,

    I'm setting up a pair of pfSense firewalls for a client of mine.  They want a restricted site-to-site (some hosts on site B should be off limits to site A, but even with that restriction this VPN would carry > 95% of the company's traffic), and they also want "road warrior" style VPN access unrestricted to site B.

    For this I figured I'll set up one OpenVPN server as a peer-to-peer listener, and assign it to OPT1.  For the road warrior side I set up "Remote Access (SSL/TLS + User Auth)", and assigned it to OPT2. Both are OpenVPN servers on site B.  Assigning them to OPT1/2 is what allows me to set up individual FW rules for each VPN server instance (right?).

    I've been testing both VPNs, and they work with one serious issue left to figure out.  When I configure rules for OPT1 and OPT2 they don't always work as they should AFAIK.  Here's the best example of what I saw wrong (because it doesn't involve site A other than it being connected to B via the site-site):

    OPT1 Rules:
    N/A for this example, I think

    OPT2 Rules:

    • Block Bogon networks

    • Allow all IPv4 (all proto, all IP/ports of src & dst)

    OpenVPN:

    • Block Bogon networks

    Under this configuration I establish a VPN (OPT2), and I can't ping anything on the other side.  I look at the FW logs and it says it's dropping those ICMP packets on OPT2.  So naturally I suspect I fat-fingered something in the OPT2 allow-all rule, but I didn't.  Even if I do the easyrule thing it still doesn't pass.

    It then gets really interesting when I add an allow all rule under the "OpenVPN" tab, because then it starts passing the traffic.  I'm confused, but I don't think that should be the case.

    Can someone explain what might be wrong with this?  How does the whole OPT1/OPT2 thing work with the OpenVPN stuff?  The logs know the packet was for OPT2, but the rules sometimes do, sometimes don't.  If I created two servers, and each one is assigned to an OPTx interface, then why do I still have an "OpenVPN" tab in the rules area?  I would think no packets could possibly be for it.

    I've tried restarting both sides.  I've tried reconfiguring from defaults.

    Any help would be greatly appreciated.
    -Miki
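The question of how the OPT1/OPT2 tabs interact with the "OpenVPN" tab comes down to rule ordering. The model below is an added example, not code from the thread or from pfSense: it replays the poster's three rule sets through pfSense's documented first-match order (floating rules, then interface-group rules such as the OpenVPN tab, then the assigned interface's own tab, with default deny when nothing matches). The bogon table, the tunnel address 10.0.8.2 and the rule labels are constructed for the example. Note that the model says the rule set as posted should pass a ping from a tunnel client, so the observed drop has to come from something outside these three tabs (the poster later suspects outbound NAT); what the model does show is that any rule placed on the OpenVPN tab is matched before the OPT2 tab is ever consulted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the bogon table (unallocated/reserved space).
# The real pfSense table is a downloaded feed; RFC1918 space is NOT in it,
# since pfSense blocks private networks with a separate interface option.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "240.0.0.0/4")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    label: str
    src: Optional[str] = None    # CIDR, the token "bogons", or None for any source
    proto: Optional[str] = None  # "icmp", "tcp", ... or None for any protocol

    def matches(self, src_ip: str, proto: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if self.src == "bogons":
            if not any(ip in net for net in BOGONS):
                return False
        elif self.src is not None and ip not in ipaddress.ip_network(self.src):
            return False
        return self.proto is None or self.proto == proto


def evaluate(src_ip: str, proto: str, floating: List[Rule],
             group: List[Rule], iface: List[Rule]) -> Tuple[str, str, str]:
    """First match wins. Order assumed from the pfSense docs: floating rules,
    then interface-group tab rules (the OpenVPN tab applies to every OpenVPN
    instance), then the tab of the interface the instance is assigned to.
    Returns (action, tab that decided, rule label); no match is default deny."""
    for tab, rules in (("Floating", floating), ("OpenVPN", group), ("OPT2", iface)):
        for rule in rules:
            if rule.matches(src_ip, proto):
                return rule.action, tab, rule.label
    return "block", "default", "default deny"


# The rule sets as described in the post (labels constructed).
OPT2_TAB = [Rule("block", "Block bogon networks", src="bogons"),
            Rule("pass", "Allow all IPv4")]
OPENVPN_TAB = [Rule("block", "Block bogon networks", src="bogons")]


def scenario_as_posted() -> Tuple[str, str, str]:
    """ICMP from a constructed road-warrior tunnel address, OPT2 allow-all only."""
    return evaluate("10.0.8.2", "icmp", [], OPENVPN_TAB, OPT2_TAB)


def scenario_bogon_source() -> Tuple[str, str, str]:
    """A bogon source is stopped on the OpenVPN tab; the OPT2 tab is never reached."""
    return evaluate("240.0.0.1", "icmp", [], OPENVPN_TAB, OPT2_TAB)


def scenario_allow_on_openvpn_tab() -> Tuple[str, str, str]:
    """The poster's workaround: an allow-all on the OpenVPN tab decides first,
    so the OPT2 tab (and, equally, the OPT1 tab) is never consulted."""
    group = OPENVPN_TAB + [Rule("pass", "Allow all IPv4 (added on OpenVPN tab)")]
    return evaluate("10.0.8.2", "icmp", [], group, OPT2_TAB)


if __name__ == "__main__":
    for fn in (scenario_as_posted, scenario_bogon_source, scenario_allow_on_openvpn_tab):
        action, tab, label = fn()
        print(f"{fn.__name__:32s} -> {action:5s} by '{label}' on tab {tab}")
```

The third scenario is the one to watch from a least-privilege standpoint: the OpenVPN tab is an interface group covering both servers, so an allow-all placed there to "fix" the road-warrior tunnel also passes everything arriving on the OPT1 site-to-site, which defeats the per-host restriction the client asked for. Per-instance restrictions belong on the OPT1/OPT2 tabs, with the OpenVPN tab kept to rules meant for every tunnel.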



  • I noticed one thing that I'm not sure is correct or not.  I'm using topology subnet for the OPT2 OpenVPN server.  And the interface status looks like this (see attached image):

    I don't see why the gateway is 255.255.255.0




  • Your MAC address is all zeros too.



  • Thanks for your reply.  I decided to abandon this configuration and instead not use OPTx interfaces for the OpenVPN tunnel interfaces.  Also I realized I don't need NAT between my internal VPNs and LANs.  So even that is simpler the new way.

    I do think that I misconfigured the outbound NATs and somehow that affected the original issue, but I can't say for sure.

    Thanks,
    Miki