Netgate Discussion Forum

    Setup FW rules for multiple OpenVPN interfaces

    OpenVPN
    4 Posts 2 Posters 1.5k Views
    mtisza

      Hi all,

      I'm setting up a pair of pfSense firewalls for a client of mine.  They want a restricted site-to-site (some hosts on site B should be off limits to site A, but even with that restriction this VPN would carry > 95% of the company's traffic), and they also want "road warrior" style VPN access unrestricted to site B.

      For this I figured I'll set up one OpenVPN server as a peer-to-peer listener, and assign it to OPT1.  For the road warrior side I set up "Remote Access (SSL/TLS + User Auth)", and assigned it to OPT2.  Both are OpenVPN servers on site B.  Assigning them to OPT1/2 is what allows me to set up individual FW rules for each VPN server instance (right?).

      I've been testing both VPNs, and they work, with one serious issue left to figure out.  When I configure rules for OPT1 and OPT2 they don't always work as they should, AFAIK.  Here's the best example of what I saw wrong (because it doesn't involve site A other than it being connected to B via the site-to-site):

      OPT1 Rules:
      n/a for this example, I think

      OPT2 Rules:

      • Block Bogon networks

      • Allow all IPv4 (all proto, all IP/ports of src & dst)

      OpenVPN:

      • Block Bogon networks

      Under this configuration I establish a VPN (OPT2), and I can't ping anything on the other side.  I look at the FW logs and it says it's dropping those ICMP packets on OPT2.  So naturally I suspect I fat-fingered something in the OPT2 allow-all rule, but I didn't.  Even if I do the easyrule thing it still doesn't pass.

      It then gets really interesting when I add an allow all rule under the "OpenVPN" tab, because then it starts passing the traffic.  I'm confused, but I don't think that should be the case.

      Can someone explain what might be wrong with this?  How does the whole OPT1/OPT2 thing work with the OpenVPN stuff?  The logs know the packet was for OPT2, but the rules sometimes work and sometimes don't.  If I created two servers, and each one is assigned to an OPTx interface, then why do I still have an "OpenVPN" tab in the rules area?  I would think no packets could possibly be for it.

      I've tried restarting both sides.  I've tried reconfiguring from defaults.

      Any help would be greatly appreciated.
      -Miki

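The poster's first step was reading the firewall log to see which interface dropped the ICMP. The following is an added example, not code from the original thread or from pfSense itself, showing how to parse pfSense filterlog lines offline and count block events per real interface and rule tracker ID, so the rule that actually matched can be identified rather than guessed from the GUI tabs. It goes slightly beyond the post by handling both IPv4 and IPv6 records. The sample log lines are constructed for this illustration; the interface names (ovpns1/ovpns2 for the OPT1- and OPT2-assigned servers) and tracker IDs are assumptions, and the CSV field layout follows the pfSense filterlog format (rule number, sub-rule, anchor, tracker, real interface, reason, action, direction, IP version, then per-version header fields, then protocol-specific fields).

```python
"""Summarise pfSense filterlog records: which interface and rule blocked what."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, NOT the original poster's logs. Interface names and
# tracker IDs are assumptions made for this example.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw filterlog: 4,,,1000000103,ovpns2,match,block,in,4,0x0,,64,3141,0,none,1,icmp,84,10.8.0.2,192.168.2.10,request,4321,1
Jan 10 12:00:02 fw filterlog: 4,,,1000000103,ovpns2,match,block,in,4,0x0,,64,3142,0,none,1,icmp,84,10.8.0.2,192.168.2.11,request,4321,2
Jan 10 12:00:03 fw filterlog: 9,,,1000000105,ovpns2,match,pass,in,4,0x0,,64,3143,0,DF,6,tcp,60,10.8.0.2,192.168.2.10,51234,22,0,S,1111111,,65535,,mss
Jan 10 12:00:04 fw filterlog: 7,,,1000000201,ovpns1,match,block,in,4,0x0,,63,3144,0,DF,17,udp,78,10.9.0.2,192.168.2.50,50000,161,58
Jan 10 12:00:05 fw filterlog: 4,,,1000000103,ovpns2,match,block,in,6,0x00,0x00000,64,ICMPv6,58,64,fd00:b::2,fd00:b::10
"""

# Accepts either a BSD syslog prefix ("... filterlog: <csv>") or an RFC 5424
# prefix ("... filterlog <pid> - - <csv>"); a bare CSV line also works.
_PREFIX = re.compile(r"filterlog\S*\s+(?:\d+\s+-\s+-\s+)?(.*)$")


@dataclass
class FilterEvent:
    rule: str        # pf rule number at the time of logging
    tracker: str     # pfSense rule tracker ID (stable across reloads)
    iface: str       # real interface name, e.g. ovpns2
    action: str      # pass / block / reject
    direction: str   # in / out
    ipver: int
    proto: str       # lower-cased protocol text
    src: str
    dst: str
    detail: List[str]  # protocol-specific trailing fields (ports, ICMP type, ...)


def parse_line(line: str) -> Optional[FilterEvent]:
    """Parse one filterlog record; return None for lines that are not filterlog."""
    m = _PREFIX.search(line)
    csv = (m.group(1) if m else line).strip()
    f = csv.split(",")
    if len(f) < 9 or f[8] not in ("4", "6"):
        return None
    ipver = int(f[8])
    if ipver == 4:
        # IPv4: tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,...
        if len(f) < 20:
            return None
        proto, src, dst, detail = f[16], f[18], f[19], f[20:]
    else:
        # IPv6: class,flowlabel,hoplimit,proto,protoid,length,src,dst,...
        if len(f) < 17:
            return None
        proto, src, dst, detail = f[12], f[15], f[16], f[17:]
    return FilterEvent(f[0], f[3], f[4], f[6], f[7], ipver, proto.lower(), src, dst, detail)


def parse_log(text: str) -> List[FilterEvent]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def blocks_by_rule(events: List[FilterEvent]) -> Counter:
    """Count block events per (interface, tracker) so the offending rule stands out."""
    return Counter((e.iface, e.tracker) for e in events if e.action == "block")


def blocked_flows(events: List[FilterEvent], iface: Optional[str] = None,
                  proto: Optional[str] = None) -> List[FilterEvent]:
    """Blocked records, optionally narrowed to one real interface and/or protocol."""
    return [e for e in events if e.action == "block"
            and (iface is None or e.iface == iface)
            and (proto is None or e.proto == proto)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (iface, tracker), n in blocks_by_rule(evs).most_common():
        print(f"{iface:8} tracker {tracker}: {n} blocked")
    for e in blocked_flows(evs, iface="ovpns2", proto="icmp"):
        print(f"  {e.src} -> {e.dst} icmp {e.detail[0] if e.detail else '?'}")
```

The tracker ID in the fourth field is the value to chase: grep for it in /tmp/rules.debug on the pfSense box to see the generated pf rule and the tab it came from, which answers "which rule dropped this" regardless of whether the packet arrived on an assigned OPTx interface or was matched by a rule on the OpenVPN group tab.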
      mtisza

        I noticed one thing that I'm not sure is correct or not.  I'm using topology subnet for the OPT2 OpenVPN server.  And the interface status looks like this (see attached image):

        I don't see why the gateway is 255.255.255.0

        [attached image: Capture.PNG]

      mikeisfly

          Your MAC address is all zeros too.

      mtisza

        Thanks for your reply.  I decided to abandon this configuration and instead not use OPTx interfaces for the OpenVPN tunnel interfaces.  Also I realized I don't need NAT between my internal VPNs and LANs.  So even that is simpler the new way.

            I do think that I misconfigured the outbound NATs and somehow that affected the original issue, but I can't say for sure.

            Thanks,
            Miki

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.