WAN firewall rules allowing UDP 500 & ESP
-
I read on the pfSense site that you may have to allow firewall rules on WAN from your remote IPsec VPN site. I set up the phase 1 and phase 2 entries and they appear to work fine without the allow firewall rules on WAN for UDP 500 and ESP. Is there any reason why I would want to keep the WAN rules active? I assume source address would be my remote IP and dest as * for UDP 500 & ESP?
https://doc.pfsense.org/index.php/VPN_Capability_IPsec
-
If you have automatic VPN rules enabled (check System > Advanced, Firewall/NAT tab) then you don't need to add manual rules, as it will put in rules to allow the UDP and ESP traffic required from the remote peer IP address defined for the tunnel.
-
Which is safer? Specifically allow traffic from one source, or turning the other on?
-
In most cases they will be equivalent. But usually it's safer to disable the automatic rules and make your own.
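What a manual pair of WAN rules equivalent to the automatic VPN rules looks like in pf syntax, added here as an illustration; it is not part of this thread and not pfSense's own generated ruleset. The WAN interface name em0 and the peer address 203.0.113.10 are assumed placeholders.

```pf
# Added illustration (not from the thread or pfSense): manual WAN rules
# matching what the automatic VPN rules allow, in pf.conf syntax.
# Assumptions: WAN interface is em0, remote IPsec peer is 203.0.113.10.
wan_if = "em0"
ipsec_peer = "203.0.113.10"

# IKE: UDP 500, only from the remote peer, only to this firewall's WAN address
pass in quick on $wan_if proto udp from $ipsec_peer to ($wan_if) port 500

# ESP: the encrypted tunnel traffic itself, again only from the remote peer
pass in quick on $wan_if proto esp from $ipsec_peer to ($wan_if)
```

The destination is pinned to the WAN address rather than *, so the rules only match traffic addressed to the firewall itself, and anything else from that peer still hits the default deny.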
-
Thanks, Jim.