How can I block PPTP access on the LAN interface?



  • I added a firewall rule on the LAN interface, but it has no effect.

    PS: can I enter a rule directly in the CLI without editing pf.conf?



  • Replace LAN address (your destination) with * and it should work.



  • Destination LAN address means exactly that: the address of the LAN interface of your pfSense. So only traffic addressed to the pfSense gets blocked right now.
    To block access to the pptp-subnet, select pptp-subnet as the destination.

    Edit: do you want to block access to PPTP clients connecting to pfSense, or prohibit your users from establishing PPTP connections from within your LAN subnet?



  • This rule is on the LAN tab, therefore ejzhang wants to block outgoing PPTP traffic, right?
    What mrsense posted is correct if you want to block all PPTP traffic from the LAN subnet and any source port to any destination with the PPTP port.

    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
    TCP    *       *     *            1723  *

    Traffic not on destination port 1723 can flow freely, of course.

    BTW, what's a PPTP-subnet supposed to be, GrünerFrosch?

    @ejzhang:

    PS: can I enter a rule directly in the CLI without editing pf.conf?

    Nope, you shouldn't do that. It gets overwritten on reboot.
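    The rule from the table above written out in pf.conf syntax, as an added example that is not part of the original thread or of pfSense's own generated ruleset; the interface name em0 and the LAN subnet 192.168.1.0/24 are assumed placeholders:

```pf
# Added example (not from the thread). Assumed values: LAN interface em0,
# LAN subnet 192.168.1.0/24. pfSense evaluates LAN-tab rules as "in" on the
# LAN interface, i.e. on packets arriving from LAN hosts.
lan_if  = "em0"
lan_net = "192.168.1.0/24"

# The rule from the table: TCP from the LAN net, any source port, to any
# destination on port 1723 (the PPTP control channel). "return" answers with
# a RST so clients fail immediately instead of waiting for a timeout.
block return in quick on $lan_if inet proto tcp from $lan_net to any port 1723

# PPTP carries the tunnelled data over GRE (IP protocol 47), not over 1723.
# Dropping GRE as well keeps an already-established tunnel from passing data.
block in quick on $lan_if inet proto gre from $lan_net to any

# Everything else from the LAN is still handled by the rules that follow.
pass in quick on $lan_if inet from $lan_net to any keep state
```

    In the pfSense GUI this corresponds to a Block rule on the LAN tab with protocol TCP, source "LAN net", destination "*", destination port 1723, plus a second Block rule with protocol GRE.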



  • @jahonix:

    BTW, what's a PPTP-subnet supposed to be, GrünerFrosch?

    I think we first need to clarify whether the goal of the OP is to block outgoing PPTP connections originating from the LAN subnet, or whether he wants to block access from the LAN to clients connected via PPTP to the pfSense.

    I assumed the second, and pptp-subnet just stands for whatever subnet (or IP range) the clients connecting to the pfSense use.



  • Thanks for clarifying. We'll see what the goal is  ;-)



  • To GruensFroeschli:
    I want to prohibit users from establishing PPTP connections from within the LAN subnet, thanks a lot!



  • @GruensFroeschli:

    Destination LAN address means exactly that: the address of the LAN interface of your pfSense. So only traffic addressed to the pfSense gets blocked right now.
    To block access to the pptp-subnet, select pptp-subnet as the destination.

    Edit: do you want to block access to PPTP clients connecting to pfSense, or prohibit your users from establishing PPTP connections from within your LAN subnet?

    I had not considered blocking the internal PPTP server, thanks for pointing that out.  However, doesn't pfSense's PPTP server bind to the WAN address?  If so, then blocking traffic destined to LAN address:1723 would not stop VPN clients.



  • To jahonix:
    I mean adding a rule temporarily; I want to temporarily pass or block some host without modifying the configuration file, and discard the rules at reboot.

