Netgate Discussion Forum
    How can I block PPTP access on the LAN interface?

    Category: Firewalling
    9 Posts, 4 Posters, 3.0k Views

      ejzhang:

      I added a firewall rule on the LAN interface, but it has no effect.

      PS: Can I input a rule in the CLI directly without editing pf.conf?
      [attached screenshot: blockpptp.jpg]

        mrsense:

        Replace LAN address (your destination) with * and it should work.

          GruensFroeschli:

          Destination "LAN address" means exactly that: the address of the LAN interface of your pfSense. So only traffic addressed to the pfSense itself gets blocked right now.
          To block access to the pptp-subnet, select as destination: pptp-subnet.

          Edit: do you want to block access to pptp clients connecting to pfSense or prohibit your users to establish pptp connections from within your LAN subnet?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            jahonix:

            This rule is on the LAN tab, therefore ejzhang wants to block outgoing PPTP traffic, right?
            What mrsense posted is correct if you want to block all PPTP traffic from LAN subnet and any origin port to any destination with PPTP port.

            Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
            TCP    *       *     *            1723  *

            Traffic not on destination port 1723 can flow freely, of course.

            BTW, what's a PPTP-subnet supposed to be, GrünerFrosch?

            @ejzhang:

            PS: Can I input a rule in the CLI directly without editing pf.conf?

            Nope, you shouldn't do that. It gets overwritten on reboot.

              GruensFroeschli:

              @jahonix:

              BTW, what's a PPTP-subnet supposed to be, GrünerFrosch?

              I think we first need to clarify whether the OP's goal is to block outgoing PPTP connections originating from the LAN subnet, or whether he wants to block access from the LAN to clients connected via PPTP to the pfSense.

              I assumed the second and pptp-subnet just stands for whatever subnet (or iprange) the clients connecting to the pfSense use.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                jahonix:

                Thanks for clarifying. We'll see what the goal is ;-)

                  ejzhang:

                  To GruensFroeschli:
                  I want to prohibit users from establishing PPTP connections from within the LAN subnet, thanks a lot!

                    mrsense:

                    @GruensFroeschli:

                    Destination "LAN address" means exactly that: the address of the LAN interface of your pfSense. So only traffic addressed to the pfSense itself gets blocked right now.
                    To block access to the pptp-subnet, select as destination: pptp-subnet.

                    Edit: do you want to block access to pptp clients connecting to pfSense or prohibit your users to establish pptp connections from within your LAN subnet?

                    I had not considered blocking an internal PPTP server, thanks for pointing that out. However, doesn't pfSense's PPTP server bind to the WAN address? If so, then blocking traffic destined to LAN address:1723 would not stop VPN clients.

                      ejzhang:

                      To jahonix:
                      I mean adding a rule temporarily: I want to temporarily pass or block some hosts without modifying the configuration file, and have those rules discarded at reboot.

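The following script is an added example, not code posted by anyone in this thread and not part of pfSense itself. It ties together the two things asked about above: the LAN rule jahonix laid out (block TCP to destination port 1723 from the LAN subnet) and ejzhang's wish for a rule that lives only until the next reboot. It assumes a LAN interface name of em0, a LAN subnet of 192.168.1.0/24, and that the pfSense-generated ruleset references an `anchor "userrules/*"` line so that rules loaded into a sub-anchor with pfctl are actually evaluated; all three are placeholders to check on your own box. One caveat the table alone does not show: PPTP is two flows, the TCP/1723 control channel and a GRE tunnel (IP protocol 47) that carries the PPP frames, so a block that only covers 1723 stops new sessions but not a tunnel whose control channel is already established.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense project.
# Blocks outbound PPTP from the LAN and loads the rules into a pf anchor
# so they live only in the running kernel ruleset and vanish on reboot.
#
# Assumptions (placeholders, adjust for your box):
#   LAN_IF   - the pfSense LAN interface name (em0 is assumed)
#   LAN_NET  - the LAN subnet (192.168.1.0/24 is assumed)
#   ANCHOR   - a sub-anchor under "userrules/*", which the generated
#              pfSense ruleset is assumed to reference; if yours does not,
#              rules loaded here are never evaluated.
LAN_IF="${LAN_IF:-em0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ANCHOR="${ANCHOR:-userrules/blockpptp}"
RULEFILE="/tmp/blockpptp.rules"

# Emit the pf rules. PPTP is two flows: the TCP/1723 control channel
# (jahonix's table row) and the GRE tunnel (IP protocol 47) that carries
# the PPP frames. Blocking only 1723 stops new sessions; blocking GRE as
# well also cuts a tunnel whose control channel is already up. Both rules
# carry "log" so blocked attempts show up in the firewall log.
pptp_block_rules() {
    printf 'block in log quick on %s proto tcp from %s to any port 1723\n' \
        "$LAN_IF" "$LAN_NET"
    printf 'block in log quick on %s proto gre from %s to any\n' \
        "$LAN_IF" "$LAN_NET"
}

# Number of rules the generator emits (sanity check for the caller).
pptp_rule_count() {
    pptp_block_rules | wc -l | tr -d ' '
}

# Load the rules into the anchor. Nothing under the saved configuration is
# touched, so the block is gone after the next reboot, as ejzhang wants.
load_temp_block() {
    pptp_block_rules > "$RULEFILE"
    pfctl -a "$ANCHOR" -f "$RULEFILE"
}

# Show what is currently loaded in the anchor (verification step).
show_temp_block() {
    pfctl -a "$ANCHOR" -s rules
}

# Lift the block again without waiting for a reboot.
clear_temp_block() {
    pfctl -a "$ANCHOR" -F rules
}

case "${1:-print}" in
    apply) load_temp_block && show_temp_block ;;
    show)  show_temp_block ;;
    clear) clear_temp_block ;;
    *)     pptp_block_rules ;;   # default: print the rules, touch nothing
esac
```

Run it with no argument first to review the rules it would load, then `sh blockpptp.sh apply` from the pfSense shell and `sh blockpptp.sh show` to confirm the anchor holds the two rules. Because the rules log, a LAN host trying to bring up a PPTP session appears as a blocked entry in the firewall log, which is the quickest way to confirm the block is hitting real traffic. A rule added through the web GUI is the persistent alternative; this anchor approach is only for the throwaway case the thread discusses.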
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.