Can I use pfblocker to block all incoming traffic, but still use a VPN?



  • Hello everyone, fairly new to pfSense and I'm working on a setup for my company. I like the idea of being able to block all incoming connections, as there is no need for anyone to be able to connect to our servers remotely, except a small (4) group of people who need to be able to use Splashtop, FTP, WebDAV, and connect to our 3CX phone system. If I set pfBlocker to block all incoming connections, will a VPN still function to get around the blocks? This way the only people who can connect are the few people with VPN access?



  • Will you be using pfSense as your VPN server or an existing server on your network?



  • I will more than likely be using pfSense for the VPN.



  • pfBlocker just adds firewall rules to the configured interface(s). Firewall rules are evaluated as they are shown, from the top to the bottom. If a rule matches, the following ones are ignored.
    To access your VPN server, add a rule to allow this traffic above the blocking rules. It does not matter here if pfSense is your VPN server or another host behind it.



  • @viragomann:

    pfBlocker just adds firewall rules to the configured interface(s). Firewall rules are evaluated as they are shown, from the top to the bottom. If a rule matches, the following ones are ignored.
    To access your VPN server, add a rule to allow this traffic above the blocking rules. It does not matter here if pfSense is your VPN server or another host behind it.

    It matters because if you're using an internal, non-pfSense firewall he'd also need to port forward.



  • I guess what I'm going after is this: could I close all ports on the router except the ones required for the VPN to function, and then just use the VPN to access our phone, surveillance, and file servers that way? So this way essentially you must have VPN access to get to anything. To add to that question, I also wanted to know if I could block just about every IP address from being able to connect, unless you have VPN access.

    Hackers are getting nasty, and this is just an added layer of security. I remember logging attempted connections to my FTP server at home, and found that at least 1 person a day would attempt to get in.



  • @justin.j:

    It matters because if you're using an internal, non-pfSense firewall he'd also need to port forward.

    That doesn't matter for the position of an appropriate firewall rule. Port forwarding is basically needed if you want to access another host behind pfSense, except when the firewall is in bridge mode.

    @relink2013:

    Hello everyone, fairly new to pfSense and I'm working on a setup for my company. I like the idea of being able to block all incoming connections, as there is no need for anyone to be able to connect to our servers remotely, except a small (4) group of people who need to be able to use Splashtop, FTP, WebDAV, and connect to our 3CX phone system. If I set pfBlocker to block all incoming connections, will a VPN still function to get around the blocks? This way the only people who can connect are the few people with VPN access?

    pfSense blocks any incoming connection by default. So if you just open the ports for the VPN only in the firewall rules, you get what you want.
    In addition, you just have to make sure that the return packets of the VPN traffic are also routed over the VPN connection.

    If you want, you can also block any outgoing traffic except the VPN or whatever else you need by adapting the LAN interface rules.
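As an added illustration (editor's example, not from any poster in this thread) of the rule ordering viragomann describes and the "open only the VPN ports" advice in the last reply, here is the WAN ruleset in pf syntax, which is what pfSense generates from its GUI rules. The WAN interface name em0, OpenVPN on UDP 1194, the table name pfB_blocklist, the tunnel network 10.8.0.0/24 and the LAN addresses are all assumed values; the blocklist entries are constructed from documentation ranges. The point is the order, not a file to paste into pfSense.

```pf
# Added example (not pfSense output): WAN rules are evaluated top to bottom and,
# because pfSense marks every rule "quick", the first match wins.
# Assumed: WAN = em0, OpenVPN on UDP 1194, pfBlocker table pfB_blocklist,
# VPN server behind pfSense at 192.168.1.10, tunnel network 10.8.0.0/24.

# Constructed blocklist contents (documentation ranges); pfBlocker fills the real table.
table <pfB_blocklist> persist { 203.0.113.0/24 198.51.100.0/24 }

# Case 2 only (VPN server is a host behind pfSense): the port forward.
# Translation rules must precede filter rules in pf.conf. Leave this commented out for case 1.
# rdr on em0 proto udp from any to (em0) port 1194 -> 192.168.1.10 port 1194

# WRONG order: the pfBlocker block is hit first, so a VPN client on a listed
# network never reaches the pass rule below it.
# block in quick on em0 from <pfB_blocklist> to any
# pass  in quick on em0 proto udp from any to (em0) port 1194 keep state

# Case 1 (pfSense itself is the OpenVPN server): allow the VPN port FIRST.
pass in quick on em0 proto udp from any to (em0) port 1194 keep state
# Case 2 instead: after the rdr above, the pass rule must match the forwarded destination.
# pass in quick on em0 proto udp from any to 192.168.1.10 port 1194 keep state

# pfBlocker's block rules come after the VPN allow.
block in quick on em0 from <pfB_blocklist> to any

# pfSense's default policy on WAN: everything else unsolicited is dropped,
# so no separate "close all ports" rule is needed.
block in quick on em0 all

# Internal servers are reachable only through the tunnel: allow tunnel clients
# on the OpenVPN interface, nothing on WAN.
pass in quick on ovpns1 from 10.8.0.0/24 to 192.168.1.0/24 keep state
```

In the pfSense GUI the same ordering means the OpenVPN pass rule sits above the pfBlocker rules on the WAN tab; if pfBlocker is configured to place its rules at the top, the pass rule has to be moved above them.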