Query about the pfSense firewall and OpenVPN



  • Ok

I've got a working connection between a remote PC and the pfSense box in the office using OpenVPN. From this remote PC I can access the office's network share and ping the IPs in the office.

    We also use virtual soft phones in the office that connect to a PBX to make calls out over our phone lines, but when I install the virtual phone software on the remote PC and try to connect, it can't authenticate.

    I've been debugging this issue for a few days thinking it was a problem with the phone software but today I tried just disabling the firewall within pfSense (i.e. at System>Advanced functions>Traffic Shaper and Firewall Advanced>Disable Firewall) and it works. I can connect and authenticate fine and make calls out via the office phone system from a remote location.

    My question is: how is the firewall blocking this traffic? And is it possible to port forward some ports to be used by OpenVPN?



• Anybody? Is there any way to open up ports to be used by an OpenVPN connection?



  • Take a look at the firewall log to see what is being blocked - that may give you a clue as to what needs to be allowed through the firewall for the SIP phone to work.

    As for the actual rule for this I do not know as I do not have a SIP phone setup on my system to test it.

    gm…



  • @gmckinney:

    Take a look at the firewall log to see what is being blocked - that may give you a clue as to what needs to be allowed through the firewall for the SIP phone to work.

    As for the actual rule for this I do not know as I do not have a SIP phone setup on my system to test it.

    gm…

    But what I'm asking is: does pfSense have the ability to open up ports to be used by OpenVPN? If I find the ports that are being blocked, will adding port forwarding rules in the firewall work for OpenVPN?



  • Does nobody know if pfSense NAT and firewall rules affect the OpenVPN connection?



• They don't.
    As of right now the OpenVPN connection on pfSense is wide open.
    Plans to add firewalling capabilities for OpenVPN interfaces are in the works.

    Also, OpenVPN traffic is NOT being NATed as long as you don't create an Advanced Outbound NAT rule that says this subnet should be NATed.
    –>
    http://forum.pfsense.org/index.php/topic,7001.0.html



  • @GruensFroeschli:

    They don't.
    As of right now the OpenVPN connection on pfSense is wide open.
    Plans to add firewalling capabilities for OpenVPN interfaces are in the works.

    Also, OpenVPN traffic is NOT being NATed as long as you don't create an Advanced Outbound NAT rule that says this subnet should be NATed.
    –>
    http://forum.pfsense.org/index.php/topic,7001.0.html

    So this should mean that all the ports are open when the VPN connection is made? Then how is it I'm able to connect the phone software to our PBX when the firewall is disabled, but unable to connect when it is enabled?

    I read the page you linked to in regard to VPNs; could you elaborate on one point? I'm currently using pfSense as a load balancer and have set OpenVPN to only use the WAN connection (not Opt1).

    @GruensFroeschli:

    You need to have a rule above your default rule (which has the load balancer as its gateway)
    with destination your VPN subnet and as gateway the default gateway (displayed as *), NOT the load balancer.

    Where exactly do I need to place this rule? Could you give me an example of what it should look like?



• Place: at the top, above every other rule
    Source: subnet of the interface (LAN?) or any
    Destination: OpenVPN subnet
    Gateway: * (<– not the load balancer)

    This rule ensures that traffic destined for the OpenVPN subnet is not handled by the balancer.
    This is because the balancer does not "know" how to reach the OpenVPN subnet.



  • @GruensFroeschli:

    Place: at the top, above every other rule

    What do you mean by "Place: at the top, above every other rule"? I have rules in the NAT section, in the firewall rules section for LAN and WAN, and I also have "Advanced Outbound NAT" rules for load balancing. Which section should I implement this rule in?



• Under Firewall.
    The load balancer right now is a kind of policy routing.
    –> You specify which gateway should be used.
    The load balancer is just a "special" kind of gateway.

    This would be the same as if you had an "all traffic from LAN always goes out OPT1" rule.
    You then need another rule above it that says "but traffic destined for the OpenVPN subnet should use the default gateway (*)".

    It has to be above because
    @http://forum.pfsense.org/index.php/topic:

    Rules are processed from top to bottom.
    If a rule matches, the rest of the rules are no longer considered.
    By default a "block all" rule is always in place (invisible, below your own rules).
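The two posts above describe the fix (a pass rule for the OpenVPN subnet with gateway `*`, placed above the load-balancer rule) and the reason it must sit above (first match wins, with an invisible "block all" at the bottom). The following Python simulation is an added example, not code from the thread or from pfSense itself; it models one interface tab's rule list with first-match evaluation so you can see what changes when the rule order is swapped. The subnets, gateway names and addresses are constructed for the demonstration.

```python
"""Added example: first-match rule evaluation for one pfSense interface tab.

Not pfSense code. Models only what the thread describes: rules are checked
top to bottom, the first match decides action and gateway, and an invisible
"block all" rule sits below everything the administrator wrote.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "pass" or "block"
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    gateway: str      # "*" = default gateway; anything else = named gateway/balancer


def _matches(spec: str, addr: str) -> bool:
    """True if addr falls inside spec, where spec is a CIDR or the keyword 'any'."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str):
    """Return (action, gateway) from the first rule that matches src -> dst.

    Falls through to ("block", None), modelling the implicit block-all rule
    that pfSense keeps below the user-defined rules.
    """
    for rule in rules:
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.action, rule.gateway
    return "block", None


# Constructed values: a LAN, the tunnel subnet handed out by OpenVPN, and the
# policy-routing rule that sends all LAN traffic to the load balancer.
LAN_SUBNET = "192.168.1.0/24"
VPN_SUBNET = "10.8.0.0/24"

BALANCER_RULE = Rule("pass", LAN_SUBNET, "any", "LoadBalancer")
VPN_BYPASS_RULE = Rule("pass", LAN_SUBNET, VPN_SUBNET, "*")

# Order as recommended in the thread: bypass rule first, balancer rule below.
RECOMMENDED_ORDER = [VPN_BYPASS_RULE, BALANCER_RULE]
# Same two rules, wrong order: the balancer rule catches everything first.
WRONG_ORDER = [BALANCER_RULE, VPN_BYPASS_RULE]


def gateway_for_vpn_reply(rules):
    """Gateway chosen for a LAN host (e.g. the PBX) answering a VPN client."""
    return evaluate(rules, "192.168.1.50", "10.8.0.6")


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_ORDER), ("wrong", WRONG_ORDER)):
        print(f"{label:12} LAN -> VPN client : {gateway_for_vpn_reply(rules)}")
        print(f"{label:12} LAN -> Internet   : {evaluate(rules, '192.168.1.50', '203.0.113.9')}")
    # Nothing matches a host outside the LAN source, so the implicit block applies.
    print("non-LAN source        :", evaluate(RECOMMENDED_ORDER, "172.16.0.1", "10.8.0.6"))
```

With the recommended order, replies from the PBX to the VPN client take the default gateway (`*`) and ordinary Internet traffic still goes to the load balancer; with the order swapped, the balancer rule matches first and VPN-bound traffic is handed to a gateway that has no route to the tunnel subnet, which is the symptom the thread describes. Turning the whole firewall off removed both rules, which is why the phone worked in that state.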



  • @GruensFroeschli:

    Under Firewall.

    OK, but where under Firewall? Do I implement this rule in Firewall > Rules > LAN or Firewall > Rules > WAN?



• Did you really read the first link I posted?

    @http://forum.pfsense.org/index.php/topic:

    Traffic is filtered on the interface on which it comes in.
    So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab.

    It depends on where your server is.



• GruensFroeschli, I have to give you a big thanks. Your help has pretty much solved the issue I've been trying to fix for nearly 3 weeks now. I wasn't sure if the problem was being caused by the phone software or by pfSense.

    After implementing this rule at the top of the LAN settings, pointing all LAN traffic to the subnet I assigned for the VPN at the default gateway, I can now connect through with no issues.

    BTW, you should add your solution to the wiki on setting up OpenVPN; it really is a step that shouldn't be left out.

    Thanks again for the time and advice.



• Gruens, that is what I would have told him too. ;D

