Query about the pfSense firewall and OpenVPN
-
Does nobody know if pfSense NAT and firewall rules affect the OpenVPN connection?
-
They don't.
As of right now the OpenVPN connection on pfSense is wide open.
Plans to add firewalling capabilities for OpenVPN interfaces are in the works. Also, OpenVPN is NOT being NATed as long as you don't create an Advanced Outbound NAT rule that says this subnet should be NATed.
–>
http://forum.pfsense.org/index.php/topic,7001.0.html
-
So this should mean that all the ports are open when the VPN connection is made? Then how is it I'm able to connect the phone software to our PBX when the firewall is disabled, but unable to connect when it is enabled?
I read that page you linked to in regard to VPNs; could you elaborate on one point? I'm currently using pfSense as a load balancer and have set OpenVPN to only use the WAN connection (not Opt1).

"You need to have a rule above your default rule (which has as gateway the loadbalancer) with destination your VPN subnet and as gateway the default gateway (displayed as *), NOT the loadbalancer."

Where exactly do I need to place this rule? Could you give me an example of what it should look like?
-
Place: at the top above every other rule
Source: subnet-of-interface (LAN?) or any
Destination: OpenVPN-subnet
Gateway: * (<– not the loadbalancer)

This rule ensures that traffic destined for the OpenVPN subnet is not handled by the balancer.
This is because the balancer does not "know" how to reach the OpenVPN subnet.
-
What do you mean by "Place: at the top above every other rule"? I have rules in the NAT section, in the firewall rules section for LAN and WAN, and I also have "advanced outbound NAT" rules for load balancing. Which section should I implement this rule in?
-
Under Firewall.
The loadbalancer right now is a kind of policy routing.
–> You specify which gateway should be used.
The loadbalancer is just a "special" kind of gateway. This would be the same as if you had an "all traffic from LAN always goes out OPT1" rule.
You then need another rule above that says "but traffic destined for the OpenVPN subnet should use the default gateway *". It has to be above because
@http://forum.pfsense.org/index.php/topic: Rules are processed from top to bottom.
If a rule matches, the rest of the rules are no longer considered.
By default a "block all" rule is always in place (invisible, below your own rules).
-
OK, but where under Firewall? Do I implement this rule in Firewall > Rules > LAN or Firewall > Rules > WAN?
-
Did you really read the first link I posted?
@http://forum.pfsense.org/index.php/topic:
Traffic is filtered on the interface on which the traffic comes in.
So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab. It depends on where your server is.
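The behaviour the last three replies rely on (rules are evaluated top to bottom on the tab of the interface the traffic enters, the first match wins, the balancer is just a gateway selected by a rule, and an invisible "block all" sits below your rules) as an added example that is not part of the thread and not pfSense code: a small Python model of that evaluation, run once with the VPN rule above the balancer rule and once with it below. The subnets 192.168.1.0/24 (LAN) and 10.0.8.0/24 (OpenVPN tunnel), the addresses and the gateway names are assumptions chosen for the example.

```python
"""Model of pfSense-style first-match rule evaluation with policy routing.

Added illustration, not pfSense code. Assumed values for the example:
  LAN        192.168.1.0/24
  OpenVPN    10.0.8.0/24   (tunnel subnet assigned to OpenVPN)
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT_GW = "*"               # pfSense displays the system default gateway as *
LOADBALANCER = "LoadBalancer"  # the balancer pool selected as a rule's gateway


@dataclass(frozen=True)
class Rule:
    source: str       # CIDR or "any"
    destination: str  # CIDR or "any"
    gateway: str      # DEFAULT_GW, or a gateway/pool name (policy routing)

    def matches(self, src: str, dst: str) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return in_net(self.source, src) and in_net(self.destination, dst)


# One rule list per interface tab; only the tab of the inbound interface applies.
Ruleset = Dict[str, List[Rule]]


def decide(rules: Ruleset, inbound_iface: str, src: str, dst: str) -> Optional[str]:
    """Return the gateway chosen by the first matching rule on the inbound
    interface's tab, or None when nothing matched, i.e. the implicit
    block-all below your own rules applies."""
    for rule in rules.get(inbound_iface, []):
        if rule.matches(src, dst):
            return rule.gateway  # first match wins; later rules are not considered
    return None


LAN_NET = "192.168.1.0/24"   # assumed
OVPN_NET = "10.0.8.0/24"     # assumed

# The rule recommended in the thread: VPN-bound traffic keeps the default gateway.
VPN_TO_DEFAULT_GW = Rule(LAN_NET, OVPN_NET, DEFAULT_GW)
# The existing "default" LAN rule whose gateway is the load balancer pool.
LAN_VIA_BALANCER = Rule(LAN_NET, "any", LOADBALANCER)

# Correct order: the specific VPN rule sits above the balancer rule.
WORKING: Ruleset = {"LAN": [VPN_TO_DEFAULT_GW, LAN_VIA_BALANCER]}
# Wrong order: the balancer rule matches everything first, so the VPN rule is dead.
BROKEN: Ruleset = {"LAN": [LAN_VIA_BALANCER, VPN_TO_DEFAULT_GW]}


def demo() -> Dict[str, Optional[str]]:
    # Constructed addresses: a LAN phone, a PBX reachable over the tunnel, an Internet host.
    phone, pbx_over_vpn, internet = "192.168.1.20", "10.0.8.6", "203.0.113.9"
    return {
        "working/vpn": decide(WORKING, "LAN", phone, pbx_over_vpn),   # "*"
        "working/internet": decide(WORKING, "LAN", phone, internet),  # "LoadBalancer"
        "broken/vpn": decide(BROKEN, "LAN", phone, pbx_over_vpn),     # "LoadBalancer"
        # No rules defined on the WAN tab: the implicit block-all applies.
        "wan/unsolicited": decide(WORKING, "WAN", internet, phone),   # None
    }


if __name__ == "__main__":
    for case, gateway in demo().items():
        print(f"{case:18} -> {gateway}")
```

In the pf ruleset pfSense generates, the rule whose gateway is the balancer carries a `route-to` to the pool while the rule with gateway * carries none, and user rules are `quick`, so the first match decides; that is why the order on the LAN tab, not the NAT or WAN section, is what fixes the VPN-bound traffic.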
-
GruensFroeschli, I have to give you a big thanks. Your help has pretty much solved the issue I was trying to fix for nearly 3 weeks now. I wasn't sure if the problem was being caused by the phone software or pfSense.
After implementing this rule at the top of the LAN settings, pointing all LAN traffic at the subnet I assigned for the VPN, I can now connect through with no issues.
BTW, you should add your solution to the wiki on setting up OpenVPN; it really is a step that shouldn't be left out.
Thanks again for the time and advice.
-
Gruens, that is what I would have told him too. ;D