Firewall Rules Dont Work when using Cisco VPN

  • Hi All,

    We are using the policy-based routing in our pfsense router. For example, we have blocked a few sites using the Firewall rules. While these rules work fine normally, they stop working when I connect to my client's network using Cisco VPN. When I VPN in, I am able to access all the blocked sites.

    Is there any technical workaround to this issue? Any help is greatly appreciated.


  • I assume you created the block rules on the LAN-interface.
    To block VPN users you need to create the rules on the IPSEC interface too.

    The easiest way to achieve this is to create an alias with all the IP's you want to block and use this alias in both rules.

  • You have to note that the reason this is happening is due to the fact that when you VPN in, you are bypassing your local pfsense gateway and are using the gateway on the VPN side's network.  You will be going out via that gateway's rules.  In your case, it is when using the Cisco VPN.  For others, the same applies when using PPTP to vpn into another site.

    I use this technique quite a bit when I am at a site where the local firewall/router rules from going to particular sites or ports.  I do not believe there is an easy workaround to this other than totally blocking off VPN access to hosts on your network which you don't want having this type of access.

    On a side note, at one site I was recently at, the system administrators cleverly disabled the local user's abilities in creating PPTP vpn tunnels from within Windows.  Of course, if I have a linux boot cd, or some other cd-based bootable media, there'd be no issue. ;)

  • Configure split-tunneling on the Cisco side.  That'll take care of your issue.

Log in to reply