Site-To-Site access by select few

  • I have a network where a site-to-site is set up.  There is one central office and four branch locations.  I'd like to tighten down some rules.  I'd like to have a select few PCs in the central office be able to access branch locations.  Not every PC in the central office needs branch office access.

    I have set up an alias with the IPs of the PCs that I want to have access.  In Firewall:Rules:OpenVPN do I simply change the "source" from * to the alias of the allowed PCs, or is there something else I'm missing?  I guess the problem is that I'm not sure what direction this rule is based on.  Is the rule outgoing or incoming?

    Is there a better way to achieve this than how I'm trying it now?


  • A firewall rule handles the incoming traffic at the interface.
    So if you put this rule on the OpenVPN tab of the branch office's pfSense it would do its job.

    Alternatively you can put a block rule on the central office side, but on the LAN interface, which blocks all traffic from other PCs to the branch office net:

        Action  Proto  Source                  Port  Destination          Port  Gateway  Queue  Schedule  Description
        block   *      !Allowed_PC_VPN_Access  *     <branch office net>  *     *        none             Block all others
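To make the direction point concrete, here is a small first-match rule evaluator, added as an illustration and not part of the thread or of pfSense itself. It models the two placements from the answer: a pass rule with the alias as source on the branch OpenVPN tab (traffic entering the branch firewall from the tunnel, default deny otherwise), and a block rule with the negated alias on the central LAN tab (traffic entering the central firewall from the LAN) followed by the usual allow-all LAN rule. The networks, addresses and the alias contents are constructed sample values, not from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addressing (assumption for the example, not from the thread).
CENTRAL_LAN = ipaddress.ip_network("10.0.0.0/24")
BRANCH_NET = ipaddress.ip_network("10.1.0.0/24")
ALLOWED_PC_VPN_ACCESS = {  # the alias of PCs that may reach the branch
    ipaddress.ip_address("10.0.0.10"),
    ipaddress.ip_address("10.0.0.11"),
}


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    src_alias: Optional[set] = None               # None means source "*" (any)
    src_negate: bool = False                      # the "!" in front of the alias
    dst_net: Optional[ipaddress.IPv4Network] = None  # None means destination "*"
    description: str = ""

    def matches(self, src, dst):
        if self.src_alias is not None:
            in_alias = src in self.src_alias
            # Negated alias matches only sources that are NOT in the alias;
            # a plain alias matches only sources that ARE in it.
            if in_alias == self.src_negate:
                return False
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        return True


def evaluate(rules, src, dst):
    """First matching rule wins, as on a pfSense interface tab; no match means block."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "block"


# Placement 1: rule on the branch office firewall, OpenVPN tab. It sees packets
# arriving from the tunnel, so the source is the central office PC.
BRANCH_OPENVPN_RULES = [
    Rule("pass", src_alias=ALLOWED_PC_VPN_ACCESS, dst_net=BRANCH_NET,
         description="Allow select central PCs to branch net"),
]

# Placement 2: rules on the central office firewall, LAN tab. The block rule with
# the negated alias sits above the usual allow-all rule that LAN normally has.
CENTRAL_LAN_RULES = [
    Rule("block", src_alias=ALLOWED_PC_VPN_ACCESS, src_negate=True,
         dst_net=BRANCH_NET, description="Block all others"),
    Rule("pass", description="Default allow LAN to any"),
]

PLACEMENTS = {
    "branch_openvpn": BRANCH_OPENVPN_RULES,
    "central_lan": CENTRAL_LAN_RULES,
}


def decide(placement, src, dst):
    """Return 'pass' or 'block' for a packet entering the interface that holds `placement`."""
    return evaluate(PLACEMENTS[placement],
                    ipaddress.ip_address(src), ipaddress.ip_address(dst))


if __name__ == "__main__":
    for placement in PLACEMENTS:
        for src, dst in [("10.0.0.10", "10.1.0.5"), ("10.0.0.50", "10.1.0.5")]:
            print(f"{placement}: {src} -> {dst}: {decide(placement, src, dst)}")
```

Note that the LAN placement only filters packets entering the central firewall from its LAN, so a non-listed PC still reaches the Internet (the block rule does not match a non-branch destination), while the branch-side placement only ever sees what arrives over the tunnel.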

  • Perfect.  Thanks for the great explanation.