How to block all traffic except RDP and WOL packets from VPN tunnel?
-
I'm just migrating our firewall and router setup from Endian to pfSense 2.2.1.
At our company we enforce a strict "Remote Desktop only" access policy. Our staff are allowed to remotely access their desktop PCs at the office using RDP over OpenVPN. They are not allowed to access any of the (file) servers from the tunnel. So OpenVPN traffic must be limited to RDP and WOL packets.
The guy who setup the Endian firewall rules did some weird stuff. Despite trying to block any non-RDP traffic, he additionally created some rules to block access to each of our servers on IP level - most likely because his setup was not working at all.
That's definitely not the way we want to go now. So I can't recreate his rules with pfSense.
As far as I recall, broadcasting WOL packets through the tunnel or firewall was a serious problem with his setup. So does anybody have any hints for me?
-
Add an Allow rule for TCP/UDP 3389 on the OpenVPN tab for RDP. I have no idea for WOL or even know what it is. Lastly, block all else.
-
Thanks. I'll try that.
WOL = Wake on LAN
Sends a packet to the broadcast address containing the MAC of the device.
-
So it isn't The Watchtower Online? ;D
Just figure out the TCP/UDP ports needed by the service and explicitly allow them. Block all else.
-
WOL is a layer 2 broadcast technique. But it can have some layer 3 fields in the packet payload, thus looking like a UDP datagram. There are Subnet Directed Broadcasts that with proper support in routers can "relay" WOL packets to the target network where they can be broadcast to wake up stuff.
Read about it:
http://en.wikipedia.org/wiki/Wake-on-LAN#Subnet_directed_broadcasts
But maybe you already have your OpenVPN in tap mode, effectively a bridge to the LAN, so the "dialin" VPN clients can send WOL packets easily to wake their office computers from slumber.
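As an added illustration (not code from any poster in this thread, and not a pfSense configuration), the following Python model evaluates the rule set suggested above in first-match order: allow TCP/UDP 3389 from the tunnel to the office LAN, allow a UDP/9 subnet-directed broadcast only if its payload is a valid WOL magic packet, and drop everything else. The office LAN (192.168.10.0/24), the tunnel subnet (10.8.0.0/24) and the sample packets are constructed placeholders, and the WOL rule assumes routed (TUN) delivery to the LAN's directed-broadcast address, as described in the post above.

```python
import ipaddress

# Assumed, constructed addressing for the example (not from the thread).
OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")  # desktops live here
VPN_NET = ipaddress.ip_network("10.8.0.0/24")         # OpenVPN tunnel subnet


def magic_packet(mac: str) -> bytes:
    """Build a WOL magic packet: 6 x 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    return b"\xff" * 6 + raw * 16


def is_wol_magic(payload: bytes) -> bool:
    """Strict check that a UDP payload really is a magic packet.
    A trailing SecureOn password (0 or 6 bytes) is tolerated."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16 and len(payload) - 102 in (0, 6)


def evaluate(pkt: dict) -> str:
    """First-match evaluation of the tunnel rule set for one packet.
    pkt keys: src, dst (IPv4 strings), proto ("tcp"/"udp"), dport, payload."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src not in VPN_NET:
        return "drop"  # not tunnel traffic; other interfaces' rules apply
    # Rule 1: RDP (TCP or UDP 3389) to any host on the office LAN.
    if pkt["proto"] in ("tcp", "udp") and pkt["dport"] == 3389 and dst in OFFICE_LAN:
        return "allow rdp"
    # Rule 2: WOL as a subnet-directed broadcast, UDP/9, valid magic packet only.
    if (pkt["proto"] == "udp" and pkt["dport"] == 9
            and dst == OFFICE_LAN.broadcast_address
            and is_wol_magic(pkt.get("payload", b""))):
        return "allow wol"
    # Rule 3: everything else (file servers, SMB, arbitrary UDP/9) is dropped.
    return "drop"


# Constructed sample traffic from a VPN client, for a quick demonstration.
SAMPLES = [
    {"src": "10.8.0.5", "dst": "192.168.10.20", "proto": "tcp", "dport": 3389},
    {"src": "10.8.0.5", "dst": "192.168.10.50", "proto": "tcp", "dport": 445},
    {"src": "10.8.0.5", "dst": "192.168.10.255", "proto": "udp", "dport": 9,
     "payload": magic_packet("00:11:22:33:44:55")},
    {"src": "10.8.0.5", "dst": "192.168.10.255", "proto": "udp", "dport": 9,
     "payload": b"not a magic packet"},
]


def decide_all(packets=SAMPLES) -> list:
    return [evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, decide_all()):
        print(f"{pkt['proto']}/{pkt['dport']} -> {pkt['dst']}: {verdict}")
```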
-
Thanks for your response.
As you mentioned, after some research I understood that I will need TAP to get broadcasts to work. At the moment I'm fiddling with TAP config problems. So I will return to this thread later, after I have hopefully solved my basic problems ;)
-
For WOL you can also use pfSense's "Wake on LAN" function in the GUI's Services menu if pfSense is connected to the broadcast domain, which I assume.
You can grant your users access to this GUI tab by adding a user account and setting it in the "Effective Privileges".
-
Thanks for sharing your solution. I already thought of that, but from a user point of view it seems like a compromise. Some of our employees use the RDP access every day and they won't appreciate another login just for waking up their PC. Despite that, TUN seems to work for us only with "routing" enabled, which requires admin privileges on Windows.
I hope we find another solution, but I will keep your suggestion in mind.