Prevent some LAN devices from being accessable over L2TP/IPsec
-
I got all working and I am able to access the Internet and LAN devices through my L2TP/IPsec VPN connection. Now how do I prevent one of the VPN Client connection to access lets say 192.168.1.3 but still be able to browse the internet through its VPN ?
-
Block the traffic on Firewall > Rules,
IPsecL2TP VPN tab -
thank you … I did that und used destination "Single host or alias" but I have still full access to the ip from the L2TP vpn side
-
Show exactly what you did. And rules only apply to new states so you have to clear old states or existing connections aren't blocked.
-
here is what I have ….
-
You are passing no traffic. L2TP clients shouldn't be able to access anything over the tunnel. Where are you testing from?
-
I am testing it from an L2TP/IPsec connected Client (Outside my network)
all I am trying to achieve is to get the VPN client to access the Internet through its VPN without having to have access to the LAN side..
-
Nothing should be passing. Something must not be how you think it is.
-
well I can access lan devices from my outside VPN connection (e.g WEB GUI and such) but I can also browse (which is what I wanted…) the only thing is LAN devices are not blocked from accessing..
-
You shouldn't be able to access anything.
-
I had a floating rule in place maybe that OVERULED IT …
so now I can not browse or access the lan ... how do I get browsing back through the vpn ? -
Floating rule, huh.
For connections originating from L2TP clients:
Block specifically what you want to block (Specific LAN host(s))
Pass what you want to pass (any any) -
unless I have this in place nothing works … and with that in place your rules in the L2TP vpn tab wont work..
-
There's no way you need that floating rule - especially since it's direction out. Get rid of it and put a Pass IPv4 any source any dest any rule on L2TP VPN.
You need to make sure:
The L2TP VPN tab contans rules that dictate what you want your L2TP clients to have access to. Since you want them to access the internet over the tunnel, that means block what you don't want them to access and pass everything else.
There is proper outbound NAT on WAN for the L2TP tunnel network.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Thank you for your help in this matter …
I have done that and turned of the Floating rule... and I made sure the NAT has the rules in place... I also did the PASS any rule on the L2TP tab. for now I am not blocking anything in that TAB until I get the Internet to work again... Once the floating rule was turned of so did the Internet turn off for the Remote Client. (I do reset the states after each change)
on NAT I have Hybrid selected to manually and Automatically create rules. No luck -
I put this on my test system last night and I am not convinced there's not something funky going on. Did you set it up like this?
https://doc.pfsense.org/index.php/L2TP/IPsec
-
yes that is what I used … and that is where I was told if traffic is blocked to use the floating rule.
-
That's exactly what I am seeing and was going to post about it. Guess it's a known issue. This L2TP/IPsec is brand new in 2.2 I think. I don't think it was feasible with raccoon.
I'll add the floating rule tonight and see. But, in a nutshell, your IPsec rules need to pass L2TP (UDP 1701), your L2TP VPN needs to pass traffic that you want clients to access (or in your case, block what you don't want them to access and pass everything else. And, I guess, there needs to be a floating rule passing return traffic back out to L2TP clients.
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
any news yet ? I can not block lan access unless I turn of the floating rule. and if I do so I lose also internet access.