Prevent some LAN devices from being accessable over L2TP/IPsec
-
Sorry. I haven't revisited it. It says right there in the wiki that a floating pass rule on L2TP VPN interface might be necessary.
-
Thank you and yes that is certainly no problem at all. The problem is that after doing so I no longer have the ability to block access to certain LAN devices.
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection. -
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection.
Looking at the wiki, that rule is direction Out. Not really sure how's that affecting you.
-
neither do i .. I just know I can no longer block access to the lan
-
Did you configure this as direction Out and not any? Plus, what's preventing you from using the Source/Destination to restrict this to what you want only?
-
I used out only but when I used ports 53, 80, 443 to allow browsing only on the floating rule it does not work (see sample)
the floating rule only allows internet when any is selected …(see below)
-
And why are those other rules floating? Leave the wiki one as floating direction out and put the rest where it belongs to restrict traffic. I really don't understand how we all of a sudden got to the "to allow browsing only ". You stated the goal is to "prevent some LAN devices from being accessable over L2TP/IPsec". This is the exact opposite direction.
-
my goal is to allow people to browse through the vpn ..but not access the lan network… but to allow browsing I need to turn on the floating rule (TCP any out)
when that is done... I can no longer prevent them from accessing the lan also.... the rules in the l2tp vpn tab no longer works
-
the rules in the l2tp vpn tab no longer works
Yeah, those will never work… since, this tab is completely WRONG side of the tunnel. You need to move to the other firewall on the other end to block access to LAN. Or really dunno what "LAN network" are you talking about. Perhaps draw some diagram what are you trying to block where.
-
i have no other firewall in place only the pfsense unit. I only have VPN connections coming in… and there is no firewall that I know off...
-
i have no other firewall in place only the pfsense unit. I only have VPN connections coming in… and there is no firewall that I know off...
Sorry, but floating rule with direction OUT will never apply to inbound traffic to the selected interface. You are doing this upside down. You cannot take the wiki rule as is and start restricting ports/IPs accessible on your LAN.
-
Read the language in the documentation again:
Firewall traffic blocked outbound
If the firewall logs show traffic blocked "out" on L2TP, then add a floating firewall rule to work around the block:
Navigate to Firewall > Rules, Floating tab
Click "+" to add a new rule
Set 'Action to Pass
Check Quick
Select L2TP VPN for the Interface
Set Direction to Out
Set Protocol to TCP
Set Source/Destination as needed, or set to any
Advanced Features:
Set TCP Flags to Any flags
Set State Type to Sloppy StateYou should then control what your L2TP VPN clients can connect to with rules on your L2TP VPN tab. if you only want them to get at TCP/UDP 53, TCP/80, and TCP/443 put those pass rules there. Everything else will be blocked as it enters the firewall from the clients. Except that it doesn't work.
I just tested it. The floating rule is exactly as described above. Direction OUT on L2TP VPN verified. It appears the rules on the L2TP VPN tab are ignored. Yes, I cleared states.
I can still SSH to 172.26.0.100 and the source address is the VPN client address 172.29.7.128.
-
Yeah, of course they will get ignored when you tick the "Quick" checkbox on the floating rule.
-
Direction OUT. The SSH connection is coming IN.
So you're saying the wiki is wrong?
https://doc.pfsense.org/index.php/L2TP/IPsec
And the floating rule is for TCP only. I can still ping 172.26.0.100 despite the reject rule.
-
Sigh…
1/ Check what sloppy state does.
2/ Check the Set Source/Destination as needed - why on earth are you setting that as ANY when it obviously is NOT suitable for the intended purpose??? -
Because without it set to ANY reply traffic to sides is blocked outbound. This is with the rule disabled:
 -
The bottom line is rules on the L2TP VPN tab do not work like they work on every other VPN interface in pfSense. They do not filter traffic coming INTO the firewall from VPN clients at the other end of the tunnel.
For instance, with the floating rule disabled I can still ping 172.26.0.100 despite the explicit block rule on L2TP VPN.
-
I am not telling you to disable the rule. I am telling you to "Set Source/Destination as needed". When access to LAN in unwanted, obviously ANY is not proper?!?!?!?!?!?!?!?!?
-
Explain how, with this explicit block rule, L2TP clients can ping 172.26.0.100. The floating rule only applies to TCP traffic anyway so enabled or disabled makes no difference. Let's forget about TCP and concentrate on ICMP.
 -
All rules on LT2P VPN tab disabled
Floating sloppy rule disabled
Only rule on IPsec tab passes UDP 1701 to WAN address
States clearedCan still ping 172.26.0.100 from L2TP clients.
