Prevent some LAN devices from being accessable over L2TP/IPsec
-
I had a floating rule in place maybe that OVERULED IT …
so now I can not browse or access the lan ... how do I get browsing back through the vpn ? -
Floating rule, huh.
For connections originating from L2TP clients:
Block specifically what you want to block (Specific LAN host(s))
Pass what you want to pass (any any) -
unless I have this in place nothing works … and with that in place your rules in the L2TP vpn tab wont work..
-
There's no way you need that floating rule - especially since it's direction out. Get rid of it and put a Pass IPv4 any source any dest any rule on L2TP VPN.
You need to make sure:
The L2TP VPN tab contans rules that dictate what you want your L2TP clients to have access to. Since you want them to access the internet over the tunnel, that means block what you don't want them to access and pass everything else.
There is proper outbound NAT on WAN for the L2TP tunnel network.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Thank you for your help in this matter …
I have done that and turned of the Floating rule... and I made sure the NAT has the rules in place... I also did the PASS any rule on the L2TP tab. for now I am not blocking anything in that TAB until I get the Internet to work again... Once the floating rule was turned of so did the Internet turn off for the Remote Client. (I do reset the states after each change)
on NAT I have Hybrid selected to manually and Automatically create rules. No luck -
I put this on my test system last night and I am not convinced there's not something funky going on. Did you set it up like this?
https://doc.pfsense.org/index.php/L2TP/IPsec
-
yes that is what I used … and that is where I was told if traffic is blocked to use the floating rule.
-
That's exactly what I am seeing and was going to post about it. Guess it's a known issue. This L2TP/IPsec is brand new in 2.2 I think. I don't think it was feasible with raccoon.
I'll add the floating rule tonight and see. But, in a nutshell, your IPsec rules need to pass L2TP (UDP 1701), your L2TP VPN needs to pass traffic that you want clients to access (or in your case, block what you don't want them to access and pass everything else. And, I guess, there needs to be a floating rule passing return traffic back out to L2TP clients.
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
-
thank you very much … i thought I am going to loose my last few hair that I have left. good to know its not just me seeing having a problem there
any news yet ? I can not block lan access unless I turn of the floating rule. and if I do so I lose also internet access.
-
Sorry. I haven't revisited it. It says right there in the wiki that a floating pass rule on L2TP VPN interface might be necessary.
-
Thank you and yes that is certainly no problem at all. The problem is that after doing so I no longer have the ability to block access to certain LAN devices.
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection. -
Once the floating rule is in place … you can browse and you can access the entire network. In general that is a good idea... but I need to be able to block some machines from being accessible through the VPN connection.
Looking at the wiki, that rule is direction Out. Not really sure how's that affecting you.
-
neither do i .. I just know I can no longer block access to the lan
-
Did you configure this as direction Out and not any? Plus, what's preventing you from using the Source/Destination to restrict this to what you want only?
-
I used out only but when I used ports 53, 80, 443 to allow browsing only on the floating rule it does not work (see sample)
the floating rule only allows internet when any is selected …(see below)
-
And why are those other rules floating? Leave the wiki one as floating direction out and put the rest where it belongs to restrict traffic. I really don't understand how we all of a sudden got to the "to allow browsing only ". You stated the goal is to "prevent some LAN devices from being accessable over L2TP/IPsec". This is the exact opposite direction.
-
my goal is to allow people to browse through the vpn ..but not access the lan network… but to allow browsing I need to turn on the floating rule (TCP any out)
when that is done... I can no longer prevent them from accessing the lan also.... the rules in the l2tp vpn tab no longer works
-
the rules in the l2tp vpn tab no longer works
Yeah, those will never work… since, this tab is completely WRONG side of the tunnel. You need to move to the other firewall on the other end to block access to LAN. Or really dunno what "LAN network" are you talking about. Perhaps draw some diagram what are you trying to block where.
-
i have no other firewall in place only the pfsense unit. I only have VPN connections coming in… and there is no firewall that I know off...