Block OpenVPN traffic to lan
-
Hi everyone,
Firstly this is my first post and also the first time I have used pfsense.
I have set up my firewall as a VPN server and so far my test client connects without any issues.
The problem I have is that once connected the VPN client can access all the networks, and I only want to be able to access the LAN and not the DMZ from the client.
The client address range is 192.168.3.0/24
LAN range is 192.168.1.0/24
DMZ range is 172.16.1.0/24
If I don't redirect traffic then I can control which local networks to access, but I want to use traffic redirect so as to get the same public IP address as the VPN server; it is as soon as I give this ability that the VPN client can access all networks.
I am a total novice at this so please excuse the apparent vague explanation and any guidance is greatly received.
Kind regards.
-
If I don't redirect traffic then I can control which local networks to access, but I want to use traffic redirect so as to get the same public IP address as the VPN server; it is as soon as I give this ability that the VPN client can access all networks.
With the "local networks" setting in the OpenVPN setup you can just specify the routes which should be pushed to the clients. But this wouldn't deny access to your networks. You can add additional routes on the client so you can access other subnets if it is not inhibited by firewall rules on pfSense.
So access permissions are controlled by firewall rules. I assume you will have an any-to-any allow rule on your OpenVPN interface. To prevent DMZ access, edit this rule, check "not" in the Destination area, change the type to "DMZ net" and save it.
This rule will permit access to anywhere, but not DMZ subnet.
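As an added illustration of the reply's point (this is not part of the thread and not pfSense code), here is a small Python model of pfSense's first-match interface rule evaluation. It compares the any-to-any allow rule the reply assumes with the same rule after ticking "not" on a "DMZ net" destination, plus an explicit block-above-allow variant that gives the same result. The subnets are the ones from the question; the client and target host addresses are constructed for the demonstration (203.0.113.0/24 is documentation address space).

```python
import ipaddress
from dataclasses import dataclass

# Subnets from the thread
VPN_NET = ipaddress.ip_network("192.168.3.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("172.16.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One entry in a pfSense interface ruleset (simplified: IPv4 only, no ports or protocol)."""
    action: str                 # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_invert: bool = False    # the "not" checkbox in the Destination area

    def matches(self, src_ip, dst_ip):
        if src_ip not in self.src:
            return False
        in_dst = dst_ip in self.dst
        return (not in_dst) if self.dst_invert else in_dst


def evaluate(rules, src, dst):
    """pfSense interface rules are first-match; traffic matching no rule hits the default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return "block"


# Ruleset the reply assumes is on the OpenVPN interface: any -> any allow
BEFORE = [Rule("pass", ANY, ANY)]
# The reply's fix: the same rule with Destination = "DMZ net" and "not" ticked
AFTER = [Rule("pass", ANY, DMZ_NET, dst_invert=True)]
# Alternative with the same effect: an explicit block for DMZ placed above the allow
ALT = [Rule("block", ANY, DMZ_NET), Rule("pass", ANY, ANY)]

# Constructed hosts: a VPN client and one target each in LAN, DMZ and on the internet
CLIENT = "192.168.3.6"
TARGETS = {"lan": "192.168.1.10", "dmz": "172.16.1.10", "internet": "203.0.113.5"}


def check_ruleset(rules):
    """Return the verdict for the VPN client reaching each target under the given ruleset."""
    return {name: evaluate(rules, CLIENT, ip) for name, ip in TARGETS.items()}


if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER), ("explicit block", ALT)):
        print(label, check_ruleset(rules))
```

With redirect-gateway enabled, the client's internet-bound traffic also enters through the OpenVPN interface, which is why the filter has to live in that interface's rules rather than in the pushed routes: routes only decide where packets go, the rules decide whether they are allowed at all.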