Netgate Discussion Forum
    [SOLVED] OpenVPN firewall rule issue

    Derelict (LAYER 8, Netgate):

      WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.

      You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)


      Supay:

        @Derelict:

        WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.

        You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.

        So I am not able to purely specify to pass traffic for those users to only the internet?  I have to allow them access to everything then go through and manually create rules to block access to everything else on the network?  That seems a bit bizarre, why can't I just grant them pass access to the internet?


      Derelict:

          Think about it.  What are the destination addresses on the internet?

          Yes, maintaining a firewall can be work.



      Supay:

            @Derelict:

            Think about it.  What are the destination addresses on the internet?

            Yes, maintaining a firewall can be work.

            I understand that, I obviously can't list every address on the internet.  But isn't there a means to permit the VPN clients to purely access through the WAN interface to the internet?


      Derelict:

              No.

              You can usually make an RFC1918 alias and make one rule for that and one for this firewall and catch about everything.



      Supay:

                @Derelict:

                No.

                Thanks for clarifying it.  Can you explain why, as I don't understand the technical reason for not being able to permit all traffic outbound on a specific interface regardless of the destination address?


      Derelict:

                  Because it doesn't work that way.  I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets.  Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.

                  You would absolutely want to uncheck System > Advanced > Miscellaneous tab Skip rules when gateway is down if you are going to rely on policy routing as a security measure. I would advise against it.



      Supay:

                    @Derelict:

                    Because it doesn't work that way.  I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets.  Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.

                    You would absolutely want to uncheck System > Advanced > Miscellaneous tab Skip rules when gateway is down if you are going to rely on policy routing as a security measure. I would advise against it.

                    Thank you for answering, I appreciate it.  As you have likely worked out, I am relatively new to this and trying to improve my knowledge and ability.

                    For my purpose i.e. wanting a group of VPN users to have access to one particular device on my network and internet access, but no access to anything else, would it be effective and efficient to use some form of subnet/VLAN to segregate all of the secure devices onto one to which they have no access while the one device and the WAN interface access sits on another to which they do have access?


      Derelict:

                      It doesn't matter where the WAN is.  If you have all the things you want to protect on one network then you can block the access to everything with one rule.

                      But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing then block LAN net then pass any.

                      1. Pass specific local assets you want them to access (specific host on LAN)
                      2. Block more general things you don't want them to access (LAN net, This firewall)
                      3. Pass everything else (the internet)



      Supay:
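The three-step ordering above, and the RFC1918 alias suggested earlier in the thread, modelled as a first-match rule walk. This is an added illustration, not pfSense code or anything posted in the thread; the addresses, the alias contents and the "This Firewall" list are constructed example values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (not from the thread): one LAN device the VPN
# users may reach, the LAN subnet, every address the firewall itself holds,
# and an RFC1918 alias covering all private ranges.
ALLOWED_HOST = "192.168.1.50"
LAN_NET = "192.168.1.0/24"
THIS_FIREWALL = ["192.168.1.1", "10.8.0.1", "203.0.113.2"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass
class Rule:
    action: str          # "pass" or "block"
    destinations: list   # networks or hosts; an empty list means "any"
    label: str


def matches(rule, dst):
    """True when dst falls inside any destination of the rule ("any" always matches)."""
    if not rule.destinations:
        return True
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(n, strict=False) for n in rule.destinations)


def evaluate(rules, dst):
    """First matching rule wins; nothing matching falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, dst):
            return rule.action, rule.label
    return "block", "default deny"


# Derelict's ordering: specific pass first, general blocks next, pass any last.
RECOMMENDED = [
    Rule("pass", [ALLOWED_HOST], "pass the one allowed LAN host"),
    Rule("block", [LAN_NET], "block LAN net"),
    Rule("block", THIS_FIREWALL, "block This Firewall"),
    Rule("block", RFC1918, "block RFC1918 alias (any other local network)"),
    Rule("pass", [], "pass any (the internet)"),
]

# What a lone "pass any" rule does: every destination, LAN included, is allowed.
PASS_ANY_ONLY = [Rule("pass", [], "pass any")]


def decisions(rules, dsts):
    """Map each destination to the action the rule set takes for it."""
    return {d: evaluate(rules, d)[0] for d in dsts}
```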

                        @Derelict:

                        It doesn't matter where the WAN is.  If you have all the things you want to protect on one network then you can block the access to everything with one rule.

                        But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing then block LAN net then pass any.

                        1. Pass specific local assets you want them to access (specific host on LAN)
                        2. Block more general things you don't want them to access (LAN net, This firewall)
                        3. Pass everything else (the internet)

                        Thank you so much, that has worked perfectly. That is what I was trying to achieve, I had just wrongly assumed that I would be able to purely open access to just the one local asset and the outbound WAN. I understand now, time to go find something else to break!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.