Netgate Discussion Forum
    [SOLVED] OpenVPN firewall rule issue

Firewalling
Supay:

Good morning,

I have an issue with my firewall rules relating to OpenVPN and I am hoping that someone can assist me please? I imagine it's something minor that I am overlooking, so please put me out of my misery!

I have set up my OpenVPN and have successfully configured it to work with client specific overrides so that individual users get assigned static IPs. This all works perfectly and each user is able to gain access and gets the desired IP.

As I am the owner of the system I have added a firewall rule to the OpenVPN tab which grants my static IP access to everything: this works as intended and I can access all internal network devices and the internet through my WAN interface.

However, the issue I am having is to do with other users with restricted access. I have added the static IPs for these users to an alias and set a rule to pass their traffic to a specific IP on my network, as this is the only device I want them to have access to on my network: this works perfectly and these users can only see and access this IP. This blocked their access to the internet through the WAN though and I want them to have this as well. I assumed that setting a second firewall rule in the OpenVPN tab to pass their alias to the "WAN net" would work but still no access. I tried "WAN address" instead, still no access. I manually tried the WAN gateway IP but still no access. If I amend the rule to allow access to everything they get internet access through the WAN but of course get the whole internal network again, which I do not want.

Do I have my destination option set incorrectly? I was sure it would be one of the WAN options but they just don't work. Any advice would be greatly appreciated please.
doktornotor:

Perhaps you could post screenshots of what you did set up where, instead of describing what you did set up.
Supay:

@doktornotor:

Perhaps you could post screenshots of what you did set up where, instead of describing what you did set up.

Hi, thanks for replying. Sorry I haven't posted further since, a crazed toddler has been demanding all attention the last few days. I have added screenshots of my firewall rule tab summaries to this post. The aliases purely contain the static IPs for users on the sources, and an alias containing just the IP for my NAS as the destination in the rule to allow them access to that. As you can see, I added a rule to the OpenVPN tab to allow the alias IPs to access the "WAN net", though I have also tried the "WAN address" option with no success. I also tried manually setting the WAN gateway IP as a destination but no luck there either. The only way to let the alias IPs access the WAN is to allow them to access any destination; then they get back to the internet with no issue.

If you need anything else, please let me know.
Derelict (Netgate):

WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.

You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.
Supay:

@Derelict:

WAN net is not the internet. WAN net is the subnet on your WAN interface. For all of the internet use any.

You will want to block local networks/assets you do NOT want these users to have access to with rules above the pass any rule.

So I am not able to purely specify to pass traffic for those users to only the internet? I have to allow them access to everything then go through and manually create rules to block access to everything else on the network? That seems a bit bizarre; why can't I just grant them pass access to the internet?
Derelict (Netgate):

Think about it. What are the destination addresses on the internet?

Yes, maintaining a firewall can be work.
Supay:

@Derelict:

Think about it. What are the destination addresses on the internet?

Yes, maintaining a firewall can be work.

I understand that, I obviously can't list every address on the internet. But isn't there a means to permit the VPN clients to purely access through the WAN interface to the internet?
Derelict (Netgate):

No.

You can usually make an RFC1918 alias and make one rule for that and one for this firewall and catch about everything.
Supay:

@Derelict:

No.

Thanks for clarifying it. Can you explain why, as I don't understand the technical reason for not being able to permit all traffic outbound on a specific interface regardless of the destination address?
Derelict (Netgate):

Because it doesn't work that way. I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets. Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.

You would absolutely want to uncheck System > Advanced > Miscellaneous tab "Skip rules when gateway is down" if you are going to rely on policy routing as a security measure. I would advise against it.
Supay:

@Derelict:

Because it doesn't work that way. I suppose if you policy-routed that rule out WAN it might be the equivalent. I'd still want the block rules for other local assets. Someone who knows the internals better than I do would have to speak as to whether simply policy-routing out WAN would be enough.

You would absolutely want to uncheck System > Advanced > Miscellaneous tab "Skip rules when gateway is down" if you are going to rely on policy routing as a security measure. I would advise against it.

Thank you for answering, I appreciate it. As you have likely worked out, I am relatively new to this and trying to improve my knowledge and ability.

For my purpose, i.e. wanting a group of VPN users to have access to one particular device on my network and internet access, but no access to anything else, would it be effective and efficient to use some form of subnet/VLAN to segregate all of the secure devices onto one to which they have no access, while the one device and the WAN interface access sits on another to which they do have access?
Derelict (Netgate):

It doesn't matter where the WAN is. If you have all the things you want to protect on one network then you can block the access to everything with one rule.

But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing, then block LAN net, then pass any.

1. Pass specific local assets you want them to access (specific host on LAN)
2. Block more general things you don't want them to access (LAN net, This firewall)
3. Pass everything else (the internet)
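The ordering above works because pfSense evaluates the rules on an interface tab top to bottom and the first match wins (the GUI adds "quick" to every user rule), and because "WAN net" only describes the subnet attached to the WAN interface. The following Python model is added here as an illustration; it is not code from the thread or from pfSense. It replays three rulesets against constructed packets: the original "WAN net" attempt, the pass-specific / block-general / pass-any ordering from this post, and the RFC1918-alias variant Derelict mentioned earlier. All subnets, the NAS address, the firewall's addresses and the contents of the restricted-clients alias are assumptions made for the example; "This Firewall" stands for the pfSense "This Firewall (self)" selector, which covers every address assigned to the firewall.

```python
import ipaddress

# All addressing below is constructed for this example; the thread gives no real subnets.
# The comments name the pfSense GUI selector each value stands in for.
LAN_NET        = ipaddress.ip_network("192.168.1.0/24")     # "LAN net"
NAS            = ipaddress.ip_address("192.168.1.10")        # the one local host they may reach
FIREWALL_LAN   = ipaddress.ip_address("192.168.1.1")
WAN_NET        = ipaddress.ip_network("203.0.113.0/24")     # "WAN net": the ISP segment, not the internet
WAN_ADDRESS    = ipaddress.ip_address("203.0.113.5")         # "WAN address"
OPENVPN_SERVER = ipaddress.ip_address("10.8.0.1")
THIS_FIREWALL  = [FIREWALL_LAN, WAN_ADDRESS, OPENVPN_SERVER]  # "This Firewall (self)"
RESTRICTED     = [ipaddress.ip_address("10.8.0.50"),          # alias holding the restricted
                  ipaddress.ip_address("10.8.0.51")]          # clients' static OpenVPN addresses
RFC1918        = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def matches(selector, addr):
    """A selector is the string "any" or a list of addresses/networks (an alias)."""
    if selector == "any":
        return True
    for item in selector:
        if isinstance(item, ipaddress.IPv4Network):
            if addr in item:
                return True
        elif addr == item:
            return True
    return False


def evaluate(rules, src, dst):
    """First matching rule wins, top to bottom, as on a pfSense interface tab.
    No match at all falls through to the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in rules:
        if matches(s, src) and matches(d, dst):
            return action
    return "block"


# What the original poster tried: the NAS plus "WAN net" as the destination.
WAN_NET_ATTEMPT = [
    ("pass", RESTRICTED, [NAS]),
    ("pass", RESTRICTED, [WAN_NET]),
]

# The ordering from this post: specific pass, general blocks, then pass any.
LAYERED = [
    ("pass",  RESTRICTED, [NAS]),           # 1. the one local asset
    ("block", RESTRICTED, [LAN_NET]),       # 2. everything else on LAN...
    ("block", RESTRICTED, THIS_FIREWALL),   #    ...and the firewall itself
    ("pass",  RESTRICTED, "any"),           # 3. whatever is left: the internet
]

# The RFC1918-alias variant: one block covers every private range (other VPN
# clients included), but the public WAN address still needs "This Firewall".
RFC1918_VARIANT = [
    ("pass",  RESTRICTED, [NAS]),
    ("block", RESTRICTED, RFC1918),
    ("block", RESTRICTED, THIS_FIREWALL),
    ("pass",  RESTRICTED, "any"),
]

if __name__ == "__main__":
    targets = ["192.168.1.10", "192.168.1.20", "192.168.1.1",
               "203.0.113.5", "203.0.113.77", "1.1.1.1"]
    for name, rules in [("WAN net attempt", WAN_NET_ATTEMPT),
                        ("layered", LAYERED), ("RFC1918 variant", RFC1918_VARIANT)]:
        print(name)
        for dst in targets:
            print(f"  10.8.0.50 -> {dst:14} {evaluate(rules, '10.8.0.50', dst)}")
```

Running it shows the "WAN net" attempt blocking 1.1.1.1 (no rule matches, so the default deny applies) while the layered set passes it and still blocks 192.168.1.20, the LAN address of the firewall and the WAN address. The model ignores protocol and port, and a source that is not in the alias is denied by the default policy, so the owner's own rule is not represented here. Note that blocking the whole RFC1918 space also cuts the restricted clients off from each other on the tunnel subnet, which is usually what you want, and that "This Firewall" is what keeps the pass-any rule from exposing the WAN address and the OpenVPN server address.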
Supay:

@Derelict:

It doesn't matter where the WAN is. If you have all the things you want to protect on one network then you can block the access to everything with one rule.

But if you have one asset on, say, LAN that you want them to be able to access, just pass access to that one thing, then block LAN net, then pass any.

1. Pass specific local assets you want them to access (specific host on LAN)
2. Block more general things you don't want them to access (LAN net, This firewall)
3. Pass everything else (the internet)

Thank you so much, that has worked perfectly. That is what I was trying to achieve; I had just wrongly assumed that I would be able to purely open access to just the one local asset and the outbound WAN. I understand now, time to go find something else to break!

                              © 2021 Rubicon Communications, LLC | Privacy Policy