Route traffic for only a specific IP via the VPN, and block all incoming traffic



  • Dear All,
    I'm going crazy with this. I have the .ovpn file and my access credentials for a VPN service. I would like to set up my pfSense router to establish the VPN connection and route each request coming from the network for a specific IP address xxx.xxx.xxx.xxx via the VPN.
    In addition to this I would like to block all the traffic incoming from the VPN except the answers to my specific requests (made on a specific port, 9000).

    Which howto should I follow for establishing the VPN?
    Can anyone help me on how to setup the FW rules for the above mentioned configuration please?

    Thank you,
    dk





  • Thank you for the link really useful, I actually did not see this post probably because it was brand new!

    Anyway I also followed this tutorial (https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/) for the setup of the VPN and now the VPN is up and running (according to the status) but no traffic is allowed.
    I have created a rule in the LAN FW and placed it at the top of my list:

    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | LAN Address | * | 172.217.19.174 | * | MyVPN | none |

    Since I want all the traffic to IP 172.217.19.174 to be forwarded via the VPN.
    But it looks like no response is received.
    How do I authorize incoming traffic from the VPN only in response to a previous request coming from my LAN?

    In the MyVPN tab of the FW rules there is no rule.

    Thank you for your support,
    dk



  • @d82k:


    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | LAN Address | * | 172.217.19.174 | * | MyVPN | none |

    Since I want all the traffic to IP 172.217.19.174 to be forwarded via the VPN.

    LAN Address is the address of pfSense's LAN interface. You'll have to change this to LAN net to get it to work for hosts connected to the LAN interface.

    @d82k:

    How do I authorize incoming traffic from the VPN only in response to a previous request coming from my LAN?

    This is what pfSense does by default through stateful filtering.



  • @viragomann:

    LAN Address is the address of pfSense's LAN interface. You'll have to change this to LAN net to get it to work for hosts connected to the LAN interface.

    I have tried it, and also placing a specific source IP, but nothing changes. I also restarted the VPN, but I cannot even ping IP 172.217.19.174.
    Any other suggestion please?

    @viragomann:

    How do I authorize incoming traffic from the VPN only in response to a previous request coming from my LAN?
    This is what pfSense does by default through stateful filtering.

    OK, I imagined so; then I don't need to place an "any any deny" rule at the end either, I suppose…



  • Have you configured an outbound NAT rule for the VPN interface?

    Incoming traffic from the VPN has to be explicitly permitted by a firewall rule on the OpenVPN tab.



  • @viragomann:

    Have you configured an outbound NAT rule for the VPN interface?

    I don't know why, but the link to the tutorial I used was not included; anyway I followed this: http://nordvpn.com/tutorials/pfsense/pfsense-openvpn/
    I have the configuration described in the tutorial, the VPN is up and I receive a virtual address.
    My outbound NAT rules are the same as in the picture in the tutorial; I created them manually, but they look the same.

    @viragomann:

    Incoming traffic from the VPN has to be explicitly permitted by a firewall rule on the OpenVPN tab.

    What do you mean? In the MyVPN tab of the FW rules I tried to allow all traffic to see if that was the issue, but nothing…

    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | * | * | * | * | * | none |






  • Thank you Derelict, I realized there was a small error in the NAT outbound table. I fixed it and now it works; the linked tutorial has really been useful.

    | Proto | Source | Port | Destination | Port | Gateway | Queue |
    |-------|--------|------|-------------|------|---------|-------|
    | IPv4* | LAN net | * | 172.217.19.174 | * | MyVPN | none |

    Only traffic generated from the LAN network and destined for that IP will be forwarded via the VPN, and only the related responses are allowed to enter from the VPN; other incoming traffic from the VPN will be rejected, right?


  • What connections are allowed in from OpenVPN are governed by the rules on the OpenVPN tab and the OpenVPN assigned interface tab.

    For client connections to VPN providers such as this, they should be treated like rules on WAN. Delete/disable all rules unless you need something passed.

    It sounds like you have a misunderstanding of what it means to be a STATEFUL firewall. Look that up and how it relates to return traffic for an outbound connection state.
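As an added illustration, not something any poster wrote or pfSense's generated config, here is a hand-written pf rule set expressing what the thread converges on: policy-route only LAN-net traffic to 172.217.19.174 on port 9000 through the VPN gateway, NAT it on the tunnel interface, and pass nothing in on the VPN side so only stateful replies return. The interface names, tunnel gateway address and TCP as the protocol are assumptions.

```pf
# Added example, not pfSense-generated config. Interface names, the tunnel
# gateway and the protocol are assumed; only 172.217.19.174 and port 9000
# come from the thread.
lan_if = "igb1"            # pfSense LAN interface (assumed name)
vpn_if = "ovpnc1"          # OpenVPN client interface assigned as "MyVPN" (assumed)
vpn_gw = "10.8.0.1"        # tunnel gateway handed out by the provider (assumed)
target = "172.217.19.174"

set skip on lo0

# Default deny inbound on every interface. No pass rule exists for $vpn_if,
# so the provider side cannot open connections towards the LAN: the VPN
# interface is treated exactly like WAN.
block in log all

# Outbound NAT on the VPN interface. Without it, packets leave the tunnel with
# a private LAN source address and the provider cannot route replies back;
# this is the "small error in the NAT outbound table" class of problem.
nat on $vpn_if from $lan_if:network to $target -> ($vpn_if)

# Policy route: source must be the LAN subnet ($lan_if:network, i.e. "LAN net"),
# not the firewall's own LAN address. Only traffic to the target on port 9000
# is sent via the VPN gateway. The state created here is what lets the reply
# packets in on $vpn_if although no rule passes traffic in on that interface.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp \
    from $lan_if:network to $target port 9000 keep state

# Everything else from the LAN keeps using the default route.
pass in on $lan_if inet from $lan_if:network to any keep state
```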

