Topic: IPSEC VPN restrict access

zMaliz
IPSEC VPN restrict access
« on: December 21, 2017, 11:59:26 am »
Hi.
I'm looking at creating an IPSEC VPN between home and the office.

Ideally I'd like to restrict this so only 2/3 devices locally (home) use it and from the office they can only access those 2/3 devices.
Is this possible? Can someone point me in the right direction?

Thanks

Derelict (Global Moderator)
Re: IPSEC VPN restrict access
« Reply #1 on: December 21, 2017, 12:12:48 pm »
Quote
Hi.
I'm looking at creating an IPSEC VPN between home and the office.

Ideally I'd like to restrict this so only 2/3 devices locally (home)

Pass the traffic you want to allow using firewall rules on the LAN interface for the remote VPN destinations.

Then reject LAN net to the VPN destinations.

Ideally this should also be done at the other side for traffic coming into the firewall there but you can generally control it like this too.

Quote
use it and from the office they can only access those 2/3 devices.
Is this possible ?  Can someone point me in the right direction.

Pass the traffic you want passed from the remote sources on the IPsec tab.

Reject everything else (or just let default deny there do it. I prefer reject for internal blocks like this so a negative reply is returned to the source.)
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

zMaliz
Re: IPSEC VPN restrict access
« Reply #2 on: December 21, 2017, 04:07:24 pm »
Thanks, I'll try this over Christmas and see how I get on.

zMaliz
Re: IPSEC VPN restrict access
« Reply #3 on: December 26, 2017, 04:48:29 am »
Thanks for the advice. I'm trying to work out the best way to do this.

So far I've created an alias which contains the internal local IP Addresses I want to access the office via the IPSEC VPN. This alias is called 'OfficeACL'

In Firewall / Rules / IPSec I've added a rule:
Source: 192.168.10.0/24 (office range)
Destination: OfficeACL

In Firewall / Rules / LAN I've added a rule:
Source: OfficeACL
Destination: 192.168.10.0/24  (office range)

Is that right? Will other devices in the local IP address range be able to get to the office?

Will other devices in the office be able to get to anything other than OfficeACL devices?

Thanks

Derelict (Global Moderator)
Re: IPSEC VPN restrict access
« Reply #4 on: December 26, 2017, 01:10:33 pm »
I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

What is the Local LAN subnet?

zMaliz
Re: IPSEC VPN restrict access
« Reply #5 on: December 27, 2017, 01:15:30 pm »
Quote
I don't know what "Office" is. What is the IPsec tunnel network or the remote networks?

What is the Local LAN subnet?

Hi
Remote office network is 192.168.10.0/24
Local LAN is 192.168.25.0/24

I only want a couple of devices to have access via the VPN and be reachable from the VPN. These have been specified in the OfficeACL.

Thanks
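As an added illustration (not code from this thread or from pfSense), the rule layout Derelict describes in Reply #1, with the OfficeACL alias from Reply #3 and the subnets from Reply #5, modelled as a first-match evaluator. The two alias members and the stock "allow LAN to any" rule at the bottom of the LAN tab are assumptions; Reply #3 lists only the pass rules, and the evaluator shows what the reject rule adds.

```python
from ipaddress import ip_address, ip_network

# Values from the thread; the alias members are constructed examples.
OFFICE_NET = "192.168.10.0/24"   # remote office subnet (Reply #5)
LAN_NET = "192.168.25.0/24"      # home LAN subnet (Reply #5)
ALIASES = {"OfficeACL": ["192.168.25.10/32", "192.168.25.11/32"]}  # assumed hosts

def expand(spec):
    """Resolve an alias name, 'any' or a CIDR string into a list of networks."""
    if spec in ALIASES:
        return [ip_network(n) for n in ALIASES[spec]]
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(spec)]

# Each tab is a list of (action, source, destination); first match wins,
# as pfSense evaluates rules on a tab from top to bottom.
LAN_TAB = [
    ("pass",   "OfficeACL", OFFICE_NET),   # the few home hosts may use the tunnel
    ("reject", LAN_NET,     OFFICE_NET),   # everyone else on LAN gets a negative reply
    ("pass",   LAN_NET,     "any"),        # assumed stock "allow LAN to any" rule
]
LAN_TAB_WITHOUT_REJECT = [LAN_TAB[0], LAN_TAB[2]]   # what Reply #3 lists
IPSEC_TAB = [
    ("pass",   OFFICE_NET, "OfficeACL"),   # office may reach only the alias hosts
    ("reject", "any",      "any"),         # explicit reject instead of default deny
]

def evaluate(tab, src, dst):
    """Return the action of the first rule matching src -> dst, or the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d in tab:
        if any(src in n for n in expand(s)) and any(dst in n for n in expand(d)):
            return action
    return "block"   # pfSense's implicit default deny when nothing matches

if __name__ == "__main__":
    for src in ("192.168.25.10", "192.168.25.50"):
        print(src, "-> office, with reject:   ", evaluate(LAN_TAB, src, "192.168.10.5"))
        print(src, "-> office, without reject:", evaluate(LAN_TAB_WITHOUT_REJECT, src, "192.168.10.5"))
    for dst in ("192.168.25.10", "192.168.25.50"):
        print("office ->", dst, ":", evaluate(IPSEC_TAB, "192.168.10.5", dst))
```

Without the reject rule, a LAN host outside the alias still reaches the office because the stock allow-all rule matches next; with it, only alias members pass while their normal internet access is untouched.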