
Author Topic: Add rules to OpenVPN client interface?  (Read 253 times)


Offline sporkme

Add rules to OpenVPN client interface?
« on: January 26, 2018, 04:11:00 pm »
How does one implement rules on an openvpn client interface?

I went to Interfaces -> Assign and selected/enabled the ovpnc interface of interest, and I now see a rules tab for it in the firewall config section.  I've restarted the vpn connection.  Even with no rules (which is a default block), traffic flows without restriction in both directions.

How do I attach rules to this?

Offline GoldFish

Re: Add rules to OpenVPN client interface?
« Reply #1 on: January 26, 2018, 04:33:20 pm »
A picture of rules might help
* pfSense Enthusiast *

Offline Derelict

Re: Add rules to OpenVPN client interface?
« Reply #2 on: January 26, 2018, 05:37:57 pm »
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
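
The evaluation order described in the reply above, modeled as an added example that is not part of the original thread and is not pfSense's own code: OpenVPN tab rules are checked first, then the assigned interface's rules, the first match decides, and no match at all is a block. The `Rule` class, the `evaluate` function, the addresses and the rule sets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None means any port
    label: str = ""

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def evaluate(pkt, openvpn_tab, assigned_iface):
    """Return (action, deciding tab, rule label) for a packet arriving over the VPN."""
    # Order as stated in the thread: the group tab first, then the assigned interface.
    for tab, rules in (("OpenVPN tab", openvpn_tab),
                       ("assigned interface", assigned_iface)):
        for rule in rules:
            if rule.matches(pkt):
                return rule.action, tab, rule.label   # first match wins
    return "block", "default deny", ""                # nothing matched on either tab


# Constructed sample packets and rules (hypothetical addresses).
SSH = {"src": "10.8.0.6", "dst": "192.168.1.10", "proto": "tcp", "dport": 22}
HTTPS = {"src": "10.8.0.6", "dst": "192.168.1.10", "proto": "tcp", "dport": 443}
PASS_ALL = Rule("pass", label="pass all")
IFACE = [Rule("pass", dst="192.168.1.10/32", proto="tcp", dport=443,
              label="HTTPS to web host"),
         Rule("block", label="block everything else")]

if __name__ == "__main__":
    cases = [("pass-all on OpenVPN tab, interface tab empty", [PASS_ALL], []),
             ("pass-all on OpenVPN tab, interface rules set", [PASS_ALL], IFACE),
             ("OpenVPN tab empty, interface tab empty", [], []),
             ("OpenVPN tab empty, interface rules set", [], IFACE)]
    for name, group, iface in cases:
        print(f"{name}: SSH -> {evaluate(SSH, group, iface)}")
```

With a pass-all rule on the OpenVPN tab, the SSH packet is passed by that tab in both of the first two cases, so the interface tab's block rule is never consulted.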

Offline sporkme

Re: Add rules to OpenVPN client interface?
« Reply #3 on: January 27, 2018, 12:34:01 pm »
Quote
A picture of rules might help

As I said above, there are no rules on this interface, so it should be a default deny/drop.

Anyhow, pics of that and the interface assignments attached.


Offline GoldFish

Re: Add rules to OpenVPN client interface?
« Reply #4 on: January 27, 2018, 12:54:24 pm »
What are the rules in OPENVPN tab?

Offline sporkme

Re: Add rules to OpenVPN client interface?
« Reply #5 on: January 27, 2018, 01:49:29 pm »
Quote
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.


This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?

I mean, if I remove the rules on that tab, where do I put rules for the server instance?

Offline Derelict

Re: Add rules to OpenVPN client interface?
« Reply #6 on: January 28, 2018, 01:07:00 am »
Quote
I mean, if I remove the rules on that tab, where do I put rules for the server instance?

On the assigned interface for the client or server.

Quote
This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?


That tab is an interface group of all OpenVPN instances on the node. Both clients and servers.

I say again:

Quote
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.

Offline sporkme

Re: Add rules to OpenVPN client interface?
« Reply #7 on: January 30, 2018, 06:27:28 pm »
Quote
I mean, if I remove the rules on that tab, where do I put rules for the server instance?

On the assigned interface for the client or server.

Quote
This is intriguing, but isn't that tab only for the OpenVPN server, not the client instances?


That tab is an interface group of all OpenVPN instances on the node. Both clients and servers.

I say again:

Quote
Rules on the OpenVPN tab are processed first.

If those rules match or block traffic the interface rules are never reached.

If you want the assigned interface rules to be controlling, delete/disable all of the rules on the OpenVPN tab.

I know you keep saying, but consider perhaps your understanding is incorrect.

Right now there's a pass all rule on the OpenVPN server interface.  I have added a "log packets matching..." checkbox on this rule.  There is traffic passing over the OpenVPN client interfaces.  It is not being logged.  Explain why no traffic matches if that rule overrides the client rules (which are still empty, which should be a deny all).

Also what sense would it make to have interface rules for each client instance if the rules have no effect?

Offline Derelict

Re: Add rules to OpenVPN client interface?
« Reply #8 on: January 30, 2018, 06:46:53 pm »
Demanding much?

Post both sets of rules. OpenVPN tab and the assigned interface.

Describe specifically what is the client and what is the server and what specific traffic you think is misbehaving. Details, like specific addresses and ports.