pfSense + OpenVPN, Remote Access with assigned interface - how to allow traffic to LAN?

Hi nerds,
I am a proud admin of a dozen pfSense firewalls with many site-to-site and remote access OpenVPN tunnels, all precisely based on the great Lawrence tutorials, in a nearly perfect state. However, I am now fighting with one situation I can't find an answer to in the forums, I swear. I need help or a link with a trick to make the following setup work.

Currently there is a remote access OpenVPN tunnel set up (using the wizard many years back) and it just works as expected. However, for more advanced policy routing I would now need to give ovpns1 its own assigned interface. Based on many tutorials and using some common sense, I did this:

  1. assigned ovpns1 to a new interface OVPN_RA, enabled it, disabled monitoring
  2. set new rules for this particular new interface and disabled the default rule on the default OpenVPN interface; to begin with I used allow all
  3. I can still connect to the tunnel, I get a tunnel IP address, I can see in the logs that it is connected, but I see all other traffic logged as “!default deny rule”.

So I am wondering which last bit is needed to make this setup work?
I can reach the pfSense; the firewall port is open (it already was with the old setup).
I can connect and I can see requests, but I am not sure where else to enable the traffic. Logic tells me that if it is enabled on the new interface and it can create the tunnel, I need to somehow allow traffic to the LAN, which I expected to be the allow all rule under the new interface…
I found one page very close to my case, but I believe I did follow it and still no traffic is allowed to the LAN.

I spent several hours on this and always restore my working config at the end of the day.

Please, if there is a how-to somewhere implementing OpenVPN for site-to-site or remote access with a dedicated interface, point me to it.

You still need a rule that allows the OpenVPN network to access the LAN.

I don’t use the allow rule, but it seems like it ought to work.

The rule order goes from top to bottom so that might be affecting your setup.

If you have, say, 2 VLANs that can see each other, just copy those rules for your OpenVPN rules.

Thanks neogrid,
That is what, I dare say, I have. On the new OVPN_RA interface I created a rule to allow all traffic (IPv4, all protocols) to LAN. No exceptions for the beginning. This is pretty much the same rule I had on the standard OpenVPN interface. I have disabled it there, as I figured out that the OpenVPN rules are evaluated first and then comes the evaluation of the specific interface rules. There is only one rule. I can see in the logs that it is used.

I do not use VLANs. It is a pure WAN / LAN / OPT1 (OVPN_RA).

The reason I am trying to get help here is that I normally quite follow the logic and I have never experienced such strange behavior.

My understanding of the use of a dedicated interface for OpenVPN was that it allows me to use its gateway and interface in further rules to narrow down the security. But at this moment I can't get even a basic setup to work. I expected that using the interface would require just “moving” the basic rule from the OpenVPN interface to the new OPT1 (OVPN_RA) and the rest would stay the same.

I am wondering if there is some NAT necessary to be set up, which is done automatically for the default wizard setup, but for a manually added OVPN interface perhaps it needs to be created? However, I didn't find any hint.

I will try to take some screenshots.

Yes you need an outbound NAT rule for your VPN.

I have not used the Wizard for setting up the VPN.

LTS has videos on setting up the RAS.
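For readers following this thread, here is an added example in plain pf syntax (not pfSense's generated ruleset and not code from any poster) of what the two pieces discussed above amount to: the "allow tunnel network to LAN" rule on the assigned OVPN_RA interface tab, and the outbound NAT rule the last reply recommends. All names and addresses are assumptions: ovpns1 is the OpenVPN server interface assigned as OVPN_RA, em1 is LAN, 10.8.0.0/24 is the tunnel network and 192.168.1.0/24 is the LAN network.

```pf
# Illustrative pf rules (added example; pfSense generates its own ruleset).
# Assumed names: ovpns1 = OpenVPN server interface assigned as OVPN_RA,
# em1 = LAN, 10.8.0.0/24 = tunnel network, 192.168.1.0/24 = LAN network.
ovpn_if = "ovpns1"
lan_if  = "em1"
tun_net = "10.8.0.0/24"
lan_net = "192.168.1.0/24"

# Outbound NAT for the VPN (what the last reply recommends): tunnel clients
# talking to LAN hosts appear to come from the firewall's LAN address, so
# LAN hosts never need a route back to the tunnel network.
nat on $lan_if inet from $tun_net to $lan_net -> ($lan_if)

# Interface-tab rule equivalent to "allow tunnel network to LAN net" on the
# OVPN_RA tab. pfSense rules are first-match ("quick"): floating rules are
# evaluated first, then the OpenVPN group tab, then the interface tab, so a
# disabled rule on the OpenVPN tab simply leaves matching to this one.
pass in quick on $ovpn_if inet from $tun_net to $lan_net keep state

# Anything else arriving on the tunnel interface hits the default deny,
# which is what the "!default deny rule" log entries in the thread show.
block in log quick on $ovpn_if
```

On a pfSense box the generated equivalents can be inspected with `pfctl -sr` (filter rules) and `pfctl -sn` (NAT rules); grepping those for ovpns1 is a quick way to confirm that the rule on the OVPN_RA tab actually landed on the assigned interface after the OpenVPN service was restarted.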