I have been reading through the Book of PF (3rd edition) and other resources on
the web (FAQ), so far so good, but I'm hitting some roadblocks. This router I
have built is also acting as a client to an external VPN server; it works and
my client is getting a connection just fine. The problem is that whenever
OpenVPN is active I cannot SSH in from a specific subnet - my pf rules aren't
right. Is there some obvious issue with my rules standing out to you? I
appreciate you looking, thanks.
Topology:
[pfSense Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan
subnet 192.168.1.0/24) ------ Unmanaged Switch ------ [OpenBSD router :
192.168.1.100] (ethernet lan subnet 10.0.0.0/24)
What doesn't work:
pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router
(when OpenVPN is active on the OpenBSD router)
My pf.conf:
# Macros for interfaces
wan_interface = "re0"
lan_interface = "em0"
vpn_interface = "tun0"
# Macros for subnets
wan_subnet = "re0:network"
lan_subnet = "em0:network"
wifi_subnet = "192.168.2.0/24"
# Macros for outgoing
tcp_services_out = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services_out = "{ domain }"
# Macros for management
management_services = "{ ssh }"
# Macros for incoming
tcp_services_in = "{ ssh }"
udp_services_in = "{ domain }"
###############################################################################
set skip on lo
block log all
set block-policy drop
set loginterface egress
match in all scrub (no-df max-mss 1440 random-id reassemble tcp)
# NAT
match out on $vpn_interface from $lan_subnet nat-to ($vpn_interface:0)
# Stop Non-VPN Access from lan subnet
block out quick log on egress from $lan_subnet to any
################################
# Rules for egress network (re0)
# Diagnostics
pass out on egress inet proto udp to port 33433:33626
pass inet proto icmp from $wan_subnet keep state
# Management
pass quick proto tcp from $wan_subnet to $wan_interface port $management_services keep state
# Regular
pass quick inet proto tcp from $wan_interface to port $tcp_services_out keep state
pass quick inet proto udp from $wan_interface to port $udp_services_out keep state
##############################
# Rules for VPN network (tun0)
# Regular
pass quick inet proto tcp from ($vpn_interface:network) to port $tcp_services_out keep state
pass quick inet proto udp from ($vpn_interface:network) to port $udp_services_out keep state
#############################
# Rules for LAN network (em0)
# Diagnostics
pass inet proto icmp from $lan_subnet keep state
# Management
pass quick proto tcp from $lan_subnet to $wan_interface port $management_services keep state
# Regular
pass proto tcp from $lan_subnet to any port $tcp_services_out keep state
pass proto udp from $lan_subnet to any port $udp_services_out keep state
#######################
# Rules for WIFI subnet
# Diagnostics
pass quick inet proto icmp from $wifi_subnet keep state
# Management
pass quick proto tcp from $wifi_subnet to $wan_interface port $management_services keep state
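One thing worth checking in a setup like this, as an added example rather than part of the poster's ruleset: the wifi subnet 192.168.2.0/24 is not directly connected to re0, it is only reachable through the pfSense box at 192.168.1.1. If OpenVPN installs a default route via tun0 while it is up (the post does not say whether it does, so this is an assumption), SSH requests still arrive on re0 and match the management rule, but the router's replies follow the routing table and leave through the tunnel. pf's floating state lets those replies out, so nothing shows in pflog, yet the session never completes. The fragment below pins the return path of those management sessions to re0 via pfSense with `reply-to`; the macro `wifi_gateway` is introduced here and is not from the original config. The parenthesised `reply-to (ifname addr)` form is the one used by the OpenBSD releases contemporary with the 3rd-edition book; recent OpenBSD releases spell it `reply-to addr@ifname`, so check pf.conf(5) for the running version.

```pf
# Added example, not the poster's config. Assumes (not stated in the post) that
# OpenVPN sets a default route via tun0, so replies to 192.168.2.0/24, which is
# not on re0's directly connected network, would otherwise leave via the tunnel.
wan_interface = "re0"
wifi_subnet = "192.168.2.0/24"
wifi_gateway = "192.168.1.1"     # pfSense, the only path back to the wifi subnet
management_services = "{ ssh }"

# Pin the return path of management sessions from the wifi subnet to re0 via
# pfSense, whatever the routing table says while the VPN is up. The rule is
# written as "in on re0" so it only matters for traffic actually arriving there.
pass in quick on $wan_interface reply-to ($wan_interface $wifi_gateway) \
    inet proto tcp from $wifi_subnet to ($wan_interface) port $management_services

# Checks to run on the OpenBSD router (shown as comments, these are not pf syntax):
#   pfctl -nf /etc/pf.conf            parse the ruleset without loading it
#   route -n get 192.168.2.10         which interface a reply to the wifi subnet uses now
#   tcpdump -n -e -ttt -i pflog0      watch what "block log all" is dropping
#   pfctl -ss | grep ':22 '           confirm the SSH state exists and its direction
```

The alternative without touching pf is a static route on the OpenBSD router, `route add 192.168.2.0/24 192.168.1.1`, which keeps replies to the wifi subnet on re0 for all traffic, not just the SSH rule. Either way, comparing `route -n get` output with the VPN up and down tells you quickly whether routing, rather than the filter rules, is what changes when OpenVPN starts.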