On 1/4/2014 8:49 PM, Ugo Bellavance wrote:
> On our setup, we have at least 2 openVPN interfaces (one site-to-site,
> one for roaming users).  I haven't labeled these interfaces so all my
> rules are using the global "OpenVPN" interface, but I think it would be
> better if I had one interface per OpenVPN instance.  What are the
> problems I may get into?  I know that once I create the interfaces, the
> rules will be to deny all, but is there anything else?

Group rules are considered before per-interface rules, so your OpenVPN
tab rules will match before the per-interface versions.

You can assign the OpenVPN interfaces, then enable them, set the IP type
to NONE, and then after that you'll need to edit/save each VPN you
assign to make sure the VPN reattaches to the interface.

There aren't really any negative side effects to assigning them this
way, it's just a bit more to manage that most people don't need.

Once they are assigned you can give the interface a name, you can have
per-interface rules, and so on. If you do put rules on each VPN
interface be sure to remove or deactivate the rules on the OpenVPN tab.

Jim
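
An added example, not part of the original message: a Python check that lists rules still active on the OpenVPN tab alongside the per-interface rules they would be evaluated ahead of. The XML layout, the `openvpn` group name, the `ovpns`/`ovpnc` device prefixes and all sample values are assumptions modelled on a pfSense `config.xml` export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real configuration. The element layout is an
# assumption modelled on a pfSense config.xml export.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if></wan>
    <opt1><if>ovpns1</if><descr>VPN_S2S</descr><enable/></opt1>
    <opt2><if>ovpns2</if><descr>VPN_ROAMING</descr><enable/></opt2>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>openvpn</interface><descr>allow all VPN</descr></rule>
    <rule><type>pass</type><interface>openvpn</interface><descr>old test</descr><disabled/></rule>
    <rule><type>block</type><interface>opt2</interface><descr>roaming: no mgmt</descr></rule>
    <rule><type>pass</type><interface>wan</interface><descr>allow vpn in</descr></rule>
  </filter>
</pfsense>"""

GROUP_TAB = "openvpn"  # assumed interface name used by rules on the OpenVPN tab


def audit_openvpn_rules(config_xml):
    """Report active OpenVPN-tab rules and the per-interface rules they precede."""
    root = ET.fromstring(config_xml)
    # Assigned VPN instances: interfaces backed by an ovpns*/ovpnc* device.
    assigned = {}
    for iface in root.findall("./interfaces/*"):
        if iface.findtext("if", default="").startswith(("ovpns", "ovpnc")):
            assigned[iface.tag] = iface.findtext("descr", default=iface.tag)
    group_active, preceded = [], {}
    for rule in root.findall("./filter/rule"):
        if rule.find("disabled") is not None:
            continue  # deactivated rules do not take part in matching
        name = rule.findtext("interface", default="")
        descr = rule.findtext("descr", default="(no description)")
        if name == GROUP_TAB:
            group_active.append(descr)
        elif name in assigned:
            preceded.setdefault(assigned[name], []).append(descr)
    # Per-interface rules only need review while group rules are still active.
    return {"assigned": assigned, "group_active": group_active,
            "preceded": preceded if group_active else {}}


if __name__ == "__main__":
    report = audit_openvpn_rules(SAMPLE_CONFIG)
    for descr in report["group_active"]:
        print("still active on OpenVPN tab:", descr)
    for iface, rules in report["preceded"].items():
        print(f"{iface}: evaluated after the group rules:", ", ".join(rules))
```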
