Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
> I'm attempting to connect from a client to a device on the LAN which means the traffic should be hitting the filter rule on the OpenVPN tab, which allows all traffic.

What client are you using? And from what OS? If you are using Vista/7, remember to run the OpenVPN client as an admin so it can write the routing upon connecting.

-Tim

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
On Thu, Oct 13, 2011 at 16:03, Tim Nelson tnel...@rockbochs.com wrote:
> I would expect it to work this way also. However, I've removed the OPT interfaces corresponding to the OpenVPN servers. Next, I've added one rule to 'Allow all traffic, any protocol, any source, any destination, etc' on the OpenVPN tab in the firewall rules page. This should allow all traffic from all clients. However, even after saving, then clearing the state table, I'm not able to pass traffic over any of the OpenVPN links.
>
> I should mention, this system was upgraded from 1.2.1 to 2.0-RELEASE. Also, I did *not* uninstall any packages prior to the upgrade (read the upgrade notes afterwards... :/ ). Does this have any relevance? Should I reinstall this system from scratch, then recreate each VPN server/interface? Maybe just delete all the VPN servers, and start fresh?

Which direction are you trying the connectivity? The rules on the OpenVPN tab are for connections coming from the remote system to the pfSense box. If you want to connect out from local boxes to the remote system over the VPN then you need appropriate rules on the relevant interface (such as LAN) to allow the traffic.

--
Regards,
The Honeymonster aka Daniel Llewellyn
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
- Original Message -
> On Thu, Oct 13, 2011 at 16:03, Tim Nelson tnel...@rockbochs.com wrote:
> > I would expect it to work this way also. However, I've removed the OPT interfaces corresponding to the OpenVPN servers. Next, I've added one rule to 'Allow all traffic, any protocol, any source, any destination, etc' on the OpenVPN tab in the firewall rules page. This should allow all traffic from all clients. However, even after saving, then clearing the state table, I'm not able to pass traffic over any of the OpenVPN links.
> >
> > I should mention, this system was upgraded from 1.2.1 to 2.0-RELEASE. Also, I did *not* uninstall any packages prior to the upgrade (read the upgrade notes afterwards... :/ ). Does this have any relevance? Should I reinstall this system from scratch, then recreate each VPN server/interface? Maybe just delete all the VPN servers, and start fresh?
>
> Which direction are you trying the connectivity? The rules on the OpenVPN tab are for connections coming from the remote system to the pfSense box. If you want to connect out from local boxes to the remote system over the VPN then you need appropriate rules on the relevant interface (such as LAN) to allow the traffic.

I'm attempting to connect from a client to a device on the LAN which means the traffic should be hitting the filter rule on the OpenVPN tab, which allows all traffic.

--Tim
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Most of the time I have had trouble with the routing and not with the firewall rules. Check if the client has the correct gateway set for the LAN subnet and check if the push route is added correctly. A traceroute from the client can help you see if the packets are being sent through the VPN tunnel. If it is actually the firewall blocking, you should be able to see the block in the firewall log.

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
- Original Message -
> In 2.0 each interface is renamed in a unique way so you do not need dev tun or any similar entries in the options. You can assign the interfaces if you want (set an IP type of 'none' on them) and filter individually if you want, too. I run with two of mine assigned and 3+ more unassigned and have no issues.

After working on this off and on, I finally found pfSense to handle the rules properly. The issue, it seems, is that once the OPT interface is created for the OpenVPN service instance, the OpenVPN server needs to be restarted for the OPT to pick up the interface IP address. It will then apply the rules appropriately. My clue was seeing the OPT interfaces on the system dashboard as up (green), but no IP assigned. Thanks Jim and others for your helpful suggestions.

--Tim
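One way to spot the symptom Tim describes (an ovpns interface that is up but carries no IP) from a shell, before trusting the firewall rules on it. This is an added example, not code from the thread or from pfSense; the ifconfig text it parses is a constructed sample, and on a real box you would pipe `ifconfig` into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread): list OpenVPN interfaces (ovpns*/ovpnc*)
# whose flags say UP but which have no IPv4 "inet" line, the state Tim saw on
# the dashboard (green, no IP) before restarting the OpenVPN server.

# Constructed sample of FreeBSD-style ifconfig output; not captured from a real system.
SAMPLE_IFCONFIG='ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1%ovpns1 prefixlen 64 scopeid 0x9
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
ovpns2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    inet6 fe80::2%ovpns2 prefixlen 64 scopeid 0xa
ovpnc1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Reads ifconfig text on stdin; prints one interface name per line for every
# ovpns*/ovpnc* interface that is UP but has no "inet" address line.
up_ovpn_without_inet() {
    awk '
        function flush() {
            if (name != "" && up && !has_inet) print name
        }
        /^[a-z]/ {                       # a new interface block starts at column 0
            flush()
            name = ""; up = 0; has_inet = 0
            if ($1 ~ /^ovpn[sc][0-9]+:$/) {
                name = substr($1, 1, length($1) - 1)
                if ($2 ~ /[<,]UP[,>]/) up = 1   # match the UP flag exactly
            }
            next
        }
        $1 == "inet" { has_inet = 1 }    # indented address line of the current block
        END { flush() }
    '
}

# Run the check over the constructed sample. On pfSense: ifconfig | up_ovpn_without_inet
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | up_ovpn_without_inet
}

check_sample
```

An interface reported here is exactly the case where rules on its tab cannot match yet, because pf has no address to build them against until the OpenVPN instance is restarted.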
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Hi Tim!

I haven't been using pfSense for very long, but under Firewall > Rules you should have a tab OpenVPN. Try putting some rules there; it works for me. Setting up an extra interface used to be done in older pfSense versions, no idea if it's still valid. Maybe someone more experienced can give some info on that.

Hope it helps!

Vassilis
Re: [pfSense] pfSense 2.0 - Filtering traffic on OpenVPN
Jim Pingle wrote on 12.10.2011 23:55:
> In 2.0 each interface is renamed in a unique way so you do not need dev tun or any similar entries in the options. You can assign the interfaces if you want (set an IP type of 'none' on them) and filter individually if you want, too. I run with two of mine assigned and 3+ more unassigned and have no issues.

Hi Jim

Thank you for the info! Would the rules on the assigned tabs have priority over the unassigned OpenVPN tab? Or is the unassigned tab bypassed as long as there is an assigned one? I noticed the unique renaming; is it also stable? E.g. ovpns1 will always be the same server as written in () next to it?

Vassilis