Hello people,

I have been reading through the 3rd edition of pf and other resources on the
web, so far so good, but I'm hitting some roadblocks.  This router I have built
is acting as a client to an external VPN server; it works and my client is
getting a connection just fine.  The problem is that whenever OpenVPN is active
I cannot SSH in from a specific subnet - my pf rules aren't right.  Can someone
do me a massive favour and check this out - see what stupid thing I'm doing?
Thank you so much in advance!

p.s. Running latest snapshot and pf rules included!

Topology:
[pfSense Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan subnet 192.168.1.0/24)
    ------> Unmanaged Switch ------>
[OpenBSD router: 192.168.1.100] (ethernet lan subnet 10.0.0.0/24)

What works:
pfSense clients on ethernet lan subnet SSH'ing in to the OpenBSD router
    (whether OpenVPN is active or not on the OpenBSD router)

pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router
    (when OpenVPN is NOT active on the OpenBSD router)

What doesn't work:
pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router
    (when OpenVPN is active on the OpenBSD router)

My rules:

# Macros for interfaces
        wan_interface = "re0"
        lan_interface = "em0"
        vpn_interface = "tun0"
# Macros for subnets
        wan_subnet = "re0:network"      # 192.168.1.0/24 only; 192.168.2.0/24 is not on re0
        lan_subnet = "em0:network"      # 10.0.0.0/24
        wifi_subnet = "192.168.2.0/24"
# Macros for outgoing
        tcp_services_out = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
        udp_services_out = "{ domain }"
# Macros for management
        management_services = "{ ssh }"
# Macros for incoming
        tcp_services_in = "{ ssh }"
        udp_services_in = "{ domain }"

###############################################################################

set skip on lo
block log all
set block-policy drop
set loginterface egress
match in all scrub (no-df max-mss 1440 random-id reassemble tcp)

# NAT: LAN (em0) traffic leaving through the tunnel gets tun0's address
match out on $vpn_interface from $lan_subnet nat-to ($vpn_interface:0)

# Stop Non-VPN Access from lan subnet
block out quick log on egress from $lan_subnet to any

################################
# Rules for egress network (re0)

# Diagnostics (traceroute UDP probe range)
pass out on egress inet proto udp to port 33433:33626
pass inet proto icmp from $wan_subnet keep state

# Management: SSH to re0's own address from the directly connected 192.168.1.0/24
pass quick proto tcp from $wan_subnet to $wan_interface port $management_services keep state

# Regular
pass quick inet proto tcp from $wan_interface to port $tcp_services_out keep state
pass quick inet proto udp from $wan_interface to port $udp_services_out keep state

##############################
# Rules for VPN network (tun0)

# Regular
pass quick inet proto tcp from ($vpn_interface:network) to port $tcp_services_out keep state
pass quick inet proto udp from ($vpn_interface:network) to port $udp_services_out keep state

#############################
# Rules for LAN network (em0)

# Diagnostics
pass inet proto icmp from $lan_subnet keep state

# Management
pass quick proto tcp from $lan_subnet to $wan_interface port $management_services keep state

# Regular
pass proto tcp from $lan_subnet to any port $tcp_services_out keep state
pass proto udp from $lan_subnet to any port $udp_services_out keep state

#######################
# Rules for WIFI subnet (192.168.2.0/24 arrives on re0 via pfSense)

# Diagnostics
pass quick inet proto icmp from $wifi_subnet keep state

# Management: SSH to re0's own address from the wifi subnet
pass quick proto tcp from $wifi_subnet to $wan_interface port $management_services keep state
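An added worked example (editor's code, not from the original post or OpenBSD): a small longest-prefix-match model of the OpenBSD router's routing table built from the topology above. It shows where the router's SSH reply to a wifi client leaves the box with the tunnel down, with the tunnel up, and with a static route for the wifi subnet added. The one assumption, labelled in the code, is that OpenVPN is pushing `redirect-gateway`, which installs `0.0.0.0/1` and `128.0.0.0/1` routes via `tun0` plus a host route to the VPN server; the VPN server and `tun0` peer addresses are placeholders. Under that assumption pf's default floating state policy lets the reply out, but it leaves via `tun0` instead of back to pfSense, which matches the symptom of only the non-directly-connected 192.168.2.0/24 breaking.

```python
# Editor's added example, not from the original post. Models the OpenBSD
# router's routing decision for replies to SSH clients with a longest-prefix
# match over a constructed table.
#
# Assumption (not stated in the post): OpenVPN pushes "redirect-gateway", which
# adds 0.0.0.0/1 and 128.0.0.0/1 via tun0 and a /32 host route to the VPN
# server via the old default gateway. Addresses for the VPN server and the tun0
# peer are placeholders.
import ipaddress

PFSENSE = "192.168.1.1"        # from the post: upstream gateway on re0
VPN_SERVER = "203.0.113.10"    # placeholder (RFC 5737 range), not from the post
TUN_PEER = "10.8.0.1"          # placeholder tun0 peer, not from the post

# (prefix, outgoing interface, next hop or None when directly connected)
BASE_TABLE = [
    ("192.168.1.0/24", "re0", None),       # re0:network
    ("10.0.0.0/24", "em0", None),          # em0:network
    ("0.0.0.0/0", "re0", PFSENSE),         # default route via pfSense
]

# What redirect-gateway typically installs while the tunnel is up.
OPENVPN_ROUTES = [
    (VPN_SERVER + "/32", "re0", PFSENSE),  # keeps the tunnel endpoint reachable
    ("0.0.0.0/1", "tun0", TUN_PEER),       # each half is more specific than /0,
    ("128.0.0.0/1", "tun0", TUN_PEER),     #   so together they hijack the default
]

# Candidate remedy: tell the router that 192.168.2.0/24 lives behind pfSense.
WIFI_STATIC_ROUTE = ("192.168.2.0/24", "re0", PFSENSE)


def lookup(table, dst):
    """Return (interface, next_hop) for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def build_table(vpn_active, wifi_route=False):
    """Compose the routing table for a given tunnel / static-route state."""
    table = list(BASE_TABLE)
    if vpn_active:
        table += OPENVPN_ROUTES
    if wifi_route:
        table.append(WIFI_STATIC_ROUTE)
    return table


def reply_interface(client, vpn_active, wifi_route=False):
    """Interface the router's SSH reply to `client` would leave on."""
    return lookup(build_table(vpn_active, wifi_route), client)[0]


if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.2.50"):
        for vpn in (False, True):
            for fix in (False, True):
                print(f"client {client:<13} vpn={vpn!s:<5} wifi_route={fix!s:<5} "
                      f"-> reply via {reply_interface(client, vpn, fix)}")
```

On the real box the equivalent check is `route -n get 192.168.2.50` with the tunnel up (look at the `interface:` line), and `tcpdump -n -e -ttt -i pflog0` to confirm that pf is not logging drops for the SSH flow, since `block log all` is in the ruleset. If the model matches what you see, `route add -net 192.168.2.0/24 192.168.1.1` (made persistent with a `!route add ...` line in `/etc/hostname.re0`) sends wifi replies back through pfSense regardless of OpenVPN's default route; that is an assumed remedy for the assumed cause, not something the post confirms.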
