Hello people, I have been reading through the 3rd edition of pf and other resources on the web, so far so good but I'm hitting some roadblocks. This router I have built is acting as a client to an external VPN server; it works and my client is getting a connection just fine. The problem is that whenever OpenVPN is active I cannot SSH in from a specific subnet - my pf rules aren't right. Can someone do me a massive favour and check this out and see what stupid thing I'm doing? Thank you so much in advance!
p.s. Running latest snapshot, and pf rules included!

Topology:

[pfSense Router: 192.168.1.1] (wifi lan subnet 192.168.2.0/24 / ethernet lan subnet 192.168.1.0/24) ------> Unmanaged Switch ------> [OpenBSD router: 192.168.1.100] (ethernet lan subnet 10.0.0.0/24)

What works:
- pfSense clients on the ethernet lan subnet SSH'ing in to the OpenBSD router (whether OpenVPN is active or not on the OpenBSD router)
- pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router (when OpenVPN is NOT active on the OpenBSD router)

What doesn't work:
- pfSense clients on the wifi lan subnet SSH'ing in to the OpenBSD router (when OpenVPN is active on the OpenBSD router)

My rules:

# Macros for interfaces
wan_interface = "re0"
lan_interface = "em0"
vpn_interface = "tun0"

# Macros for subnets
wan_subnet = "re0:network"
lan_subnet = "em0:network"
wifi_subnet = "192.168.2.0/24"

# Macros for outgoing
tcp_services_out = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services_out = "{ domain }"

# Macros for management
management_services = "{ ssh }"

# Macros for incoming
tcp_services_in = "{ ssh }"
udp_services_in = "{ domain }"

###############################################################################

set skip on lo
set block-policy drop
set loginterface egress

block log all

match in all scrub (no-df max-mss 1440 random-id reassemble tcp)

# NAT
match out on $vpn_interface from $lan_subnet nat-to ($vpn_interface:0)

# Stop Non-VPN Access from lan subnet
block out quick log on egress from $lan_subnet to any

################################
# Rules for egress network (re0)

# Diagnostics
pass out on egress inet proto udp to port 33433:33626
pass inet proto icmp from $wan_subnet keep state

# Management
pass quick proto tcp from $wan_subnet to $wan_interface port $management_services keep state

# Regular
pass quick inet proto tcp from $wan_interface to port $tcp_services_out keep state
pass quick inet proto udp from $wan_interface to port $udp_services_out keep state

##############################
# Rules for VPN network (tun0)

# Regular
pass quick inet proto tcp from ($vpn_interface:network) to port $tcp_services_out keep state
pass quick inet proto udp from ($vpn_interface:network) to port $udp_services_out keep state

#############################
# Rules for LAN network (em0)

# Diagnostics
pass inet proto icmp from $lan_subnet keep state

# Management
pass quick proto tcp from $lan_subnet to $wan_interface port $management_services keep state

# Regular
pass proto tcp from $lan_subnet to any port $tcp_services_out keep state
pass proto udp from $lan_subnet to any port $udp_services_out keep state

#######################
# Rules for WIFI subnet

# Diagnostics
pass quick inet proto icmp from $wifi_subnet keep state

# Management
pass quick proto tcp from $wifi_subnet to $wan_interface port $management_services keep state
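An added illustration, not part of the original post, of the one thing worth checking first when a symptom only appears while the tunnel is up. If the OpenVPN client installs a default route over tun0 (as redirect-gateway does), 192.168.1.0/24 keeps working because that network is directly connected to re0, but replies to 192.168.2.0/24 have no directly connected route and follow the new default into the tunnel instead of going back to pfSense at 192.168.1.1. The SYN is passed and a state is created, and since OpenBSD states float across interfaces by default the reply is matched and sent out tun0, so nothing shows up in pflog0. `route -n get 192.168.2.10` with the tunnel up shows which interface the kernel would use for the reply. The fragment below shows two ways of pinning the return path; it assumes the interface names and the 192.168.1.1 pfSense address from the post, and the `reply-to ( interface address )` spelling is the one from the 3rd-edition era, so check pf.conf(5) on the snapshot in use.

```pf
# Added example (not from the original post): keep SSH replies to the wifi
# subnet on re0 while tun0 carries the default route.
# Assumes the topology described above: pfSense at 192.168.1.1 on re0.

wan_interface = "re0"
wifi_subnet = "192.168.2.0/24"
pfsense_gw = "192.168.1.1"          # assumed: the pfSense address on re0
management_services = "{ ssh }"

# Option 1: reply-to sends the replies of this state back through pfSense
# no matter what the routing table says. Direction and interface are stated
# explicitly so only traffic arriving on re0 creates the state; this rule
# replaces the wifi management rule in the post.
pass in quick on $wan_interface inet proto tcp from $wifi_subnet \
    to ($wan_interface) port $management_services \
    reply-to ($wan_interface $pfsense_gw)

# Option 2 (outside pf.conf, instead of reply-to): a static route for the
# wifi subnet. A /24 is more specific than the VPN's default route and than
# the 0.0.0.0/1 and 128.0.0.0/1 pair that redirect-gateway def1 installs, so
# it survives OpenVPN starting. Persisted in /etc/hostname.re0 as:
#   !route add -inet 192.168.2.0/24 192.168.1.1
```

Either option is enough on its own; the static route is simpler to reason about because it also covers ICMP and anything else the wifi subnet later needs from the router. With reply-to in place, `pfctl -ss | grep 192.168.2` should show the SSH state with re0 on both sides, and `tcpdump -n -e -ttt -i pflog0` remains the place to look if the SYN itself is being dropped by `block log all`.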