Topic: VPN Ruleset (Read 2022 times)
spetrillo
Hero Member
Posts: 721
Karma: 8
VPN Ruleset
« on: August 19, 2022, 03:05:17 pm »
Hello all,
I have a S2S VPN up and running on my OPNsense firewall, along with 4 phase 2 tunnels. What I am confused about is what rule do I need that will allow traffic to pass across this VPN. Any examples?
Thanks,
Steve
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: VPN Ruleset
« Reply #1 on: August 20, 2022, 10:40:06 am »
Add firewalls rules to the Interface called "IPsec" to allow traffic inbound from the other site. Do that at both sides.
Firewall > Rules > IPsec
Firewall rules are added generally to control traffic ENTERING an interface. So, IPsec firewall rules are for traffic arriving down the VPN tunnel from the other side.
Therefore, talking just about site A.
LAN interface firewall rules are for the traffic that enters the LAN interface. You can use the LAN firewall rules to control what traffic from Site A LAN can go into the VPN tunnel destined for Site B.
IPsec interface firewall rules are for the traffic from Site B that arrives at the Site A firewall. You can use the IPsec firewall rules to control what traffic from Site B can get to what you would like on the firewall at Site A.
I hope that helps.
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: VPN Ruleset
« Reply #2 on: August 20, 2022, 08:16:51 pm »
OK I think I got it, so here goes...
1) On my LAN side I created a rule with the Interface as my LAN interface, direction is out, source is my LAN subnet, and destination is the IPsec subnet. I left the protocol and destination port range as ANY for now.
2) On my IPsec side I created a rule with the Interface as my IPsec interface, direction is in, source is a single host on the other side, and destination is my LAN subnet. I again left the protocol and destination port range as ANY for now.
Did I get this right?
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: VPN Ruleset
« Reply #3 on: August 21, 2022, 01:10:09 am »
No.
Just leave the direction at the default, which will be in.
You need to think like the firewall. The firewall rule applies to traffic ENTERING the LAN interface from the firewall's point of view.
Client > sends packet to yyyyy on port zzzz > arrives (enters) the firewall LAN interface.....
https://docs.opnsense.org/manual/firewall.html
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: VPN Ruleset
« Reply #4 on: August 24, 2022, 08:49:38 pm »
I hear ya...but in my case I would be initiating the traffic to the other side. Do I need to do anything in that case?
For example I want to ping a server on the other side by its private IP. Do I need any other rules?
spetrillo
Hero Member
Posts: 721
Karma: 8
Re: VPN Ruleset
« Reply #5 on: August 30, 2022, 05:17:18 pm »
Ok coming back to this...
1) I have a rule on the IPsec side where the direction is IN, the protocol and source are ANY, the destination is my server subnet, with a port range of ANY.
2) I have a rule on the server subnet side where the direction is IN, the protocol is ANY, the source is the server subnet, with a port range of ANY.
Is this correct and if yes should this allow me to ping to the host on the other side?
nzkiwi68
Full Member
Posts: 182
Karma: 20
Re: VPN Ruleset
« Reply #6 on: November 22, 2022, 01:32:42 am »
Site A, firewall A
Server 192.168.0.1 on an interface called "server"
Site B, firewall B
Device 192.168.100.1 on an interface called "lan"
Site A wants to ping something on Site B in the lan.
Site A, firewall A - rule
Firewall: Rules: SERVER
Allow protocol ICMP from source any to destination 192.168.100.1 allow
Site B, firewall B - rule
Firewall: Rules: IPsec
Allow protocol ICMP from source any to destination 192.168.100.1 allow
That's it!
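A small model of the "rules match on the interface the packet enters" logic explained in this thread, written as an added example (not code from the OPNsense project or from either poster): it encodes the two ICMP rules from the last reply and traces a ping from Site A's server to 192.168.100.1 through both firewalls. The interface names, the default-deny when no rule matches, and the ping_path helper are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    iface: str   # interface the packet ENTERS (OPNsense evaluates rules inbound)
    proto: str   # "icmp", "tcp", "udp" or "any"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"

def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def first_match(rules, ingress, proto, src, dst):
    """First rule matching the packet as it ENTERS `ingress`, else None.
    No match means the packet is dropped (assumed default-deny policy)."""
    for r in rules:
        if (r.iface == ingress and r.proto in ("any", proto)
                and _addr_match(r.src, src) and _addr_match(r.dst, dst)):
            return r
    return None

# Constructed rule sets mirroring reply #6: Site A allows ICMP entering its
# "server" interface, Site B allows ICMP arriving down the tunnel on "ipsec".
FIREWALL_A = [Rule("server", "icmp", "any", "192.168.100.1/32")]
FIREWALL_B = [Rule("ipsec", "icmp", "any", "192.168.100.1/32")]

def ping_path(src: str, dst: str, proto: str = "icmp"):
    """Trace a packet from Site A's server network to Site B's LAN.
    Returns (firewall, ingress interface, allowed) for each hop reached.
    The echo reply needs no extra rule: pf keeps state for the allowed flow."""
    hops = []
    # Leaving the server, the packet first ENTERS firewall A's "server" interface
    ok_a = first_match(FIREWALL_A, "server", proto, src, dst) is not None
    hops.append(("A", "server", ok_a))
    if not ok_a:
        return hops
    # After decryption at site B it ENTERS firewall B's "IPsec" interface
    ok_b = first_match(FIREWALL_B, "ipsec", proto, src, dst) is not None
    hops.append(("B", "ipsec", ok_b))
    return hops

if __name__ == "__main__":
    for hop in ping_path("192.168.0.1", "192.168.100.1"):
        print(hop)
```

Swapping a rule onto the wrong interface (for example putting Site A's rule on its IPsec interface for traffic Site A itself initiates) makes first_match return None, which is the mistake the earlier replies were untangling.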