VPN Ruleset

Started by spetrillo, August 19, 2022, 03:05:17 PM

Hello all,

I have a S2S VPN up and running on my OPNsense firewall, along with 4 phase 2 tunnels. What I am confused about is what rule do I need that will allow traffic to pass across this VPN. Any examples?

Thanks,
Steve

Add firewall rules to the Interface called "IPsec" to allow traffic inbound from the other site. Do that at both sides.

Firewall > Rules > IPsec

Firewall rules are added generally to control traffic ENTERING an interface. So, IPsec firewall rules are for traffic arriving down the VPN tunnel from the other side.

Therefore, talking just about site A.

LAN interface firewall rules are for the traffic that enters the LAN interface. You can use the LAN firewall rules to control what traffic from Site A LAN can go into the VPN tunnel destined for Site B.

IPsec interface firewall rules are for the traffic from Site B that arrives at the Site A firewall. You can use the IPsec firewall rules to control what traffic from Site B can get to what you would like on the firewall at Site A.


I hope that helps.

OK I think I got it, so here goes...

1) On my LAN side I created a rule with the Interface as my LAN interface, direction is out, source is my LAN subnet, and destination is the IPsec subnet. I left the protocol and destination port range as ANY for now.
2) On my IPsec side I created a rule with the Interface as my IPsec interface, direction is in, source is a single host on the other side, and destination is my LAN subnet. I again left the protocol and destination port range as ANY for now.

Did I get this right?

No.

Just leave the direction at the default, which will be in.

You need to think like the firewall. The firewall rule applies to traffic ENTERING the LAN interface from the firewall's point of view.

Client > sends packet to yyyyy on port zzzz > arrives (enters) the firewall LAN interface.....

https://docs.opnsense.org/manual/firewall.html

I hear ya...but in my case I would be initiating the traffic to the other side. Do I need to do anything in that case?

For example I want to ping a server on the other side by its private IP. Do I need any other rules?

Ok coming back to this...

1) I have a rule on the IPsec side where the direction is IN, the protocol and source are ANY, the destination is my server subnet, with a port range of ANY.
2) I have a rule on the server subnet side where the direction is IN, the protocol is ANY, the source is the server subnet, with a port range of ANY.

Is this correct and if yes should this allow me to ping to the host on the other side?

Site A, firewall A
Server 192.168.0.1 on an interface called "server"

Site B, firewall B
Device 192.168.100.1 on an interface called "lan"

Site A wants to ping something on Site B in the lan.

Site A, firewall A - rule
Firewall: Rules: SERVER
Allow protocol ICMP from source any to destination 192.168.100.1 allow

Site B, firewall B - rule
Firewall: Rules: IPsec
Allow protocol ICMP from source any to destination 192.168.100.1 allow


That's it!
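The "think like the firewall" point from the replies above, as an added Python model of rule evaluation (constructed for this thread, not OPNsense code). The interface names, addresses and the two ICMP rules are the ones from the last reply; WRONG_A is the earlier "direction out" attempt, and the model assumes rules are checked on the interface a packet enters, first match wins, default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of how OPNsense applies rules (assumption, not OPNsense
# code): a rule is checked on the interface the packet ENTERS, in the rule's
# direction ("in" by default), first match wins, no match means drop.
@dataclass(frozen=True)
class Rule:
    interface: str
    direction: str   # "in" or "out"
    proto: str       # "any", "icmp", "tcp", ...
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    action: str = "pass"

def _match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def evaluate(rules, iface, proto, src, dst, direction="in"):
    """Action for a packet seen on `iface` in `direction` (default: entering)."""
    for r in rules:
        if (r.interface == iface and r.direction == direction
                and r.proto in ("any", proto)
                and _match(r.src, src) and _match(r.dst, dst)):
            return r.action
    return "block"  # no matching rule: dropped

def trace_ping(rules_a, rules_b, src, dst):
    """Echo request from Site A to Site B: it enters firewall A on the
    'server' interface, then comes down the tunnel and enters firewall B on
    the 'IPsec' interface. The reply needs no rule: it matches the state
    created by the request."""
    if evaluate(rules_a, "server", "icmp", src, dst) != "pass":
        return "blocked at firewall A (server rules)"
    if evaluate(rules_b, "IPsec", "icmp", src, dst) != "pass":
        return "blocked at firewall B (IPsec rules)"
    return "reply received"

# Rules exactly as given in the last reply of the thread
SITE_A = [Rule("server", "in", "icmp", "any", "192.168.100.1/32")]
SITE_B = [Rule("IPsec", "in", "icmp", "any", "192.168.100.1/32")]
# Earlier attempt: direction "out" never sees a packet entering from the server
WRONG_A = [Rule("server", "out", "any", "192.168.0.0/24", "192.168.100.0/24")]

def working():
    return trace_ping(SITE_A, SITE_B, "192.168.0.1", "192.168.100.1")

def wrong_direction():
    return trace_ping(WRONG_A, SITE_B, "192.168.0.1", "192.168.100.1")
```

Passing an empty list for `rules_b` shows the other failure mode: the request leaves Site A but is dropped on arrival at the Site B IPsec interface.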