Jump to content



Photo

Setting up a VPN

pfsense firewall vpn remote

  • Please log in to reply
37 replies to this topic

#31 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 01 August 2012 - 15:55

are you running host firewalls on your other devices? if so you would have to allow traffic on the ports you want from the 10.0.200 network. Also I have changed my pfsense lan rule to be any vs lan net. I was having issues doing something, which I don't recall exactly what now with vpn clients, and changing it to any for the lan interface rules fixed it.

lanrules.jpg

See my note and how the lan source is * vs lan net, I don't recall exactly why now though. Something was not working, I would have to set it back to see what doesn't work to refresh my memory. But I do recall changing source for something I was trying to do - which now works, just don't recall what it was ;)

edit: as to shares working over the vpn, yeah work just fine - you might want to allow netbios on your openvpn config. And most likely have to auth, but see I am here at work, and I can access shares off my home workstation

D:\>net view \\i5-w7
System error 5 has occurred.

Access is denied.

D:\>net use \\i5-w7\ipc$ /u:i5-w7\budman
The password or user name is invalid for \\i5-w7\ipc$.

Enter the password for 'i5-w7\budman' to connect to 'i5-w7':
The command completed successfully.

D:\>net view \\i5-w7
Shared resources at \\i5-w7

Share name   Type   Used as  Comment
-------------------------------------------------------------------------------
Deskjet6500  Print		   HP Deskjet 6500 Series
test		 Disk
The command completed successfully.


Just had to auth - since my workstation is not using a budman account ;) with same password.

edit: Also what are the details of your weatherstation - I have been thinking of setting one up, curious what yours is and what you do with it, etc. etc..


#32 OP Lilrich

Lilrich

    Apple Fan-Boi

  • Joined: 31-October 06

Posted 01 August 2012 - 20:17

Budman i have attached my firewall rules i cant see any proto IPV4 or IPV6 did you have to add these?

firewall.png

#33 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 01 August 2012 - 20:31

Im running ipv6, those that breaks it up.. Se your rule above your block from source 192.168.33.252, that is your lan allow.

I don't see how that block is working though? because 192.168.33.252 falls into your lan net, and would be allowed access before it hits the block. If you want to block that IP from using the internet on tcp, then you need to put that above your lan net rule.

And you really have duplicate rules there, one with lan net as source (which is your 192.168.33.0/24) and then that last rule which is any any. And your rules for 45631 and 21 are also not needed since they would fall under that lan net rule. Unless they were coming from different network than your lan net?

Rules go down in order from top, first rule that hits is one that is applied - be it allowed or blocked. Notice in my lan rules the ones for .41 address - I allow it access only to the websense stuff, then I block its access for anything else! So if say .23 comes it, he goes past all those rules until he hits my allow rule.

#34 OP Lilrich

Lilrich

    Apple Fan-Boi

  • Joined: 31-October 06

Posted 01 August 2012 - 20:51

What about this

firewall2.png

#35 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 02 August 2012 - 12:43

Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.

You really only need one rule, not now sure on the details - but like I said for something I was trying to do with vpn, I changed the default rule from lan net to *, which kind of like the rule you have above the lan net rule, only you change proto to TCP only - not sure why?

#36 OP Lilrich

Lilrich

    Apple Fan-Boi

  • Joined: 31-October 06

Posted 02 August 2012 - 12:51

Again, not sure why you have 2 rules there

Unless you have something with UDP going on, you let anything out TCP. Then next rule is anything *, so that would include tcp and udp coming from your lan net can go anywhere.


I have removed this, see my updated post below.

You really only need one rule, not now sure on the details - but like I said for something I was trying to do with vpn, I changed the default rule from lan net to *, which kind of like the rule you have above the lan net rule, only you change proto to TCP only - not sure why?


I know what had happened here, when i was reading your rules table i saw that it said IPV4* i got confused and thought that this was something that it wasn't, it wasn't until later that i found out you were running IPV6 that is why you got them options. I now notice that the IPV4 on my setup is just * as i am not running IPV6.

firewall.png

#37 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 03 August 2012 - 12:23

So pretty much your wide open there outbound, if you want to block some of your machines - put them blocked above that rule

So is your openvpn doing everything you want it to do?

#38 OP Lilrich

Lilrich

    Apple Fan-Boi

  • Joined: 31-October 06

Posted 04 August 2012 - 09:49

I have made some changes to the firewall to block some clients between certain times.

OpenVPN seems to be doing everything that i want for the time being, i am sure if i come accross something i will be back to ask :)

Thanks for your help.



Click here to login or here to register to remove this ad, it's free!