Hi Joseph

Thanks for the fast reply, I think I understand the idea, but:

How can I create an OPT interface assigned to a tun interface?

If I do: Interfaces -> assign -> add interface, I can create an OPT interface, but in the dropdown I only have my physical interfaces and a plip0.
What am I doing wrong?

Andy

Joseph L. Casale wrote:
We have several Road Warrior style OpenVPN users. Today they are
directly routed to the LAN interface without any Filter Rules.
New security policies request that we restrict some of the OpenVPN Users.

It's a bit unclear to me how this can be done.

Create an OPT interface (do not assign this to a vlan, assign it to a
persistent tun interface). The notion of vlan provides nothing here, and it
also needs to be assigned to the persistent tun device here.

- Based on their CN we assign them fixed IP addresses.
- We understand that we can do outgoing rules on the LAN interface

Setup the OpenVPN connection to hand out a unique range of IPs such as
192.168.100.0/24. Also setup a Custom Option of "dev tun0" for example
(This gets assigned to the OPT interface *after* you save the vpn config
and it is created).

Setup a Client-specific Config that hands out a unique block of that above
reserved space, like:

Common name: jcasale
Interface IP: 192.168.100.4/30
Some Ops if you need them, like: push "route 192.168.1.0 255.255.255.0"

Common name: jdoe
Interface IP: 192.168.100.8/30
Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"

Common name: fbar
Interface IP: 192.168.100.12/30
Some Ops if you need them, like: push "route 192.168.10.0 255.255.255.0"

But how can we do incoming rules for those users, is it possible to
create an interface to assign the rules for them?

Now, setup rules on the outbound side of the OPT interface allowing
192.168.100.4/30 access to whatever it needs.

HTH,
jlc



--
Andreas Fuchs
Consultant/System Engineer      Allmend 31
3504 Niederhünigen      office:  +41 31 508 18 16
mobile: +41 78 740 93 80
f...@tcnet.ch
www.aironaut.ch
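As an added example (not code from the thread, from Joseph, or from pfSense), here is the plain OpenVPN and pf(4) equivalent of the setup Joseph describes, so the mechanism behind the GUI fields is visible: one client-config-dir file per CN carrying a fixed /30 (OpenVPN's default net30 topology gives the client the second usable address of the /30 and the server side the first), plus pf rules on the tun interface that only pass each client's /30 to the LAN it is allowed to reach. Everything not in the thread is an assumption: the device name tun0, the 192.168.100.0/24 pool handed out by the server, the scratch directory standing in for the real client-config-dir, and the CN/route table, which is constructed from the three clients above. The alignment check in net30_pair catches the one mistake that silently breaks a per-client override: a block that is not a /30 or not on a /30 boundary.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the plain-OpenVPN and
# pf(4) equivalent of the settings Joseph describes. Assumptions (not in the
# thread): the tun device is tun0, the server hands out 192.168.100.0/24 in
# OpenVPN's default net30 topology, and the CN -> /30 -> LAN table below is
# constructed from the thread's three clients.
set -eu

IFACE=tun0                          # persistent tun device the OPT interface is assigned to
POOL='192.168.100.0 255.255.255.0'  # assumed pool handed out by the OpenVPN server

# Constructed table: CN, reserved /30 for that client, LAN it may reach.
CLIENTS='jcasale 192.168.100.4/30 192.168.1.0/24
jdoe 192.168.100.8/30 192.168.10.0/24
fbar 192.168.100.12/30 192.168.10.0/24'

# Dotted quad <-> integer, POSIX sh arithmetic only.
ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }
cidr2mask() { int2ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }

# In net30 topology every client owns a /30: network, server-side endpoint
# (+1), client endpoint (+2), broadcast (+3). Prints "client server" for a
# /30 and fails if the block is not a correctly aligned /30.
net30_pair() {
  net=${1%/*}; len=${1#*/}
  [ "$len" = 30 ] || { echo "$1: need a /30 per client" >&2; return 1; }
  n=$(ip2int "$net")
  [ $((n % 4)) -eq 0 ] || { echo "$1: not aligned on a /30 boundary" >&2; return 1; }
  echo "$(int2ip $((n + 2))) $(int2ip $((n + 1)))"
}

# Body of one client-config-dir file (the file name is the CN): fixed tunnel
# address plus the route pushed to that client.
ccd_body() {
  pair=$(net30_pair "$2") || return 1
  printf 'ifconfig-push %s\n' "$pair"
  printf 'push "route %s %s"\n' "${3%/*}" "$(cidr2mask "${3#*/}")"
}

# Server-side lines that make the per-CN files take effect.
server_fragment() {
  printf 'dev %s\nserver %s\nclient-config-dir %s\n' "$IFACE" "$POOL" "$CCD_DIR"
}

# pf rules for the "incoming" side the thread asks about: traffic from a
# VPN client enters the firewall on the tun interface, so it is filtered
# there. The block rule has no 'quick', so a later matching pass rule wins;
# each pass rule is scoped to one client's /30 and its allowed LAN.
pf_rules() {
  printf 'block in on %s all\n' "$IFACE"
  echo "$CLIENTS" | while read cn cidr dst; do
    printf 'pass in quick on %s inet from %s to %s   # %s\n' "$IFACE" "$cidr" "$dst" "$cn"
  done
}

write_ccd() {   # $1 = client-config-dir; writes one file per CN
  echo "$CLIENTS" | while read cn cidr dst; do ccd_body "$cn" "$cidr" "$dst" > "$1/$cn"; done
}

CCD_DIR=${CCD_DIR:-$(mktemp -d)}   # assumption: a scratch dir stands in for the real ccd path
write_ccd "$CCD_DIR"
server_fragment
cat "$CCD_DIR"/*
pf_rules
```

Running it prints the server fragment, the three generated ccd files (for example jcasale gets `ifconfig-push 192.168.100.6 192.168.100.5`) and the pf rule set. Note that the tunnel address a client actually receives is the client endpoint of its /30, not the network address typed into the "Interface IP" field, which is why the pf rules match on the whole /30.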
