IPsec and firewall rules

Outer IPsec Traffic

pfSense® software automatically adds hidden firewall rules which allow traffic required to establish enabled IPsec tunnels. The traffic required to establish a tunnel includes:

  • UDP port 500 (or a custom configured Remote IKE Port on a tunnel)

  • UDP port 4500 (or a custom configured Remote NAT-T Port on a tunnel)

  • The ESP protocol

The automatic rules restrict the source to the Remote Gateway IP address (where possible) and the destination to the Interface IP address specified in the tunnel configuration. When mobile client support is enabled, the same firewall rules are added but with the source set to any.

To override the automatic addition of these rules, check Disable all auto-added VPN rules under System > Advanced on the Firewall & NAT tab. When that box is checked, firewall rules must be manually added to allow the appropriate traffic on the correct interface(s) from the expected source(s).
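The following Python model, added here as an illustration and not pfSense code, reproduces the behaviour described above: it derives the hidden allow rules (IKE, NAT-T, ESP) from each enabled tunnel's configuration and checks whether a given outer packet would match them. The Tunnel, Rule and Packet types and their field names are this example's own; the IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tunnel:
    interface_ip: str        # Interface IP selected in the tunnel configuration
    remote_gateway: str      # Remote Gateway IP of the peer (ignored for mobile)
    ike_port: int = 500      # custom Remote IKE Port, if configured
    natt_port: int = 4500    # custom Remote NAT-T Port, if configured
    mobile: bool = False     # mobile client support -> source becomes "any"
    enabled: bool = True     # only enabled tunnels get hidden rules

@dataclass
class Rule:
    proto: str               # "udp" or "esp"
    src: str                 # source IP address or "any"
    dst: str                 # destination (the tunnel's Interface IP)
    dport: Optional[int]     # None for ESP, which carries no port numbers

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def auto_rules(tunnels, disable_auto_rules=False):
    """Hidden allow rules pfSense would add; empty when the
    'Disable all auto-added VPN rules' option is checked (model assumption:
    the source is always pinned to the Remote Gateway for non-mobile tunnels)."""
    if disable_auto_rules:
        return []
    rules = []
    for t in tunnels:
        if not t.enabled:
            continue
        src = "any" if t.mobile else t.remote_gateway
        rules += [Rule("udp", src, t.interface_ip, t.ike_port),   # IKE
                  Rule("udp", src, t.interface_ip, t.natt_port),  # NAT-T
                  Rule("esp", src, t.interface_ip, None)]         # ESP payload
    return rules

def permitted(pkt, rules):
    """True if any hidden rule matches the outer packet; otherwise it is left
    to the remaining interface rules (and the default deny)."""
    for r in rules:
        if (r.proto == pkt.proto and r.dst == pkt.dst
                and r.src in ("any", pkt.src) and r.dport == pkt.dport):
            return True
    return False
```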

Tunneled IPsec Traffic from Remote to Local

The behavior of firewall rules for traffic inside an IPsec tunnel depends on the IPsec Filter Mode option in the Advanced IPsec Settings.

Filtered on IPsec Tab

By default, traffic passed inside a tunnel from the remote end is filtered by rules configured under Firewall > Rules on the IPsec tab (enc0). Those rules control which resources are accessible to remote IPsec users.

Note

By default, all traffic from remote VPN hosts is blocked, as there are no rules on the IPsec tab until a firewall administrator adds them manually.

In this default mode, traffic for transport and VTI mode tunnels does not always behave in a desirable way. This mode prevents VTI from using per-interface rules, NAT, or reply-to, and transport mode can have issues tracking state properly.

Filtered on Assigned IPsec Interfaces

If all tunnels on the firewall are VTI or transport mode, set the IPsec Filter Mode to filter on assigned interfaces instead. When set this way, assigned VTI interfaces can use per-interface rules, NAT, and reply-to as one would typically expect. Additionally, transport mode filtering works as expected with rules on the interfaces involved in transport mode (e.g. WAN, tunneling protocols like GRE, etc.).

The downside of this mode is that all tunnel mode traffic is dropped; only VTI or transport mode traffic can be filtered, because that traffic is handled on separate interfaces (e.g. ipsec1) rather than the shared enc0 interface.

Tunneled IPsec Traffic from Local to Remote

To control traffic in the other direction, from local networks to remote IPsec VPN connected devices or networks, use rules on the local interface where the local device resides. For example, connectivity from hosts on LAN to VPN destinations is controlled by rules on the LAN tab.