IPsec and firewall rules¶
Outer IPsec Traffic¶
pfSense® software automatically adds hidden firewall rules which allow traffic required to establish enabled IPsec tunnels. The traffic required to establish a tunnel includes:
UDP port
500
(or a custom configured Remote IKE Port on a tunnel)UDP port
4500
(or a custom configured Remote NAT-T Port on a tunnel)The ESP protocol
The automatic rules restrict the source to the Remote Gateway IP address (where possible) destined to the Interface IP address specified in the tunnel configuration. When mobile client support is enabled the same firewall rules are added except with the source set to any.
To override the automatic addition of these rules check Disable all auto-added VPN rules under System > Advanced on the Firewall & NAT tab. When that box is checked firewall rules must be manually added to allow appropriate traffic on the correct interface(s) from the expected source(s).
Tunneled IPsec Traffic from Remote to Local¶
The behavior of firewall rules for traffic inside an IPsec tunnel depends on the IPsec Filter Mode option in the Advanced IPsec Settings.
Filtered on IPsec Tab¶
By default traffic passed inside a tunnel from the remote end is filtered by
rules configured under Firewall > Rules on the IPsec tab (enc0
).
Those rules allow and restrict resources made accessible to remote IPsec users.
Note
By default all traffic from remote VPN hosts is blocked as there are no rules on the IPsec tab until they are manually added by a firewall administrator.
In this default mode traffic for transport and VTI mode tunnels does not always
behave in a desirable way. This mode prevents VTI from using per-interface
rules, NAT, or reply-to
; transport mode can have issues tracking state
properly.
Filtered on Assigned IPsec Interfaces¶
If all tunnels on the firewall are VTI or transport mode, then set the IPsec
Filter Mode to filter on assigned interfaces instead. When set this way,
assigned VTI interfaces can use per-interface rules, NAT, and reply-to
as
one would typically expect. Additionally, transport mode filtering works as
expected with rules on the interfaces involved in transport mode (e.g. WAN,
tunneling protocols like GRE, etc).
The downside of this mode is that all tunnel mode traffic is dropped and only
VTI or transport mode traffic can be filtered as it is handled on separate
interfaces (e.g. ipsec1
, not the shared enc0
interface).
Tunneled IPsec Traffic from Local to Remote¶
To control traffic in the other direction, from local networks to remote IPsec VPN connected devices or networks, use rules on the local interface where the local device resides. For example, connectivity from hosts on LAN to VPN destinations is controlled by rules on the LAN tab.