New Member
Posts: 33
Registered: ‎10-20-2016
Kudos: 2

site to site vpn firewall rules

I've got a site-to-site VPN (IPsec) set up from my 10.0.0.0/16 to remote 10.128.0.0/16.

I want to block all traffic to my LAN over the IPsec connection, with the exception of the hosts that I allow. I would have thought this was quite easy, but I've tried lots of things and it just seems to allow everything to traverse the link (which I guess is the permissive default).

Ubiquiti Employee
Posts: 573
Registered: ‎02-13-2018
Kudos: 189
Solutions: 84

Re: site to site vpn firewall rules

If you're using "dynamic routing" (VTI) block the traffic on the source USG on the LAN_IN rules. Make sure you aren't selecting "match IPsec traffic".

This means if you want to block 10.0.0.0/16 --> 10.128.0.0/16 do it on the USG that has the 10.0.0.0/16 network(s). This will ensure you're not sending the traffic over the tunnel only to be blocked on the remote side.

Let me know if I can answer more questions about this for you.
Adam Dipple | UniFi Support Team
New Member
Posts: 33
Registered: ‎10-20-2016
Kudos: 2

Re: site to site vpn firewall rules

OK, remote is not a USG but rather pfSense (but that shouldn't matter?). I want to block on my side so that inbound traffic is dropped (i.e. from 10.128.x.x to 10.0.x.x) except for the machines I allow (I will create a group).

I don't have dynamic routing selected. Should I?

Ubiquiti Employee
Posts: 573
Registered: ‎02-13-2018
Kudos: 189
Solutions: 84

Re: site to site vpn firewall rules

Sorry, I assumed that you were using dynamic routing.

You don't have to use dynamic routing, but it does make it easier to configure and troubleshoot. Since you're wanting to block inbound traffic, you'll need to change up the location of the rules a little.

Instead of placing rules on LAN_IN you should follow this guide that @ubnt_jaffe wrote for policy-based VPNs. https://community.ubnt.com/t5/UniFi-Routing-Switching/Block-VPN-traffic-into-LAN/m-p/2044180#M55762

If you switch to dynamic you should be able to block that inbound traffic on LAN_OUT instead.
Adam Dipple | UniFi Support Team
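Added illustration, not from Adam's reply or from Ubiquiti documentation: assuming the dynamic-routing (VTI) setup he describes, where remote-to-LAN traffic can be filtered on LAN_OUT, this is what the "drop everything from 10.128.0.0/16 except an allowed group" rule set might look like as a config.gateway.json override. The group name, rule numbers (assumed not to collide with controller-managed rules) and the two host addresses are constructed for the example.

```json
{
  "firewall": {
    "group": {
      "address-group": {
        "ALLOWED_REMOTE_HOSTS": {
          "description": "remote hosts permitted into the local LAN (constructed sample)",
          "address": [
            "10.128.1.10",
            "10.128.1.11"
          ]
        }
      }
    },
    "name": {
      "LAN_OUT": {
        "rule": {
          "2010": {
            "action": "accept",
            "description": "allow listed remote hosts into 10.0.0.0/16",
            "source": {
              "group": {
                "address-group": "ALLOWED_REMOTE_HOSTS"
              }
            },
            "destination": {
              "address": "10.0.0.0/16"
            }
          },
          "2020": {
            "action": "drop",
            "description": "drop all other traffic arriving from the remote site",
            "source": {
              "address": "10.128.0.0/16"
            },
            "destination": {
              "address": "10.0.0.0/16"
            }
          }
        }
      }
    }
  }
}
```

Rules are evaluated in ascending number order, so the accept for the group must carry the lower number; after provisioning, check the result with `show firewall name LAN_OUT statistics` on the USG to confirm the drop counter rises for unlisted remote hosts.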
New Member
Posts: 33
Registered: ‎10-20-2016
Kudos: 2

Re: site to site vpn firewall rules

OK, I tried to turn on dynamic routing and my connection went down. Does it require different configuration on the other end? (It's a pfSense firewall.)
