
Firewall LAN rule into "VPN"-Network #167

Open
n3roGit opened this issue Feb 22, 2023 · 3 comments

Comments

n3roGit commented Feb 22, 2023

Hi,
I have a question about your super script.

I was able to get it to run without any problems.
I have built a separate network on the UDM with its own VLAN ID. I set this in the config with FORCED_SOURCE_IPV4="192.168.66.0/24" as the source for my VPN. This works perfectly so far.

But now I would like to access the IPs in the network 192.168.66.0/24 with a rule from my primary network. Unfortunately this does not work as soon as the VPN is up. Do you have a tip on what I have to do here?

peacey (Owner) commented Feb 22, 2023

Hi @n3roGit,

You need to add the local subnets you want to be able to access to EXEMPT_DESTINATIONS_IPV4, or else by default everything goes out the VPN including local traffic.

Please try that and see how it goes.

Thanks!

n3roGit (Author) commented Feb 23, 2023

@peacey, perfect, this works so far.
So that I understand it correctly: the firewall rules of the UDM no longer have any function when I use your script?
After the adjustment, I can now access the new VPN network. However, this now goes in both directions. I want to separate this network completely. Nothing should be able to go out, only the access to the VPN.

peacey (Owner) commented Feb 23, 2023

The UDM explicitly forwards only its own interfaces to the GUI ruleset. Any additional interfaces you add on the command line won't automatically use those Unifi rules. You have two options: you can either add your own custom iptables rules on the command line, or you can make the VPN interface use the Unifi rules so the GUI rules apply to the VPN too.

If you want to make the VPN use the Unifi rules, you can add this snippet to the bottom of your vpn.conf:

```sh
# Runs after the VPN interface ($DEV) comes up: send its traffic through the
# chains that the UniFi GUI populates (LAN In, LAN Out and LAN Local).
hooks_up() {
    iptables -A FORWARD -i "$DEV" -j UBIOS_LAN_IN_USER
    iptables -A FORWARD -o "$DEV" -j UBIOS_LAN_OUT_USER
    iptables -A INPUT -i "$DEV" -j UBIOS_LAN_LOCAL_USER
    ip6tables -A FORWARD -i "$DEV" -j UBIOS_LAN_IN_USER
    ip6tables -A FORWARD -o "$DEV" -j UBIOS_LAN_OUT_USER
    ip6tables -A INPUT -i "$DEV" -j UBIOS_LAN_LOCAL_USER
}

# Runs when the interface goes down: remove the same jumps again. The
# "|| true" keeps the hook from failing if a rule is already gone.
hooks_down() {
    iptables -D FORWARD -i "$DEV" -j UBIOS_LAN_IN_USER || true
    iptables -D FORWARD -o "$DEV" -j UBIOS_LAN_OUT_USER || true
    iptables -D INPUT -i "$DEV" -j UBIOS_LAN_LOCAL_USER || true
    ip6tables -D FORWARD -i "$DEV" -j UBIOS_LAN_IN_USER || true
    ip6tables -D FORWARD -o "$DEV" -j UBIOS_LAN_OUT_USER || true
    ip6tables -D INPUT -i "$DEV" -j UBIOS_LAN_LOCAL_USER || true
}
```

Then you will be able to use the Unifi GUI to define rules for this VPN network. But note that the rules are only about blocking/allowing traffic. They do not define what gets forwarded or exempted from the VPN, which you need to use FORCED_* and EXEMPT_* variables for in vpn.conf.
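A worked version of the same hook idea, added here as an example and not code from the project or from peacey: each jump is checked with `-C` before it is appended, so a reconnect that re-runs hooks_up does not stack a second copy of the rule, and hooks_down deletes every instance rather than one. DEV, hooks_up and hooks_down follow the hook contract shown in the snippet above; IPT, IP6T, SIM_DIR and the sim_* helpers are constructed for this example so the hooks can be exercised on a machine that is not a UDM.

```shell
#!/bin/sh
# Added example, not the project's or peacey's own code: idempotent vpn.conf
# hooks that attach the VPN interface to the UniFi GUI rule chains.
# DEV, hooks_up and hooks_down follow the hook contract shown in the thread;
# IPT, IP6T, SIM_DIR and the sim_* helpers are constructed for this example.

: "${DEV:=wg0}"        # the VPN script sets DEV before calling the hooks
: "${IPT:=iptables}"   # set to sim_iptables / sim_ip6tables for a dry run
: "${IP6T:=ip6tables}"

# One rule per GUI-managed chain; the same spec is used for v4 and v6.
unifi_rule_specs() {
    printf '%s\n' \
        "FORWARD -i $DEV -j UBIOS_LAN_IN_USER" \
        "FORWARD -o $DEV -j UBIOS_LAN_OUT_USER" \
        "INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER"
}

# ensure_rule TOOL RULE...: append only when the check (-C) says the rule is
# absent, so a reconnect that re-runs hooks_up never stacks a second jump.
ensure_rule() {
    tool=$1; shift
    "$tool" -C "$@" 2>/dev/null || "$tool" -A "$@"
}

# remove_rule TOOL RULE...: delete every instance, succeed if none exist.
remove_rule() {
    tool=$1; shift
    while "$tool" -C "$@" 2>/dev/null; do
        "$tool" -D "$@"
    done
    return 0
}

hooks_up() {
    unifi_rule_specs | while read -r spec; do
        # $spec is unquoted on purpose so it splits into iptables arguments
        ensure_rule "$IPT" $spec
        ensure_rule "$IP6T" $spec
    done
}

hooks_down() {
    unifi_rule_specs | while read -r spec; do
        remove_rule "$IPT" $spec
        remove_rule "$IP6T" $spec
    done
}

# ---- constructed simulator: exercises the hooks without touching netfilter.
# Each family keeps a flat rule list in $SIM_DIR; only -C/-A/-D are handled.
: "${SIM_DIR:=/tmp/sim_xtables.$$}"
sim_xtables() {
    family=$1; op=$2; shift 2
    mkdir -p "$SIM_DIR"; table="$SIM_DIR/$family"; : >> "$table"
    case $op in
        -C) grep -Fxq -- "$*" "$table" ;;
        -A) printf '%s\n' "$*" >> "$table" ;;
        -D) grep -Fxv -- "$*" "$table" > "$table.new" || true
            mv "$table.new" "$table" ;;
        *)  echo "sim_xtables: unsupported op $op" >&2; return 2 ;;
    esac
}
sim_iptables()  { sim_xtables v4 "$@"; }
sim_ip6tables() { sim_xtables v6 "$@"; }

# sim_rule_count: total simulated rules across both families.
sim_rule_count() {
    cat "$SIM_DIR/v4" "$SIM_DIR/v6" 2>/dev/null | wc -l | tr -d ' '
}
```

On the UDM itself, leave IPT and IP6T unset so the real iptables and ip6tables are used and the hooks behave like peacey's snippet, only without duplicate jumps after reconnects. For a dry run elsewhere, export IPT=sim_iptables IP6T=sim_ip6tables before calling hooks_up and inspect the files under SIM_DIR. As peacey notes above, these jumps only decide what the GUI rules block or allow; which traffic enters or bypasses the VPN is still governed by the FORCED_* and EXEMPT_* variables.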
