Firewall LAN rule into "VPN"-Network #167
Comments
Hi @n3roGit, You need to add the local subnets you want to be able to access to EXEMPT_DESTINATIONS_IPV4, or else by default everything goes out the VPN including local traffic. Please try that and see how it goes. Thanks!

@peacey perfect this works so far.
The UDM explicitly forwards only its interfaces to the GUI ruleset. Any additional interfaces you add in command line won't automatically use those Unifi rules. You have two options: you can either add your own custom iptables rules in command line, or you can add the VPN interface to use the Unifi rules so the GUI rules apply to the VPN too. If you want to make the VPN use the Unifi rules, you can add this snippet to the bottom of your vpn.conf:

```sh
hooks_up() {
    # Hand traffic on the VPN interface ($DEV) to the UniFi GUI chains
    iptables -A FORWARD -i $DEV -j UBIOS_LAN_IN_USER
    iptables -A FORWARD -o $DEV -j UBIOS_LAN_OUT_USER
    iptables -A INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER
    ip6tables -A FORWARD -i $DEV -j UBIOS_LAN_IN_USER
    ip6tables -A FORWARD -o $DEV -j UBIOS_LAN_OUT_USER
    ip6tables -A INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER
}

hooks_down() {
    # Remove the same rules when the VPN goes down; "|| true" keeps the hook from
    # failing if a rule was already gone
    iptables -D FORWARD -i $DEV -j UBIOS_LAN_IN_USER || true
    iptables -D FORWARD -o $DEV -j UBIOS_LAN_OUT_USER || true
    iptables -D INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER || true
    ip6tables -D FORWARD -i $DEV -j UBIOS_LAN_IN_USER || true
    ip6tables -D FORWARD -o $DEV -j UBIOS_LAN_OUT_USER || true
    ip6tables -D INPUT -i $DEV -j UBIOS_LAN_LOCAL_USER || true
}
```

Then you will be able to use the Unifi GUI to define rules for this VPN network. But note that the rules are only about blocking/allowing traffic. They do not define what gets forwarded or exempted from the VPN, which you need to use
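An added check to go with the hook snippet above (my own example, not code from the thread or from the VPN script it discusses): once hooks_up() has run, confirm from an `iptables -S` dump that all three jump rules for the VPN interface are really in place, list any that are missing, and spot duplicates left behind when hooks_up() runs twice without hooks_down() (the snippet uses `-A`, which appends even if the rule already exists). The interface name `tun0`, the chain order and the rule dumps are constructed for the example; on the UDM you would pass `"$(iptables -S)"` or `"$(ip6tables -S)"` instead of the sample text, since both print rules in the same form.

```shell
#!/bin/sh
# Added example (not from the thread or the VPN script it discusses): verify the
# hooks_up() rules against an `iptables -S` dump passed in as text, so it runs offline.

# Print the expected hook rules for interface $1 that are absent from dump $2,
# one per line. Prints nothing when all three are present.
missing_rules() {
    dev="$1"
    dump="$2"
    for rule in \
        "-A FORWARD -i $dev -j UBIOS_LAN_IN_USER" \
        "-A FORWARD -o $dev -j UBIOS_LAN_OUT_USER" \
        "-A INPUT -i $dev -j UBIOS_LAN_LOCAL_USER"
    do
        # -x: whole-line match, -F: literal string, "--" because the rule starts with "-"
        printf '%s\n' "$dump" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# Exit status 0 when every hook rule for interface $1 is present in dump $2.
hooks_present() {
    [ -z "$(missing_rules "$1" "$2")" ]
}

# How many times rule $1 appears in dump $2; more than 1 means hooks_up() ran
# again without hooks_down() and appended a duplicate.
rule_count() {
    printf '%s\n' "$2" | grep -cxF -- "$1"
}

# Constructed sample of `iptables -S` output after hooks_up() ran for tun0
# (interface name and chain order are assumptions for the example).
SAMPLE_OK='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N UBIOS_LAN_IN_USER
-N UBIOS_LAN_LOCAL_USER
-N UBIOS_LAN_OUT_USER
-A INPUT -i tun0 -j UBIOS_LAN_LOCAL_USER
-A FORWARD -i tun0 -j UBIOS_LAN_IN_USER
-A FORWARD -o tun0 -j UBIOS_LAN_OUT_USER'

# Constructed dump where the outbound FORWARD hook never got added.
SAMPLE_PARTIAL='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N UBIOS_LAN_IN_USER
-N UBIOS_LAN_LOCAL_USER
-N UBIOS_LAN_OUT_USER
-A INPUT -i tun0 -j UBIOS_LAN_LOCAL_USER
-A FORWARD -i tun0 -j UBIOS_LAN_IN_USER'

# Constructed dump after hooks_up() ran twice: the INPUT hook is duplicated.
SAMPLE_DUP="$SAMPLE_OK
-A INPUT -i tun0 -j UBIOS_LAN_LOCAL_USER"

# Report on one named dump.
report() {
    if hooks_present tun0 "$2"; then
        echo "$1: all hook rules present for tun0"
    else
        echo "$1: missing hook rules for tun0:"
        missing_rules tun0 "$2"
    fi
}

report SAMPLE_OK "$SAMPLE_OK"
report SAMPLE_PARTIAL "$SAMPLE_PARTIAL"
echo "SAMPLE_DUP: INPUT hook appears $(rule_count '-A INPUT -i tun0 -j UBIOS_LAN_LOCAL_USER' "$SAMPLE_DUP") time(s)"
```

Run it against the live box with `missing_rules "$DEV" "$(iptables -S)"` (and again with `ip6tables -S`) after the VPN comes up; an empty result means the GUI rules are actually being applied to the VPN interface, and a non-empty one tells you exactly which jump to look for.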
Hi,
I have a question about your super script.
I was able to get it to run without any problems.
I have built a separate network on the UDM with its own VLAN ID. I set this in the config with FORCED_SOURCE_IPV4="192.168.66.0/24" as source for my VPN. This works perfectly so far.
But now I would like to access the IPs in the network 192.168.66.0/24 with a rule from my primary network. Unfortunately this does not work as soon as the VPN is up. Do you have a tip on what I have to do here?