Filtering VPN networks may be a difficult task to do. You are trying to combine the goal to connect two networks, but allow only limited access for some servers or clients. This page is going to give you a few best practises about how to do things and right and shows some common use cases.

The default settings

By default, IPFire grants you to access anything on the remote site and the remote site is granted to access any resource on your local network. This is usually the kind of connection users want if they fully trust the remote party. If there is any doubt, you should consider to restrict access with help of the IPFire firewall.

Step 1: Blocking all remote access

The first step is always to block the entire remote traffic and then add more rules that release this restriction a little bit again.

For blocking, create an new firewall rule and select the remote site as source and your local network (e.g. GREEN) as destination. Pick the DROP or REJECT action and hit "Add".

Now all packets originating from the remote network are not allowed to pass through to your local network any more. You got a one-directional VPN now, as you are still permitted to connect to the remote site from your local network. The returning packets are automatically recognized by the connection tracking and allowed to pass. If you don't want that, add an other block rule like the one above, but swap source and destination.

Step 2: Releasing restrictions

Now you want to grant access from your entire local network or host to a remote host or a part of the network. In order to realise this, you simply need to create a new rule with the desired source and destination hosts or networks, possibly limit the protocol and ports, select ACCEPT as rule action and save.

Note, that it is very important that this new rule comes before the blocking rules. Use the arrows to put it to the right position. All firewall rules are evaluated from top to bottom and it is stopped as soon as the first rule matches!

For professionals: IP masquerading

In some cases, it makes sense to hide the originating IP address. Reasons may be privacy or simply to make routing a bit easier. For that the ACCEPT rules created above can be edited and Source NAT can be enabled. Simply select the corresponding IP address of the local VPN subnet. Doing this, it appears for the recipient of the packet that it was sent from your local firewall system.

This works in both ways, for incoming and outgoing packets. For the first, if a connection is established from the remote site, your local clients receive packets with source address from the local firewall; for the latter all packets are translated before traversing the VPN and the remote recipients receive them as if they were sent from the IPFire firewall. This trick masquerades the original sender of the packet.