For this I use client-to-client and the client-pf of the management interface.
In general.
Systems are behind an openvpn client that automatically connects to the router (periodically).
Engineers use openvpn clients and connect to the same router.
Systems and Engineers all have their own certificate by which they can be identified.
To control the traffic I planned to make use of the management interface client-pf feature.
I have client-to-client enabled.
I deny any traffic, except between one System and zero or more Engineers.
Engineers can never be connected to multiple Systems at the same time.
Systems never connect to systems.
E.g. when connecting engineer_A to system_A
system_A gets:

    [CLIENTS DROP]
    engineer_A
    [SUBNETS DROP]
    [END]

    [CLIENTS DROP]
    system_A
    [SUBNETS DROP]
    [END]

    [CLIENTS DROP]
    [SUBNETS DROP]
    [END]

(OpenVPN is not restarted here.)
system_A gets:

    [CLIENTS DROP]
    [SUBNETS DROP]
    [END]

    [CLIENTS DROP]
    system_B
    [SUBNETS DROP]
    [END]

    [CLIENTS DROP]
    engineer_A
    [SUBNETS DROP]
    [END]
Initially engineer_A can ping the network behind the client of system_A.
But when I change to engineer_A <=> system_B, engineer_A cannot ping the network of the client behind system_A or system_B.
However when I change back to engineer_A <=> system_A, engineer_A can access the network behind the client of system_A again.
The first configuration since the start of the OpenVPN server always works.
Any ideas what's going wrong here?
Thanks in advance,
Henk
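As an added example (not code from Henk's post or from OpenVPN itself), the pairing policy described above written out as management-interface client-pf text: the helper reads the `>CLIENT:CONNECT` / `>CLIENT:ENV` notifications to learn each client's CID and common name, then builds one `client-pf` command per connected client, where an engineer may reach only its paired system, a system only its engineers, and everyone else gets a drop-all filter. It assumes the server runs with `management-client-pf` and that the returned text is written to the management socket by code not shown; the sample notifications are constructed, not a capture.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    cid: str          # client id from ">CLIENT:CONNECT,{CID},{KID}"
    common_name: str  # certificate CN, e.g. "system_A" or "engineer_A"

def parse_connect_notifications(text):
    """Pair each >CLIENT:CONNECT with the common_name from its ENV lines."""
    peers, cid, cn = [], None, None
    for line in text.splitlines():
        if line.startswith(">CLIENT:CONNECT,"):
            cid, cn = line.split(",")[1], None
        elif line.startswith(">CLIENT:ENV,common_name="):
            cn = line.split("=", 1)[1]
        elif line == ">CLIENT:ENV,END" and cid is not None:
            if cn is not None:
                peers.append(Peer(cid, cn))
            cid, cn = None, None
    return peers

def client_pf_text(cid, allowed_cns):
    """One client-pf command: listed CNs are the exceptions to [CLIENTS DROP]; [END] closes the filter, END the command."""
    lines = [f"client-pf {cid}", "[CLIENTS DROP]", *sorted(allowed_cns),
             "[SUBNETS DROP]", "[END]", "END"]
    return "\n".join(lines) + "\n"

def build_filters(peers, pairings):
    """pairings maps engineer CN -> the single system CN it may reach.
    Returns {cid: client-pf text}; anyone not in a pairing gets a drop-all filter."""
    engineers_of = {}
    for eng, sys_cn in pairings.items():
        engineers_of.setdefault(sys_cn, set()).add(eng)
    filters = {}
    for p in peers:
        if p.common_name in pairings:      # engineer: reach only its system
            allowed = {pairings[p.common_name]}
        else:                              # system: reach its engineers, if any
            allowed = engineers_of.get(p.common_name, set())
        filters[p.cid] = client_pf_text(p.cid, allowed)
    return filters

# Constructed sample of management-interface notifications (not a real capture).
SAMPLE = (">CLIENT:CONNECT,1,1\n>CLIENT:ENV,common_name=system_A\n>CLIENT:ENV,END\n"
          ">CLIENT:CONNECT,2,1\n>CLIENT:ENV,common_name=system_B\n>CLIENT:ENV,END\n"
          ">CLIENT:CONNECT,3,1\n>CLIENT:ENV,common_name=engineer_A\n>CLIENT:ENV,END\n")

if __name__ == "__main__":  # engineer_A moved from system_A to system_B, as in the post
    for t in build_filters(parse_connect_notifications(SAMPLE), {"engineer_A": "system_B"}).values():
        print(t)
```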