Kill states created by nat?
-
Hi guys
I have a PC on the LAN that connects via VPN to a remote server. I sometimes want to cut it off the net, and I have created a rule that blocks connections from its IP. But that doesn't kill the VPN that is already connected...
If I try to use pfctl -k it kills some states, but not the VPN, I think because the PC is accessing the internet via NAT on pfSense. pfctl -s shows this, after killing the ones from the IP:
all tcp my.wan.ip.here:34568 (lan.ip.of.pc:57798) -> remote.vpn.server.ip:443 ESTABLISHED:ESTABLISHED
quite a few of them, that was just an example.
The question is: how do I kill those states, or connections?
Thanks -
@Cobrax2 said in Kill states created by nat?:
The question is: how do i kill those states, or connections?
I don't get it, but you can make an allow rule for that connection only and then press the x next to it to kill it.
-
@Cobrax2 There's some work to implement what I think you're asking for: https://redmine.pfsense.org/issues/11556
That'll land in the next major release, but I believe the pfctl and pf bits are already in 2.7.2/23.09.1. That'll let you kill states based on the pre-NAT address with pfctl -k nat -k <lan ip>.
-
@Bob-Dig said in Kill states created by nat?:
@Cobrax2 said in Kill states created by nat?:
The question is: how do I kill those states, or connections?
I don't get it, but you can make an allow rule for that connection only and then press the x next to it to kill it.
You mean make a rule that allows any from the LAN IP of the PC to * and then it will kill the VPN too?
-
@Bob-Dig Tried that, the "x" doesn't kill the VPN; I guess it doesn't see the NAT connection :(
-
You should still be able to kill the LAN-side part of the connection. You should be able to kill the WAN state too, but you might not be able to if you have filtered the table and you are trying to kill all listed states.
-
@stephenw10 It probably does kill the LAN part, but the VPN is still working fine and uninterrupted.
-
It's possible the UDP VPN traffic is re-opening the LAN state outbound. You should be able to see that in the state table.
If that is the case you could add a floating block rule outbound on LAN to prevent it opening the state that way.
Steve
-
@stephenw10 No no, the rule blocks new connections right. But those started by the WAN IP don't get killed. Is there a way to kill them?
-
It shouldn't matter if the LAN state is killed and cannot be re-created.
-
@stephenw10 So what do I do? Besides flushing all states or NAT.
-
Add a floating outbound block rule on LAN that specifically matches the VPN reply traffic. So maybe UDP with source port 1194 if it's OpenVPN. Or maybe using the server IP address as source.
But as I said, check the state table to make sure that's what is happening. You should be able to see a difference between a state created by the traffic from the LAN client and one that's opened by the reply traffic from the server.
-
@stephenw10 It's not OpenVPN, it's GlobalProtect, it's a company PC with multiple servers :(
-
Well use the client as destination then. What ports is it using? If they are fixed you can include that to be more specific.
But check it really is re-opening states from WAN first.
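To do the state-table check suggested above and pick out the NAT'd states belonging to one LAN host, here is an added example (not from the thread or from pfSense): it parses `pfctl -ss`-style lines in the format quoted earlier, where the pre-NAT address appears in parentheses, and prints the pfctl commands an admin would run. The sample states and all addresses are constructed placeholders; `pfctl -k nat -k` is the option mentioned in the thread, and the fallback `pfctl -k <src> -k <dst>` is the long-standing source/destination host kill.

```shell
#!/bin/sh
# Added example: find the NAT'd states that a given LAN host originated and
# print the pfctl commands that would kill them. Nothing here runs pfctl; it
# reads state lines on stdin so it can be tried on saved `pfctl -ss` output.
# Expected line format (from the thread):
#   all tcp WAN:port (LAN:port) -> SERVER:port ESTABLISHED:ESTABLISHED
# Constructed sample; 203.0.113.10 is the WAN, 192.168.1.x are LAN hosts.
SAMPLE_STATES='all tcp 203.0.113.10:34568 (192.168.1.50:57798) -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:40001 (192.168.1.50:40001) -> 198.51.100.8:4501 MULTIPLE:MULTIPLE
all tcp 203.0.113.10:34569 (192.168.1.51:51000) -> 198.51.100.9:443 ESTABLISHED:ESTABLISHED
all tcp 192.168.1.50:57798 -> 198.51.100.7:443 ESTABLISHED:ESTABLISHED'

# nat_states_for LAN_IP: print only the WAN-side (NAT'd) states whose pre-NAT
# address, the one in parentheses, is LAN_IP. The LAN-side state for the same
# flow has no parentheses and is left out; pfctl -k <lan ip> already kills it.
nat_states_for() {
    awk -v ip="$1" '
        $4 ~ /^\(/ {
            inner = substr($4, 2, length($4) - 2)   # strip the parentheses
            sub(/:[0-9]+$/, "", inner)               # strip the port
            if (inner == ip) print
        }'
}

# kill_commands_for LAN_IP: emit the pre-NAT kill from the thread first, then a
# fallback for pf builds without "-k nat". The fallback matches on WAN source
# and remote host, so it also hits other LAN clients NAT'd to that same server;
# review the list before running it.
kill_commands_for() {
    printf 'pfctl -k nat -k %s\n' "$1"
    nat_states_for "$1" | awk '{
        wan = $3; sub(/:[0-9]+$/, "", wan)
        dst = $6; sub(/:[0-9]+$/, "", dst)
        printf "pfctl -k %s -k %s\n", wan, dst
    }' | sort -u
}

# Usage: substitute `pfctl -ss |` for the printf to run against a live table.
printf '%s\n' "$SAMPLE_STATES" | nat_states_for 192.168.1.50
printf '%s\n' "$SAMPLE_STATES" | kill_commands_for 192.168.1.50
```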