Pass rule blocked on default gateway on VPN

randombits

I have ProtonVPN setup as a client and goes via VLAN999 to my AP. I have pfBlockerNG on all interfaces with two pass whilelists at the top. However, on the VPN with those whitelists enabled blocks access to those sites over the VPN. If I disable those lists the VPN works ok all the other interfaces work ok with them on. The lists contain sites that are blocked by some pfblocker lists

screencapture-192-168-2-210-firewall-rules-php-2024-04-26-10_15_24.png

Added a couple more images
screencapture-192-168-2-210-firewall-rules-php-2024-04-26-10_27_23.png screencapture-192-168-2-210-interfaces-assign-php-2024-04-26-10_27_03.png

viragomann

@randombits said in Pass rule stopping internet on VPN:

on the VPN with those whitelists enabled blocks access to those sites over the VPN. If I disable those lists the VPN works ok all the other interfaces work ok with them on.

Which one? The whitelists?

Which DNS server do the devices in this subnet use?
Remember that you have only allowed them to use one of the whitelists or one, that is accessible via VPN.

randombits

@viragomann Yes the white lists, It appears to work backwards pass rules enabled blocks and disabled (ON) works ok. The DNS are pfsense apart from the ProtonVPN which is 10.8.8.1 given by Proton - I think.

The sites I used are thepriratebay.org and limetorrents.lol which are whitelisted. With the pass rules on everything else work ok apart from those two sites.

randombits

@viragomann said in Pass rule stopping internet on VPN:

Remember that you have only allowed them to use one of the whitelists or one, that is accessible via VPN

Sorry, I'm not sure what you mean.

Do you mean the whitelists have to go out via the VPN gateway rather than any (*) ? - Although I think I tried that yesterday.

viragomann

@randombits said in Pass rule stopping internet on VPN:

The sites I used are thepriratebay.org and limetorrents.lol which are whitelisted.

So these two site are the content of the whitelist aliases?

Not clear, what you try to achieve here.
The whitlelists obviously include torrent sites, but you allow any source to access them. On the other hand you have a rule to direct any other destinations to the VPN gateway.
This means, only the two whitelisted sites are going to the default gateway. Is this, what you want?

So there is arising the question, what is the default gateway?

What exactly does not work? Accessing the two sites in the whitelist aliases or anything else?

And again, which DNS server is configured on the device, you have issues?

randombits

@viragomann The two sites are in the context of the whitelists. The two sites are blocked by existing pfblocker lists so therefore, unblocked in the whitelist at the top of the rules. I assumed the lists would be 'parsed' being in the 999 vlan and passed out to Proton via the gateway at the bottom of the list.

The idea is to have all torrent data go via proton including the two whitelisted sites. The torrent server is on another server but I was testing using wifi ssid's vlans.

The default gateway in the wan.

Incidentally, ALL the traffic goes over a single NIC on a tiny Lenovo server running Proxmox.

ADSLModem VLAN 1000 > Switch >Proxmox >pfSense
Wifi AP VLAN 999 . . . . . . .>^

screencapture-192-168-2-210-firewall-rules-edit-php-2024-04-26-10_46_32.png screencapture-192-168-2-210-system-gateways-php-2024-04-26-10_36_40.png
screencapture-192-168-2-210-pfblockerng-pfblockerng-category-php-2024-04-26-14_02_52.png

randombits

I've just added again the Proton gateway to each of the whitelist pass rules and seems to be working now - All very odd

Swapping back and forth between to wifi ssid could have caused issues and stuck pfsense states ..

viragomann

@randombits
Not clear to me, why you got no connection before.
As mentioned to whitelist rule would let out the traffic on WAN without the VPN gateway stated, since WAN is the default.
But since this rule don't tag the traffic, it should not be blocked by the killswitch.

So the only reason I can think of, is that the destination is blocked in the WAN, by your provider.

randombits

@viragomann Definitely not my ISP they don't anything ports,sites etc , for one it works ok via my ISP over my normal wifi ssid.

What I think it was the rules were working but blocked from the default WAN via the tagged floating kill switch rule I'm not sure though.

viragomann

@randombits
But according to your screenshots, the whitelist rules don't tag the packets. So the kill-switch rule shouldn't be applied to them.

randombits

@viragomann Agreed, All very odd. Having been at this most of yesterday and now today I'll give it a rest for bit !. Thanks for making me think some more - sometimes another pair of eyes helps !

randombits

I forgot to add, the whole reason behind this I'm going to change to new fibre ISP that blocks a lot of sites and uses CGNAT but faster that my current ADSL.

I still can't figure out what the original issue is/was though

Bob.Dig

@randombits said in Pass rule stopping internet on VPN:

I still can't figure out what the original issue is/was though

I don't think you can just add two FQDNs and everything is working. Even if you talk about just those two Websites, they will use additional FQDN and CDNs etc.
Also using this many "Feeds" for a torrent app is not smart to begin with. All those lists are not for torrenting, most of them are at least partially against it. Just Stop it. Don't use any blocklist for torrenting unless you find one specific for this and your usecase. I don't know one.

randombits

@Bob-Dig The two sites are both in ip ranges and one in the DNS list. I wish to block some 'areas' I download and share torrents with. Admittedly they could be better trimmed more appropriately rather than just add from from the LAN.

The problems is with the pass rule list added with default gateway (*) it blocks and doesn't send out via the default gateway, when it's set to the gateway ProtonVPN it works ok, I have no idea why. It does the same if I manually add the pass rule to.

The whitelist rule is working but not going out via the default gateway

Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-

randombits

SOLVED

After a rethink I discovered no auto created outbound NAT rule (set to manual) added that and now everythings works as expected.