Netgate Discussion Forum
    This seems over complicated.

    OpenVPN
    • gregeeh

      Hi all,

      pfSense 2.3.4 with OpenVPN client connected to my VPN Provider.

      Can someone please let me know if I have done this correctly? It does work, but it seems overcomplicated. I want to prevent any traffic from VPN hosts from egressing the WAN and have followed the instructions at:
      https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

      I also want a WAN IP 110.232.140.75 not to go out the VPN but via the WAN instead at all times.

      So I set up a static route:

      Created the floating rule:

      Excluded 110.232.140.75 from my LAN-to-VPN rule:

      TIA

      Greg

      pfSense running on Qotom mini PC
      CPU N3150, 2 GB memory, 32 GB SSD & 2 Realtek Gb Ethernet ports.
      UniFi AC-Lite access point

      • johnpoz LAYER 8 Global Moderator

        If you have a rule that sends traffic down your VPN connection, that VPN connection is down, and you did not checkmark "do not create rule when gateway is down" in the gateway monitoring section of Advanced > Misc, then the rule when the gateway is down will be the same rule, just without the gateway set, so yeah, traffic can route out the normal gateway.

        Another way to do it: set it so the rule is not created. Then if your VPN is down the rest of your rules are evaluated, so if you have a rule below that allows the traffic, they could get out your normal WAN. If you don't have a rule that allows them, then they wouldn't.

        All comes down to how you want to do it. Depending on how many networks you have and how many WAN interfaces, this way might be simpler to cover all the bases with. There are multiple threads about this all over the forum. What you do exactly depends on many factors of how you want to skin the cat, and what sort of cat it is - is it a Bobtail or a Siamese or maybe Chartreux, etc. etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

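        The two failure modes the reply describes (gateway stripped from the rule vs. rule not created, with a permissive rule underneath) are easy to reason about with a small model. The following Python is a constructed illustration added to this thread; it is not code from either poster, from pfSense, or from the linked guide. It assumes the linked approach tags traffic on the LAN pass rule and blocks tagged traffic with a floating rule on WAN out (an assumption about that guide, made because outbound NAT rewrites the source address before the floating rule sees it, so the tag is what survives). The rule fields, the gateway names WAN_GW/VPN_GW, the LAN subnet and the test destination 198.51.100.7 are made up; 110.232.140.75 is the WAN-only destination from the original post.

```python
"""Model of pfSense-style policy routing when the VPN gateway goes down.

Constructed illustration, not pfSense code. Interface rules are first-match;
a floating "block out" rule on WAN only matches packets carrying the tag set
by the LAN rule (assumed from the linked guide).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

WAN_GW = "WAN_GW"   # hypothetical gateway names
VPN_GW = "VPN_GW"


@dataclass(frozen=True)
class Rule:
    """One firewall rule, reduced to the fields this model needs."""
    action: str                     # "pass" or "block"
    iface: str                      # "LAN" interface rule, or "WAN" floating out rule
    src: str = "any"                # source network (CIDR) or "any"
    dst: str = "any"                # destination network (CIDR) or "any"
    dst_negate: bool = False        # "invert match" on destination
    gateway: Optional[str] = None   # policy-routing gateway; None = default route (WAN)
    tag: Optional[str] = None       # tag applied to matching packets (LAN rule)
    tagged: Optional[str] = None    # only match packets carrying this tag (floating rule)


def _net_match(spec: str, addr: str, negate: bool = False) -> bool:
    hit = spec == "any" or ip_address(addr) in ip_network(spec)
    return not hit if negate else hit


def effective_rules(rules: List[Rule], vpn_up: bool, skip_when_down: bool) -> List[Rule]:
    """Apply the 'skip rules when gateway is down' setting from the reply:
    unchecked -> the rule stays but loses its gateway; checked -> the rule is not created."""
    out: List[Rule] = []
    for r in rules:
        if r.gateway == VPN_GW and not vpn_up:
            if skip_when_down:
                continue
            r = replace(r, gateway=None)
        out.append(r)
    return out


def route_packet(lan_rules: List[Rule], floating_out: List[Rule], src: str, dst: str,
                 vpn_up: bool, skip_when_down: bool) -> str:
    """Return where a LAN packet ends up: "VPN", "WAN" or "BLOCKED"."""
    tag, egress = None, None
    for r in effective_rules(lan_rules, vpn_up, skip_when_down):
        if r.iface == "LAN" and _net_match(r.src, src) and _net_match(r.dst, dst, r.dst_negate):
            if r.action == "block":
                return "BLOCKED"
            tag = r.tag
            egress = "VPN" if r.gateway == VPN_GW else "WAN"
            break                      # first match wins on an interface
    if egress is None:
        return "BLOCKED"               # implicit default deny
    if egress == "WAN":                # floating out rules on WAN see only the tag (post-NAT)
        for r in floating_out:
            if r.iface == "WAN" and r.action == "block" and r.tagged == tag:
                return "BLOCKED"
    return egress


LAN = "192.168.1.0/24"                 # constructed LAN subnet
WAN_ONLY_HOST = "110.232.140.75/32"    # destination from the thread that must always use the WAN

LAN_RULES = [
    # LAN -> VPN rule with the WAN-only host excluded, tagged so it can never leave via WAN
    Rule("pass", "LAN", src=LAN, dst=WAN_ONLY_HOST, dst_negate=True, gateway=VPN_GW, tag="NO_WAN_EGRESS"),
    # permissive rule below it: carries the excluded host out the WAN, and is the leak the reply warns about
    Rule("pass", "LAN", src=LAN),
]
FLOATING_OUT = [Rule("block", "WAN", tagged="NO_WAN_EGRESS")]


def scenarios() -> Dict[Tuple[bool, bool, bool], Tuple[str, str]]:
    """Map (vpn_up, skip_when_down, floating_block_present) -> (general traffic, WAN-only host)."""
    result = {}
    for vpn_up in (True, False):
        for skip in (False, True):
            for floating in (FLOATING_OUT, []):
                result[(vpn_up, skip, bool(floating))] = (
                    route_packet(LAN_RULES, floating, "192.168.1.10", "198.51.100.7", vpn_up, skip),
                    route_packet(LAN_RULES, floating, "192.168.1.10", "110.232.140.75", vpn_up, skip),
                )
    return result


if __name__ == "__main__":
    for (vpn_up, skip, floating), (general, host) in scenarios().items():
        print(f"vpn_up={vpn_up!s:5} skip_when_down={skip!s:5} floating_block={floating!s:5} "
              f"-> general: {general:7} wan-only host: {host}")
```

        With the VPN up, general traffic takes the VPN and the excluded host takes the WAN. With the VPN down and the skip setting unchecked, the LAN rule still matches and still tags, so the floating block catches the now WAN-bound traffic; remove the floating rule and it leaks. With the skip setting checked, the tagged rule is never created, the permissive rule underneath matches untagged, and the floating rule cannot help, which is the second case the reply describes: the leak is prevented only if no later rule allows the traffic.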
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.