Netgate Discussion Forum
    [Solved] How to block traffic when VPN is down

Category: OpenVPN (7 posts, 4 posters, 11.2k views)
luniq:

      Hi,
How do you stop traffic that is supposed to go to a VPN gateway when the VPN is down? I am using a VPN service and configured it following a tutorial I found here. It works with no problem; I configured it using firewall rules to allow only specific traffic to go through the VPN gateway. My problem is that when the VPN is down, all the traffic that should go through the VPN gateway gets redirected to the default gateway, which is what I don't want it to do. I want the traffic to be blocked if the VPN is down. How can I do this? Thanks.


luniq:

I think I have solved this by making NAT outbound rules to disable NAT on the WAN interface for traffic that should go through the VPN. I have set one PC in my network to only access the VPN by creating a firewall rule to go through the VPN gateway and creating a NAT disable rule on the WAN interface, then putting the NAT rule on top. While the VPN is running it can traceroute Google with no problem, and when the VPN is down traceroute would not work. I also tried pinging Google and it also wouldn't work when the VPN is down. Looks OK to me.


cmb:

That's an option. It's still going out WAN in that case, but it won't actually reach the destination. Or shouldn't; your ISP should be dropping private-IP-sourced traffic. It could theoretically make it all the way to its destination, but the reply won't go back.

          You can actually block that traffic using a quick floating rule matching out on WAN.


luniq:

I have added the floating rule like you said, blocking the LAN subnet from going out WAN, and it is working. I enabled logging and can see the traffic being blocked when I disable the VPN. Trying to ping gives 'Destination host unreachable' instead of just reporting packet loss. I believe the problem is now completely solved, thanks for the tip.


gekko:

Can someone please explain, perhaps with a screenshot, how to apply this floating rule for a single client? I have 3 clients in the network and only one is using the VPN connection established with pfSense.
I have now spent 2 days trying to block traffic on this client when the VPN connection is shut down.

              thanks in advance


deltalord:

I suppose the OP is talking about a setup similar to this one:

[screenshot: NAT Manual Outbound Overview]

[screenshot: NAT deny rule]

[screenshot: Firewall Rules]

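The setup the thread converges on (luniq's no-NAT outbound rule, cmb's floating block rule, and the per-client variant gekko asks about), written out as pf rules of the kind pfSense generates from those GUI entries. This is an added illustration, not from any post or screenshot in the thread; the interface names (em0 for WAN, em1 for LAN, ovpnc1 for the OpenVPN client), the 192.168.1.0/24 LAN subnet, the 10.8.0.1 VPN gateway and the 192.168.1.50 client address are assumed placeholders.

```pf
# Added illustration, not taken from the thread. All addresses and interface
# names below are assumed placeholders:
#   em0 = WAN, em1 = LAN, ovpnc1 = OpenVPN client interface (gateway 10.8.0.1)
#   192.168.1.0/24 = LAN subnet, 192.168.1.50 = the one client that must only
#   ever use the VPN (gekko's single-client case)

# --- Policy routing (Firewall > Rules > LAN): send the client to the VPN gateway.
# On its own this rule is the leak the OP describes: when pfSense sees the VPN
# gateway as down it loads the rule without the route-to, so the packet follows
# the default route out em0 instead.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.50 to any \
    keep state label "USER_RULE: client to VPN"

# --- Outbound NAT (Firewall > NAT > Outbound, manual or hybrid mode): luniq's fix.
# pf applies the first matching NAT rule, so the "no nat" line has to sit above
# the automatic WAN rule ("putting the nat rule on top"). The client's packets
# then leave WAN untranslated, with a private source address, and get no reply.
no nat on em0 from 192.168.1.50 to any
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1)
nat on em0 inet from 192.168.1.0/24 to any -> (em0)

# --- Floating rule (Firewall > Rules > Floating: action Block, Quick checked,
# direction out, interface WAN, source = the client): cmb's suggestion.
# The packet is dropped on the firewall instead of leaving WAN, the drop is
# logged, and the client sees "Destination host unreachable". For the whole
# LAN instead of one client, use 192.168.1.0/24 as the source.
block out quick log on em0 inet from 192.168.1.50 to any \
    label "USER_RULE: no VPN client traffic via WAN"
```

The difference between the two fixes is where the packet dies: with only the no-NAT rule it still leaves WAN and relies on the ISP dropping private-sourced traffic, which is cmb's point; with the floating block it never leaves. `quick` is essential on the floating rule so that no later pass rule can match the packet. On the firewall, `pfctl -sn` and `pfctl -sr` show the loaded NAT and filter rules in order, which is the quickest way to confirm the GUI produced the ordering above. pfSense also has a "Skip rules when gateway is down" setting under System > Advanced > Miscellaneous; with it enabled, the policy-routing rule is not loaded at all while the VPN gateway is down, so the client's traffic matches no pass rule rather than falling back to the default gateway.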
gekko:

                  Thank you very much deltalord. It works very well.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.