Netgate Discussion Forum

    Prevent Certain LAN ips from accessing WAN when OpenVPN goes down

    • panz

      @Nadar:

      Are the floating rules processed before or after the interface rules, and are they processed several times for a single packet (that is for each interface it passes)? I've yet to find a detailed explanation for this, but I'm sure it must exist here somewhere? It's hard to design rules when you're not sure how they are processed.

      Floating rules are processed before the others.

      All other interface rules are processed top -> down with the condition: first match = stop processing (so, if a packet matches a rule it encounters, further processing is halted).

      One thing to consider is stateful inspection: if a packet is a reply to a legitimate one (= reply packet is matching the table) then it is allowed.

      See "Firewalling with OpenBSD's PF packet filter" http://home.nuug.no/~peter/pf/en/

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

    • FastLaneJB

        Hi all,

        This has also been bugging me for a while and I'd just given up but with the event of 2.1 final I decided to reload my firewall from scratch and have another go. Tried a few of the suggestions in this thread that hadn't occurred to me before but nothing seemed to work. However I believe I've cracked it in my limited testing and once you see why, the answer is obvious :)

        Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

        "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down"

        So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

        With this ticked I then set the "Default allow LAN to any rule" and "Default allow LAN IPv6 to any rule" to run if Source is NOT my VPN Alias.

        So now those hosts have Internet when the VPN is up via the VPN. When it goes down they lose Internet completely.

        Hope this helps others. Took a while to figure it out.

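As an added illustration of the behaviour FastLaneJB describes (this is example code, not from the thread or from pfSense itself), the script below audits a pfSense-style rendered ruleset, as found in /tmp/rules.debug, for the two conditions that let VPN hosts fall back to the default gateway: a policy-routing rule whose gateway was substituted with a non-VPN interface, and a catch-all LAN pass rule that does not exclude the VPN alias. The ruleset excerpts, the alias name $VPN_HOSTS and the interface names are constructed for the example.

```python
import re

# Constructed pfSense-style rules.debug excerpts (not taken from the thread).
# $VPN_HOSTS stands for the alias of LAN hosts that may only reach the Internet via the VPN.
# "Leaky": the VPN rule was rendered with the WAN gateway (em0) because the VPN gateway
# was down and "Skip rules when gateway is down" was off, and the catch-all rule
# matches every LAN host.
LEAKY_RULESET = """
pass in quick on $LAN route-to ( em0 203.0.113.1 ) inet from $VPN_HOSTS to any keep state label "USER_RULE: VPN hosts via VPN"
pass in quick on $LAN inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# "Safe": the VPN rule routes via the OpenVPN client interface and the catch-all rule
# excludes the VPN hosts, so when the VPN rule is skipped they match nothing and are dropped.
SAFE_RULESET = """
pass in quick on $LAN route-to ( ovpnc1 10.8.0.1 ) inet from $VPN_HOSTS to any keep state label "USER_RULE: VPN hosts via VPN"
pass in quick on $LAN inet from ! $VPN_HOSTS to any keep state label "USER_RULE: Default allow LAN to any rule"
"""

# Matches the start of an inbound LAN pass rule, capturing an optional route-to interface
# and the (possibly negated) source.
RULE_RE = re.compile(
    r'^pass\s+in\s+quick\s+on\s+\$LAN\s+'
    r'(?:route-to\s+\(\s*(?P<gw_if>\S+)\s+\S+\s*\)\s+)?'
    r'inet\s+from\s+(?P<neg>!\s*)?(?P<src>\S+)\s+to\s+')


def audit(ruleset, vpn_alias="$VPN_HOSTS", vpn_if_prefix="ovpnc"):
    """Return findings describing how hosts in vpn_alias could egress via the default gateway."""
    findings = []
    for line in ruleset.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        src, negated, gw_if = m.group("src"), bool(m.group("neg")), m.group("gw_if")
        # Case 1: the VPN hosts are policy-routed, but to a gateway that is not the VPN.
        if src == vpn_alias and not negated and gw_if and not gw_if.startswith(vpn_if_prefix):
            findings.append(f"VPN hosts policy-routed via {gw_if}: {line}")
        # Case 2: a pass rule with no gateway (default routing) that does not explicitly
        # exclude the VPN alias; conservative, since aliases are not resolved here.
        if gw_if is None and not (src == vpn_alias and negated):
            findings.append(f"default-gateway rule does not exclude {vpn_alias}: {line}")
    return findings


if __name__ == "__main__":
    for name, rules in (("leaky", LEAKY_RULESET), ("safe", SAFE_RULESET)):
        print(name, audit(rules) or "no findings")
```

Run it against a copy of your own /tmp/rules.debug after adjusting the alias and interface names; an empty result for the safe ruleset and two findings for the leaky one is the expected output here.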
    • Nadar

          Great find FastLaneJB! I simply enabled this (I have a "VPN source net" instead of a VPN source alias - with no default allow rule), and it seems to behave largely as wanted. I do however still get some traffic to and from my "VPN source net" a while after taking down the VPN, but I haven't properly investigated the cause. It could have several reasons, not necessarily related to pfSense, and I'll have to take a closer look to figure out exactly what's happening.

    • Annasdaddy

            Thanks to FastLane and everyone else for the information. Unfortunately, this doesn't seem to work for me.

            I am trying to block all LAN traffic when my VPN goes down, and am about ready to drive myself crazy.

            Anyone have any thoughts?

            cheers

    • panz

              @FastLaneJB:

              This doesn't solve 2 problems.

              1. DNS leaks. The pfsense firewall itself will send out DNS queries even if your method is applied;

              2. this method doesn't allow the creation of automated rules for VPN traffic itself so, for example, Amazon S3 won't work or will work intermittently, being "caught" by the default deny IPv4/IPv6 rule.


    • Nadar

                @panz:

                This doesn't solve 2 problems.

                1. DNS leaks. The pfsense firewall itself will send out DNS queries even if your method is applied;

                2. this method doesn't allow the creation of automated rules for VPN traffic itself so, for example, Amazon S3 won't work or will work intermittently, being "caught" by the default deny IPv4/IPv6 rule.

                I don't see the relevance of your "problems" and this thread. The thread title is "Prevent Certain LAN ips from accessing WAN when OpenVPN goes down", and the way I understand that is that it's about preventing pfSense from rerouting policy routed traffic to the default gateway once the "policy routed gateway" becomes unavailable, and as such it seems spot on.

                Regarding 1) That depends on how you configure your network. If you configure the client(s) in question to solely use VPN provided DNS servers, this DNS traffic will also cease when the VPN goes down. I don't know why you would want pfSense itself, or the DNS forwarder, to lose DNS connectivity in that situation, but if that's what you want you could probably also configure them to only use the VPN provider's DNS.

                Regarding 2) I don't even understand what you mean or how you create automated rules for VPN traffic, but provided that these automated rules were created correctly this solution should apply to them as well.
    • panz

                  @Nadar:

                  I don't see the relevance of your "problems" and this thread. The thread title is "Prevent Certain LAN ips from accessing WAN when OpenVPN goes down", and the way I understand that is that it's about preventing pfSense from rerouting policy routed traffic to the default gateway once the "policy routed gateway" becomes unavailable, and as such it seems spot on.

                  I think that all of us are using a VPN for privacy and security, so preventing DNS leaks is a matter we should deal with.

                  See https://redmine.pfsense.org/issues/753

                  @Nadar:

                  Regarding 2) I don't even understand what you mean or how you create automated rules for VPN traffic, but provided that these automated rules were created correctly this solution should apply to them as well.

                  Perhaps you should take a look at your /tmp/rules.debug  ::)


    • archedraft

                    I also have my WAN send data through OpenVPN. After about 5 days the VPN goes down and then stops all traffic (which is preferred). Is there a way for pfsense to detect that the VPN connect is down and then automatically restart the service? or maybe there is a way to have a rule that restarts the VPN connection every 3 days?

    • m3ki

                      In the Client VPN settings there is a "resolv-retry infinite" checkbox option, or you can pass it as a parameter in the advanced box.

    • archedraft

                        @m3ki:

                        In the Client VPN settings there is a "resolv-retry infinite" checkbox option, or you can pass it as a parameter in the advanced box.

                        I am not seeing the option resolv-retry infinite in client settings. I have "Infinitely resolve server" checked if that is what you are referring to but that does not seem to fix the VPN when it goes down. Could you explain how "pass it" works in the advanced box? I have a very basic knowledge of home network systems so please feel free to explain it as if I have no clue.

    • m3ki

                          What I mean to say is you can add any parameters that are available to any OpenVPN client; just type them, one per line, in the advanced box, i.e.

                          resolv-retry infinite;

                          But I don't think this setting is what you need. This setting seems to infinitely retry establishing the connection until successful.

                          All other settings can be found here:
                          http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html

                          On my system pfsense automatically reconnects when the connection fails.

                          It's best to check your logs of openvpn to see what happens when connection fails. You can see that in Status->System Logs->openvpn.

                          Though I am the original poster and my issue with blocking connections was resolved I am not sure getting off topic is acceptable in this forum.
                          I would be more happy to help with anything I know. It's probably best to make another topic for this :)
                          Make a thread and maybe let us know where to go.
                          There you can post your logs and I am sure everyone will try to help.

    • sparks305

                            Could anyone here help me? I am trying to configure a floating rule to block traffic (WAN) from a specific IP/port (192.168.12.5:47864) when the VPN goes down, but still allow everything else via WAN on (192.168.12.5).

                            I configured a floating rule as mentioned previously in this thread as such:

                            Action: block
                            NOT A QUICK RULE
                            Interface: WAN
                            Direction: Any
                            TCP/IP Version: IPv4
                            Protocol: TCP/UDP
                            Source: 192.168.12.5
                            Source port range (to&from): 47864
                            Destination: any
                            Destination port range: any
                            log: checked
                            Description: Kill WAN if VPN DOWN

                            But tested by disabling openvpn, then watched as the traffic resumed on WAN (fail).

                            Thanks for help all!

    • Derelict (LAYER 8, Netgate)

                              Again, it's post-NAT so you can't match on the source address. See the other thread, which has the same solution.

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)
