Block LAN traffic if VPN goes down
-
Hi All,
Just wondering if someone can help me.
I've got a variation on this theme, which I've not seen covered in any of the threads here and in my Google searching.
I'm running pfSense 2.1 on a HP MicroServer with a Intel NC360 dual gigabit LAN card.
I looked at this thread: http://forum.pfsense.org/index.php?topic=58694.0
but it does the inverse of what I want, and there doesn't appear to be a way to NOT this rule, or use an alias in source.
I've also tried the advice here: http://forum.pfsense.org/index.php/topic,65331.0.html
and not had any luck either.Basically, I'm using VPN primarily as a way to bypass traffic shaping and bandwidth limitation from my ISP.
I have a very fast connection (320Mbps/20Mbps), and routinely fail to achieve anywhere near this through the ISP (even with multiple connections). Typically, I'm seeing around 220Mbps/18Mbps.
Using Private Internet Access, I typically achieve 300-310Mbps / 18-20Mbps, which is a significant improvement.
Therefore, I want to route all of my traffic via VPN, except one system which I use to VPN in to work.
I've got rules setup which achieve this (images attached), and am very happy with the results.Basically, I have a rule which sends all LAN traffic via the defined VPN gateway, except for IPs listed in the BYPASSVPN alias.
I also thought that this setup would result in no traffic being passed if the VPN gateway went down. This is not the case. If the VPN goes down, then all traffic is being passed out the WAN interface.
I'd really appreciate some insight into where I'm going wrong.
Also, I'm finding that DNS requests are not going to the VPN when it's up. They still route to the Google DNS servers.
What I'd like is for clients using the VPN to use the PIA DNS servers, and clients in the BYPASSVPN list to use Google DNS.
Anyone got any thoughts on how to achieve this?Thanks,
Andy.
-
Okay. Figured it out.
Thought I was going bonkers, as I figured my setup should work.
Found the solution by carefully re-reading another thread:
http://forum.pfsense.org/index.php/topic,65331.msg363332.html#msg363332Turns out, there is a new option in pfSense 2.1, which breaks what I was trying to achieve.
Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.
"By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down"
So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.
Many thanks to FastLaneJB for spotting this.
So, now I just need to fix the DNS servers. Anyone got any thoughts?
-
Also, I'm finding that DNS requests are not going to the VPN when it's up. They still route to the Google DNS servers.
What I'd like is for clients using the VPN to use the PIA DNS servers, and clients in the BYPASSVPN list to use Google DNS.
Anyone got any thoughts on how to achieve this?Might be a bit tricky to do with an alias. Assuming the majority of clients need the VPN and to use DNS across VPN, then setup DHCP so it gives out those PIA DNS servers. Then do Static DHCP Mapping for the few systems that are in BYPASSVPN and leave the DNS servers blank (or specify the pfSense LAN IP).
Of course, that means that when you modify the aliases you also have to appropriately modify the DHCP settings. They do not stay in sync automagically. -
Thanks for the reply, Phil.
I genuinely hadn't thought about doing it that way. Coming from more basic routers, it didn't occur to me that you could actually apply DNS settings as part of a static mapping.
Am going to give it a try right now.
Andy.
-
Happy to report that this works perfectly.
Would still be nice if OpenVPN foreign_option support could be added to pfsense (so that VPN DNS settings can be propogated), but this is a good workaround for me.