Modem access and VPN kill switch
-
Why do you need a VPN kill switch? And if you did want a VPN kill switch, why would you kill the whole internet connection and not just kill the VPN connection?
-
Why do you need a VPN kill switch? And if you did want a VPN kill switch, why would you kill the whole internet connection and not just kill the VPN connection?
I want the whole internet to go down with the VPN. I want my router/firewall to drop the connection to the WAN if the VPN goes down; no use being naked online! I HAVE NOTHING AGAINST THE ENTIRE INTERNET.
Thanks
-
But you have your tinfoil hat to protect you don't you? ;)
-
I want the whole internet to go down
I don't think other people would be happy with you killing the Internet! ;)
-
I'm sure that somewhere in your humorous replies is a coded message that hints at one of you guys looking over my rules and seeing if they are the best option for what I need :-)
I guess asking about a kill switch was just asking for trouble here, being Friday and all :P
Thanks
-
You have a rule that passes traffic to your MODEMACCESS_NET. (Note that said rule is TCP-only, so if you are trying to ping, that won't match as that is ICMP.)
You have a rule below that that routes traffic to PIA. Presumably you set the NO_WAN_EGRESS flag on that rule. Then you have a floating rule on WAN out that blocks all traffic that has the NO_WAN_EGRESS flag set. It's not mythology. It does exactly what it is supposed to do and is really the only way to do it, since you cannot match inside (pre-NAT) source hosts on WAN out floating rules, as NAT has already occurred there. Just because you don't understand something does not make it mythical.
That will NOT block traffic to the MODEMACCESS_NET. If it does, it is something else doing the blocking, or your MODEMACCESS_NET rule is not doing what you think it is doing. (See TCP-only comment above.)
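The three-rule ordering described above, written out in pf syntax as an added illustration; this is not from the thread or from pfSense's generated ruleset, and every interface, gateway and network macro is an assumed placeholder:

```pf
# Added illustration of the kill-switch ordering discussed above.
# All macro values are assumed placeholders, not taken from the thread.
lan_if = "igb1"                        # LAN interface (assumed)
wan_if = "igb0"                        # WAN interface (assumed)
pia_if = "ovpnc1"                      # PIA OpenVPN client interface (assumed)
pia_gw = "10.0.0.1"                    # PIA tunnel gateway address (assumed)
lan_net = "192.168.1.0/24"             # LAN subnet (assumed)
modemaccess_net = "192.168.100.1/32"   # bridged modem address (assumed)

# 1. Modem access first, with no "proto" restriction, so ICMP (ping)
#    matches as well as TCP. A TCP-only version lets ping fall through
#    to the VPN rule below, which is the symptom discussed in the thread.
pass in quick on $lan_if from $lan_net to $modemaccess_net

# 2. Everything else from LAN is policy-routed into the PIA tunnel and
#    tagged so the WAN-out rule can recognise it after NAT.
pass in quick on $lan_if from $lan_net to any \
    route-to ($pia_if $pia_gw) tag NO_WAN_EGRESS

# 3. Floating rule on WAN out. If the tunnel is down and the packet falls
#    back to the default route, it arrives here. Match on the tag, not on
#    the source address: outbound NAT has already rewritten the source to
#    the WAN address, so "from $lan_net" would never match at this point.
block out quick on $wan_if tagged NO_WAN_EGRESS
```

In the pfSense GUI the same mechanism is the Tag field on the LAN rule and the Tagged field on the floating rule; a ruleset file can be syntax-checked with `pfctl -nf <file>` before loading.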
-
Thank you Derelict for replying in detail, much appreciated.
I took note of the TCP pointer and changed it to suit.
I have a grasp of most commercial off-the-shelf routers, but pfSense is a totally different thing and takes some working out, hence my concern about adding rules: it may work for me, but more experienced people may know better ways to achieve my aims.
Thank you
-
Was your problem the TCP-only rule or is it still not working as expected?
-
Sorry I should have mentioned,
Now, as the rules stand, I have the VPN, and when it drops so does the Internet to the clients (I think that's the right terminology).
I have full access to the bridge modem, after changing the protocol I can now ping it as well, I missed that so thank you for pointing it out.
The three blocking rules to the clients I have blocked appear to work as expected.
So long as this is the correct way to do this I am happy. I've done some packet captures on the WAN and LAN and everything seems OK.
Thanks
-
It is actually access to the internet from the clients, but glad it's working.
Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."
-
It is actually access to the internet from the clients, but glad it's working.
Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."
That has to be the best explanation of this I have read, one simple sentence makes things so clear.
Thanks,
-