Want to Block 1IP from using Internet when VPN goes down

Derelict

NO_WAN_EGRESS is just a text phrase. You could use JKHIHEJIFUBIDS as long as the tag set when the connection enters the firewall matches the tag the outbound floating rule is matching on.

All we are doing is setting a tag on the connection whenever one arrives on LAN from that IP address and blocking anything with that tag that tries to leave WAN.

More here

comet424

ah ok and how come you need the Floating Block.. how come the Rules isnt good enough or the Blocks i put on it... do i remove those Block's in the Rules or do i keep it in there

so the Tag is like the Alias's then...
i figured the Block i did was good enough where i said Block Wan Interface

comet424

ah ok i just read the More here link.. that basiclly what i thought i was doing when i told it to block WAN interferace on the IP address unless its being bypassed i guess?

least i thought i was blocking

Derelict

It is nothing like an alias. It is a tag.

You cannot block outbound on WAN for traffic from a certain inside host address because outbound NAT has already occurred so the source address has been translated and will not match. So you set that special tag when matching traffic arrives on the LAN interface and block anything with that tag on the way out WAN.

Believe me. Once you understand what it's doing it's the only way that makes any sense in this case.

No. All you are doing with that rule is blocking connections with a destination address of your WAN address on your firewall. That probably won't ever block anything.

comet424

ok reason i said alias.. as in you give a name and it does a function... like Game consoles it does a function of recording the IP address's of all the game consoles under the "Game Consoles" alias name

soo how do you know when to use Tags to Block or how you know when you can use the Reject/Block options under NAT or Rules
and so what it does now
is LAN Net (any IP on the LAN ) use NordVPN But If it Tries to use the WAN when VPN goes down then goto aka NO WAN REGRESS.. block that connection...

so what ones should i Delete? the WAN blocks i had
and is there a way to make the NORDVPNs if im on USA it keeps using the Canada Setting one in the Rules.. i tried replacing the Desitination * to NordVPN_Canada NET or Address and for USA too... and when i choose usa still doesnt work right ...

and is there a better way for the NAT Blocking XBOX or is that ok... was only way i got Xbox to Ever Work with the Double NAT Moderate NAT .. and was only way to get it to OPEN

and i appolgize if i dont make sense.. I have dislexia, and learning disability.... so it sounds right in my head or i try to understand and lots of times i confuse people.. so i hope i didnt and if so ask and ill try to re write what i mean...

but i do appreciate your help... always learning

Derelict

You use block/reject rules when you want to block traffic entering the firewall.

You cannot do that because you want to pass that traffic into the firewall, but only block it when it tries to take a certain path out.

That More link I gave covers all of this. It's for pfSense 2.2.X but it all still applies.

No idea on the Xbox or what special requirements it has. There is a specific gaming category here.

comet424

ok i kinda understand.. and thats why i get confused if im blocking WAN interface to a specific ip address under LAN headding why it doesnt block it i get it for the VPN
or is it because im running a VPN that the those block s (in image i grayed now) dotn work

but if i simply had no VPN and blocked it like i did that would work no need for a tag??

and here i show i tried doing this but trying to make sure that the LAN net to go through the NordVPNCanada Dest and Gatatway Canada...
or when i use the NordVPN Dest USA and GateaWay USA i trying to make it go through it.. but you see i tried net and address

and what happens it skips all that and just goes to the bottom and runs the Plain WAN internet connection

would you happen to know how to set it soo
when i use OpenVPN Canada NordVPN use the Canada GateWay
when i use OpenVPN USA NordVPN use the USA Gateway not the Canada

do i need to Do a TAG? can you add mulitple Tags..

as for the Xbox one ya i tried i the only one in that forum that was trying to get VPN and WAN and XBOX to work together... no real help there as it was just Regular WAN and XBOX settings..
so i played for hours getting it to work what i did...

but here is the pic... if its not possible to route the VPN to the specific Gateway then no worries ill just deal with it using the first one i guess.. its just i sometimes turn off Canada and turn on USA and vise versa...

Derelict

One issue at a time.

comet424

ah ok i having an issue. i was testing the turn off vpn to see that the computer gets blocked.. it worked... i tried turning on the VPN i couldnt... it shows i get internet on the lan net after the vpns but i get no internet..
i saved the configuration and restored to earlier one from yesterday.. and internet worked...
i reloaded the saved config you helped me with.. and i have no internet.. something went a muck i cant find an error.. cant even ping google in pfsense is there a way to find out if there is a glitch or a toggle switch is blocking everything by accident
here is the rules i have saved... which i should have internet but i dont

i should be getting internet with the VPN turned off... but im not it shows data but i getting nothing

Derelict

The only rules you have routing out to WAN_PPPOE are from Games_Consoles

I suggest starting over with a default configuration and doing one thing at a time, getting that working, then doing one more thing, getting that working, etc.

comet424

thats correct... Game consoles goes out the WAN PPPOE

then the 192.168.0.11 Uses VPN Tag No WAN EEEGREES
then LAN net * * * * * next is using the Default Internat WAN_PPPOE becuse VPN is down

right now internet is totally disabled
even if you put the Default LAN allow lan rule to the top internet is disabled even after a reboot... so i not sure what happened in this config.. if it corrupted or something that its using the Default Internet but yet its blocking it at the same time which is the PPP0E

but guess ill go back to yesterdays config.. which is what you saw earlier screen shots when you told me to do the Tag Egress... thats the default we started with today which was working... and after i did what you told me and i then turned off VPN no internet works.. so thats frustrating

but ill try again tommorow as i tired... i appreciate the help so far

Derelict

Then you did not do what I said because what I said would have only impacted traffic from that single host.

comet424

yes i did what you said
like i said it was working When I turned off VPN disabled it the 192.168.0.11 lost internet
but trying to reactivate it... wouldnt work
and then my entire internet was lost...
as you can see i moved Lan Net to the top so it bypass's VPN you see it says its accessing internet yet nothing on the entire network has internet... its like its disabled but only thing i changed was the adding of the policy of Float and the Tag to the specific IP address

like i said
it was working then i disabled OpenVPN Client so i could see that 192.168.0.11 lost internet... i then tried reactivating my NordVPN client wasnt able to..

i now lost entire internet as it usually just skips the vpn and i uually use the WAN interface... but it isnt doing that... and i cant reconnect

but if i roll back to the day before the one i started with... VPN can log in.. i switch back to what we did its like the WAN connection is blocked on the network
i have had this kinda issue 3 times out out of the entire year since jan 2018 i noticed...
if i send the config file you able to see what its blocking?
but here is the rules

comet424

so here you seen i grayed out all the rules.. and i created a new rule.. you see i have internet traffic but im block no internet.. yet it shows i i should be getting internet..

as you see in the gateway.. I am connected to the internet fine as i get a gateway but i have 100 percent loss... so where in rules is it blocking 100%

Derelict

Your PPPoE is offline. Where is the traffic supposed to go?

comet424

ugh ill post picture.. like i said its nto offline
its up and you see 10.11.13.49 gateway monitor is 10.11.13.49
so its up but just a sec ill get you a photo
thats why i ask where else could it be blocking?

Derelict

Post the routing table from Diagnostics > Routes.

comet424

if i upload the config file is there an editor for you or diagnostic program to see whats wrong?
as reboots dont help

sorry takes a bit to send back pics
as i restore the few days ago config to send you the pics but load up the config file we worked on in this topic and it just glitched or something and i wanna be able to figure it out incase it has happened again.. as its happened in 2 other times last year but all i did was format and started over... but since i have bunch of stuff setup i dont wanna format.. i wanna find out what went wrong

comet424

could it be because i use a gaming computer motherboard and non ECC ram... and while it was doing a save it saved a corrupt setting to block the internet..
as i always hear you want ECC ram for a server is it possible .. as i was looking at 1U Server supermicro but at 1200 + just to make pfsesne... my gaming computer under 500 was cheaper way

comet424

ok found the problem well kinda...
That Floating No WAN Egress is being applied when its not supposed to be called

and i tried scrolling up but i cant see the settings you told me but this is what i have.. ...

so even though no TAG is being called on any of the rules other then the 2 for 192.168.0.11

its like the rules are calling Tag No Wan Egress by default and not when its supposed to