Netgate Discussion Forum

Want to Block 1 IP from using Internet when VPN goes down

Category: Firewalling
55 Posts, 4 Posters, 11.1k Views
comet424

Yes, I did what you said.
Like I said, it was working. When I turned off VPN (disabled it), the 192.168.0.11 lost internet,
but trying to reactivate it... wouldn't work,
and then my entire internet was lost...
As you can see I moved LAN Net to the top so it bypasses VPN. You see it says it's accessing internet, yet nothing on the entire network has internet... it's like it's disabled, but the only thing I changed was the adding of the policy of Float and the Tag to the specific IP address.

Like I said,
it was working, then I disabled OpenVPN Client so I could see that 192.168.0.11 lost internet... I then tried reactivating my NordVPN client, wasn't able to..

I now lost entire internet, as it usually just skips the VPN and I usually use the WAN interface... but it isn't doing that... and I can't reconnect.

But if I roll back to the day before the one I started with... VPN can log in.. I switch back to what we did, and it's like the WAN connection is blocked on the network.
I have had this kinda issue 3 times out of the entire year since Jan 2018, I noticed...
If I send the config file, are you able to see what it's blocking?
But here are the rules:

      no internet2.JPG no internet1.JPG

comet424

So here you see I grayed out all the rules.. and I created a new rule.. you see I have internet traffic but I'm blocked, no internet.. yet it shows I should be getting internet..

As you see in the gateway.. I am connected to the internet fine, as I get a gateway, but I have 100 percent loss... so where in the rules is it blocking 100%?
        no internet4.JPG no internet3.JPG

Derelict LAYER 8 Netgate

          Your PPPoE is offline. Where is the traffic supposed to go?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

comet424

Ugh, I'll post a picture.. like I said, it's not offline.
It's up, and you see 10.11.13.49 gateway monitor is 10.11.13.49,
so it's up, but just a sec, I'll get you a photo.
That's why I ask: where else could it be blocking?

Derelict LAYER 8 Netgate

              Post the routing table from Diagnostics > Routes.

comet424

If I upload the config file, is there an editor for you or a diagnostic program to see what's wrong?
As reboots don't help.
                no internet7.JPG no internet6.JPG no internet5.JPG

Sorry, takes a bit to send back pics,
as I restored the config from a few days ago to send you the pics, but loading up the config file we worked on in this topic, it just glitched or something, and I wanna be able to figure it out in case it happens again.. as it's happened 2 other times last year, but all I did was format and start over... but since I have a bunch of stuff set up I don't wanna format.. I wanna find out what went wrong.

comet424

Could it be because I use a gaming computer motherboard and non-ECC RAM... and while it was doing a save it saved a corrupt setting to block the internet..
As I always hear you want ECC RAM for a server, is it possible.. as I was looking at a 1U Supermicro server, but at 1200+ just to make pfSense... my gaming computer under 500 was the cheaper way.

comet424

Ok, found the problem, well, kinda...
That Floating No WAN Egress is being applied when it's not supposed to be called.

And I tried scrolling up but I can't see the settings you told me, but this is what I have.. ...

So even though no TAG is being called on any of the rules other than the 2 for 192.168.0.11,

it's like the rules are calling Tag No WAN Egress by default and not when it's supposed to.

                    floating 3.JPG floating 2.JPG Floating 1.JPG

comet424

Here are the default LAN settings... even though the tag is blank, it's still calling that floating No WAN Egress, because if I un-disable the No WAN Egress tag under floating,
internet is blocked.
It's like it's being called hidden in the background.
                      lannet1.JPG
                      lannet2.JPG
                      lannet3.JPG

comet424

Here is the one IP rule that calls the tag that should only be called when VPN is down, but it seems to be called whenever it wants to.
                        block1.JPG

comet424

So what I found is:
if I reactivate the Floating Rule No WAN EGRESS,
internet works fine..

But if I do a reboot of pfSense.. then that No WAN Egress gets automatically loaded by default, then blocks internet.

Then when I disable the Floating Rule,
I get the internet back.

Then if I enable it, internet seems to work fine, and when I set to run VPN and then choose to disable VPN and restart it.. WAN is now 100% packet loss again,
so I re-disabled the Floating WAN Egress.

It seems it loads it up like a Windows service without being asked to... is there another setting to set so it doesn't do that?

Maybe something I didn't check off.

Derelict LAYER 8 Netgate

                            Again, my suggestion is to save a backup copy of your current config and reset to defaults and start over. I really have no idea what you put where to break this and these screen captures of irrelevant data are solving nothing.

                            But before you do that, just put a LEGIBLE copy of /tmp/rules.debug in a chat to me please.

                            Diagnostics > Command Prompt

                            Execute cat /tmp/rules.debug

                            Copy / paste.
                            Thanks.

comet424

Ugh.
Well, I gave you screenshots of:
- Tag No WAN Egress you told me to type
- LAN Net default of pfSense
- NordVPN 192.168.0.11 with TAG No WAN Egress

I was showing you each breakdown to show you the Tag No WAN Egress and that I didn't do anything wrong..
and was showing you that the No WAN Egress Tag gets loaded automatically, not just when it's supposed to.

But ugh, reset defaults, then I gotta do all the static IP renamings I have too. Didn't wanna reset.. I wanted to fix this, why..

But ok, I'll get you the copy, just a moment.. just frustrated.

comet424

Well, you can't post rules, it's considered spam by your forum's spam program.. I attached a text file of it, hope it works. rules.txt

comet424

I didn't un-gray the floating No WAN Egress, so I don't know if that rule will show up.

comet424

Here is rules 2.. I enabled Floating No WAN Egress and re-ran that debug cat thing you told me to do... hopefully you find my error, as you're smarter than me at this stuff.

                                    rules2.txt

comet424

So 5 min after I enabled the No WAN Egress Tag under floating options to do the rules2 for you,

I lost internet to 100 percent loss,

so it's still loading it somehow.

Derelict LAYER 8 Netgate

                                        What do you have set for this:

                                        System > Advanced, Miscellaneous, Skip rules when gateway is down

                                        Look. This stuff is extremely complicated. You really have to know exactly what you are doing to pull this kind of policy routing off. You have multiple OpenVPN clients and you want certain LAN hosts to behave one way and certain LAN hosts to behave another.

                                        The NO_WAN_EGRESS rules I sent will not do ANYTHING to connections that do not originate from that source host.

                                        You are refusing my suggestion of starting over from the beginning.

You are policy routing everything from LAN to the OpenVPN gateway. Is gateway monitoring enabled there? Does the system even recognize that the OpenVPN is down? If not, it will continue to send the traffic out the OpenVPN.

                                        "100 percent loss" is not a trouble description. I understand you are frustrated. More details might be necessary.

comet424

And sorry if the screenshots are irrelevant to the settings,
as I've been told I have to post screenshots of the settings I do.. as you guys aren't willing to watch videos... and I got blasted last year for not posting screenshots of what I was doing..

Was only trying to show you the settings I set... didn't mean to make it irrelevant.. to me they were relevant, as it's the stuff you told me to set..
Sorry about that.

Derelict LAYER 8 Netgate

                                            It would help if you followed my instructions exactly.

                                            Derelict about 19 hours ago

                                            Make a rule for that specific source host above the NORDVPN rules.

                                            Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.

                                            Add the following advanced option:

                                            Tag: NO_WAN_EGRESS

                                            Make a floating rule in Firewall > Rules, Floating

                                            Action: Reject
                                            Quick: Checked
                                            Interface: WAN
                                            Direction: Out
                                            Source: Any
                                            Destination: Any

                                            Display Advanced

                                            Tagged: NO_WAN_EGRESS

                                            TAG on LAN
                                            TAGGED on WAN

                                            The former SETS the tag
                                            The latter MATCHES the tag previously set by the LAN rules.

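As an added example (my own code, not from the thread or from pfSense): a small Python checker for the TAG/TAGGED pairing Derelict describes, run over a constructed rules.debug-style sample. The gateway macro GWNORDVPN, the $LAN/$WAN interface macros, the ovpnc1 interface and its 10.8.0.1 gateway address are assumptions, not the poster's real file.

```python
import re

# Constructed sample in the style of pfSense's /tmp/rules.debug, built from the rules
# described in the thread. Gateway macro, interface macros, OpenVPN interface and
# gateway address are assumptions, not the poster's actual file.
GOOD_RULES = """\
GWNORDVPN = " route-to ( ovpnc1 10.8.0.1 ) "
pass in quick on $LAN $GWNORDVPN inet from 192.168.0.11 to any tag NO_WAN_EGRESS keep state label "USER_RULE: host via NordVPN"
pass in quick on $LAN $GWNORDVPN inet from 192.168.0.0/24 to any keep state label "USER_RULE: LAN net via NordVPN"
block return out quick on $WAN inet from any to any tagged NO_WAN_EGRESS label "USER_RULE: kill switch"
"""
# Same ruleset, but the floating rule's tag name has a typo: it can never match.
TYPO_RULES = GOOD_RULES.replace("tagged NO_WAN_EGRESS", "tagged NO_WAN_EGRES")
# Same ruleset with the floating rule disabled (greyed out): no block rule is emitted.
DISABLED_RULES = "\n".join(l for l in GOOD_RULES.splitlines() if "tagged" not in l)

TAG_RE = re.compile(r"\btag\s+(\S+)")       # 'tag X' SETS the tag on matching packets
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # 'tagged X' MATCHES packets already tagged

def parse_rule(line):
    """Return (action, direction, interface) for a pf rule line, or None for macros."""
    tok = line.split()
    if not tok or tok[0] not in ("pass", "block", "match"):
        return None
    direction = next((t for t in tok[1:] if t in ("in", "out")), None)
    iface = tok[tok.index("on") + 1] if "on" in tok else None
    return tok[0], direction, iface

def index_tags(rules_text):
    """Map each tag name to the rules that set it and the rules that match it."""
    setters, matchers = {}, {}
    for n, line in enumerate(rules_text.splitlines(), 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        for t in TAG_RE.findall(line):
            setters.setdefault(t, []).append((n,) + parsed)   # (line, action, dir, iface)
        for t in TAGGED_RE.findall(line):
            matchers.setdefault(t, []).append((n,) + parsed)
    return setters, matchers

def check_kill_switch(rules_text, tag="NO_WAN_EGRESS", wan="$WAN"):
    """Return findings; an empty list means both halves of the kill switch are present."""
    setters, matchers = index_tags(rules_text)
    findings = []
    if tag not in setters:
        findings.append(f"no rule sets tag {tag}: the per-host LAN rule is missing or disabled")
    if not any(a == "block" and d == "out" and i == wan for _, a, d, i in matchers.get(tag, [])):
        findings.append(f"no 'block ... out on {wan} tagged {tag}' rule: WAN egress is not rejected")
    for t in sorted(set(matchers) - set(setters)):
        findings.append(f"a rule matches tag {t!r} but nothing sets it (typo?)")
    return findings
```

Run it against a real /tmp/rules.debug to confirm both halves are actually loaded; a greyed-out floating rule or a misspelled tag name is reported instead of leaking WAN egress unnoticed.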
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.