    VPN Group + a Kill Switch

    22 Posts 4 Posters 2.4k Views
Derelict LAYER 8 Netgate

If all of the traffic that is supposed to go out the VPN is marked, then, yes, all you have to do is block traffic with that mark out the outbound WAN.

Simple, right?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
techtester-m @Derelict

@Derelict VERY simple! Can't believe I even bothered NordVPN support guys with this and, more than that, can't believe none of them knew the answer lol. But they're awesome and very nice people.

So just to be clear and 100% sure: I marked NO_WAN_EGRESS under "Tag" in the LAN Firewall rule and the same under "Tagged" in the Floating Firewall rule. Also, I deleted all the other Floating rules. That's how it should be, right?
Derelict LAYER 8 Netgate

No idea from that description. It's all in that blog post.
techtester-m @johnpoz

@johnpoz You see my friend? This is how you answer the new guy (see entry: Derelict)!

Also, to address your mocking answer: Yes! As someone who served in the Intelligence Forces/Agencies I can tell you that in the future (and present) A-L-L Networks around the world (Home or Enterprise) should (and sometimes even MUST) work like that!

1. Many companies and countries use cyber attacks against each other every day.
2. Hackers get more and more sophisticated.
3. You probably have no idea about the usages of even the simplest data collection. Sometimes even a junior agent/soldier gets access to civilian data, and even the stupidest, most naive online searches like "Marihuana", "What is the Dark Web", "Donald Trump Speeches", "Edward Snowden", your bank accounts, your political views, taste in music and your entire online activity/life, as naive and/or curious as it would be, can be used against you or even just for fun, creating false flags about you, your neighbours, your political opponents etc. Even if it was an innocent online search/activity or was searched by someone else (your friends, family members etc.) with access to your mobile phone, PC, laptop etc.

Trust me, I've seen and heard it all, sometimes from a first source.

Never underestimate your privacy and security! Never! The stupidest things you never took seriously or thought about can be used against you one day with little to no adjustments and/or fake data/human or machine interpretation mixed with your real data.

The cliche of "I have nothing to hide" that makes people unaware and not thinking about security much, well... is useless, irrelevant and even damaging these days and especially in the future.

And that, my friend, is why many people and businesses around the world ask for such protection, and hence why I, a programmer, am also learning CCNA, Networking, VPN (OpenVPN), pfSense, "Kill Switches" etc.
techtester-m @Derelict

@Derelict I'll try again: I gave the LAN net firewall rule the TAG NO_WAN_EGRESS and then "told" the Floating rule to block all the packets (on the WAN interface) that are TAGGED as such (NO_WAN_EGRESS). Seems ok to me; I just want your final approval please :).

Cheers!
Derelict LAYER 8 Netgate

I don't "approve" descriptions of what you think you have done. Screen shots or /tmp/rules.debug.

Does it test ok? Only you can be responsible for your own network.
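"Does it test ok?" can also be checked mechanically against the generated ruleset. The script below is an added example, not code from the thread, Netgate or the poster's PDF: it audits a constructed /tmp/rules.debug-style text for the tag/tagged kill-switch invariant discussed above (every VPN-routed pass rule sets the tag; a quick block-out rule on WAN matches the tag). The macro names ($LAN, $WAN, $ovpnc1), the gateway address, the subnet and the rule wording are assumptions.

```python
import re

# Constructed sample in the style of a pfSense /tmp/rules.debug. It is not the thread's
# or the poster's real ruleset; macro names ($LAN, $WAN, $ovpnc1) and addresses are assumed.
GOOD_RULES = """
# LAN rule: policy-route LAN clients via the OpenVPN client gateway and tag the traffic
pass in quick on $LAN route-to ($ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any tag NO_WAN_EGRESS keep state label "USER_RULE: LAN via VPN"
# Floating rule: anything carrying the tag that tries to leave via WAN is dropped
block out quick on $WAN inet all tagged NO_WAN_EGRESS label "USER_RULE: kill switch"
# Unrelated local rule, not policy-routed, so it needs no tag
pass in quick on $LAN inet proto tcp from 192.168.1.10 to 192.168.1.1 port 443 keep state label "USER_RULE: webGUI"
"""

# Same ruleset with the tag forgotten on the LAN rule and 'quick' dropped from the block
BAD_RULES = GOOD_RULES.replace(" tag NO_WAN_EGRESS", "").replace("block out quick", "block out")

def audit_kill_switch(rules_text, tag="NO_WAN_EGRESS", vpn_gw_prefix="$ovpnc", wan="$WAN"):
    """Check a rules.debug text for the tag/tagged kill-switch invariant.
    Returns a list of findings; an empty list means the invariant holds."""
    findings = []
    block_found, block_quick = False, False
    tag_re = re.compile(r"\btag %s\b" % re.escape(tag))
    tagged_re = re.compile(r"\btagged %s\b" % re.escape(tag))
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Invariant 1: every pass rule policy-routed to a VPN gateway must set the tag,
        # otherwise the floating block on WAN has nothing to match.
        if tokens[0] == "pass" and "route-to" in tokens:
            gw = tokens[tokens.index("route-to") + 1].lstrip("(")
            if gw.startswith(vpn_gw_prefix) and not tag_re.search(line):
                findings.append(f"line {n}: VPN-routed pass rule does not set 'tag {tag}'")
        # Invariant 2: a 'block out ... on $WAN ... tagged <tag>' rule must exist, and it
        # should be 'quick' so a later pass rule cannot override it (pf is last-match otherwise).
        if tokens[0] == "block" and "out" in tokens[:2] and f"on {wan}" in line and tagged_re.search(line):
            block_found = True
            block_quick = block_quick or "quick" in tokens
    if not block_found:
        findings.append(f"no 'block out' rule on {wan} matching 'tagged {tag}' found")
    elif not block_quick:
        findings.append(f"the {wan} block on 'tagged {tag}' is not 'quick'; a later pass rule could override it")
    return findings

if __name__ == "__main__":
    print("good:", audit_kill_switch(GOOD_RULES) or "OK")
    print("bad:", audit_kill_switch(BAD_RULES))
```

To run it against a real box, feed the contents of /tmp/rules.debug to audit_kill_switch and adjust the gateway prefix to the name pfSense gives your VPN gateway.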
techtester-m @Derelict

@Derelict Ok... I did my best and created a PDF document with the complete Firewall rules (2 Rules). Can't upload PDFs here so I uploaded it to https://www.docdroid.net/.

PDF: https://www.docdroid.net/TRSrOi4/firewall-rules.pdf

Please have a look and confirm it's ok. I wanna go to sleep knowing this solution is EXACTLY what you meant lol.

Thanks,
mcury Rebel Alliance

You could set a NO NAT rule, from LAN to WAN, as a kill switch... or tag... not sure what's easier.

dead on arrival, nowhere to be found.
techtester-m @mcury

@mcury I see. Well... I don't mind what would be easier for me as much as what's "the best practice" or "most readable" or the fastest for the pfSense Firewall to execute.

Thanks for the input,
Derelict LAYER 8 Netgate

Don't "block" traffic with things like no NAT rules.

Block traffic with firewall rules that block the traffic you don't want to pass.
techtester-m @Derelict

@Derelict Is this an answer to my last question of what's the "best practice" or are we still talking about the Kill Switch? lol. Btw, the Kill Switch(es) work like a charm! Thanks a lot!
Derelict LAYER 8 Netgate

It applies to anything. If you want to block traffic, block it. Don't use exclusions to policy routing, exclusions to NAT, or passing to everything except ! something. If you want it blocked, block it.
techtester-m @Derelict

@Derelict If you could also answer my other (new) question here: https://forum.netgate.com/topic/147323/openvpn-the-clash-of-gateways

Thank you very much,
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.