Netgate Discussion Forum

VPN Group + a Kill Switch

OpenVPN
22 Posts 4 Posters 2.9k Views
techtester-m @johnpoz

@johnpoz You see, my friend? This is how you answer the new guy (see entry: Derelict)!

Also, to address your mocking answer - Yes! As someone who served in the Intelligence Forces/Agencies I can tell you that in the future (and present) A-L-L Networks around the world (Home or Enterprise) should (and sometimes even MUST) work like that!

1. Many companies and countries use cyber attacks against each other every day.
2. Hackers get more and more sophisticated.
3. You probably have no idea about the usages of even the simplest data collection.
   Sometimes even a junior agent/soldier gets access to civilian data, and even the stupidest, most naive online searches like "Marihuana", "What is the Dark Web", "Donald Trump Speeches", "Edward Snowden", your bank accounts, your political views, taste in music and your entire online activity/life, as naive and/or curious as it would be, can be used against you or even just for fun, creating false flags about you, your neighbours, your political opponents etc. Even if it was an innocent online search/activity or was searched by someone else (your friends, family members etc.) with access to your mobile phone, pc, laptop etc.

Trust me, I've seen and heard it all, sometimes from a first source.

Never underestimate your privacy and security! Never! The stupidest things you never took seriously or thought about can be used against you one day with little to no adjustments and/or fake data/human or machine interpretation mixed with your real data.

The cliche of "I have nothing to hide" that makes people unaware and not thinking about security much, well...is useless, irrelevant and even damaging these days and especially in the future.

And that, my friend, is why many people and businesses around the world ask for such a protection and hence why I, a programmer, am also learning CCNA, Networking, VPN (OpenVPN), pfSense, "Kill Switches" etc.

techtester-m @Derelict

@Derelict I'll try again - I gave the LAN net firewall rule the TAG NO_WAN_EGRESS and then "told" the Floating rule to block all the packets (on the WAN interface) that are TAGGED as such (NO_WAN_EGRESS). Seems ok to me, I just want your final approval please :).

Cheers!

Derelict (Netgate)

I don't "approve" descriptions of what you think you have done. Screen shots or /tmp/rules.debug.

Does it test ok? Only you can be responsible for your own network.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

techtester-m @Derelict
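Derelict asks for /tmp/rules.debug rather than a description, because the generated pf ruleset is what actually runs. The script below is an added example, written for this thread and not code from pfSense or from anyone in the discussion: it parses a rules.debug-style fragment and checks that the pair described earlier (a LAN pass rule that sets the tag NO_WAN_EGRESS and a floating block rule on WAN that matches `tagged NO_WAN_EGRESS`) is really there and consistent. The rule text, interface macros (`$WAN`, `$LAN`), subnet and labels are constructed placeholders, not a capture from a real box; `GOOD_RULES`, `TYPO_RULES`, `NONQUICK_RULES`, `parse_rules` and `check_kill_switch` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed fragment in the style of pfSense's /tmp/rules.debug (not a real
# capture). Interface macros, the LAN subnet and the labels are placeholders;
# a real LAN rule would also carry the route-to for the VPN gateway group.
GOOD_RULES = """
WAN = "{ em0 }"
LAN = "{ em1 }"
# floating rule: drop anything that reaches WAN carrying the kill-switch tag
block out quick on $WAN inet all tagged NO_WAN_EGRESS label "USER_RULE: kill switch"
# LAN rule: pass LAN traffic and tag it so WAN can never be its exit
pass in quick on $LAN inet from 192.168.1.0/24 to any keep state tag NO_WAN_EGRESS label "USER_RULE: LAN via VPN"
"""

# Same fragment with a one-letter typo in the floating rule's tag: the kind of
# mistake a ruleset review catches and a description of the rules does not.
TYPO_RULES = GOOD_RULES.replace("tagged NO_WAN_EGRESS", "tagged NO_WAN_EGRES")

# Same fragment with the floating block rule not marked quick.
NONQUICK_RULES = GOOD_RULES.replace("block out quick", "block out")


@dataclass
class Rule:
    action: str               # pass / block / match
    direction: str            # in / out
    interface: str            # interface macro as written, e.g. $WAN
    tag: Optional[str]        # tag this rule sets
    tagged: Optional[str]     # tag this rule matches on
    quick: bool               # first match wins if True


RULE_RE = re.compile(r"^(pass|block|match)\s+(in|out)?\s*(quick)?\s*on\s+(\S+)")


def parse_rules(text: str) -> List[Rule]:
    """Extract the fields we care about from each filter rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m:                       # macros, comments, blank lines
            continue
        action, direction, quick, iface = m.groups()
        # \btag\s+ does not match inside "tagged", so the two stay distinct
        tag = re.search(r"\btag\s+(\S+)", line)
        tagged = re.search(r"\btagged\s+(\S+)", line)
        rules.append(Rule(action, direction or "in", iface,
                          tag.group(1) if tag else None,
                          tagged.group(1) if tagged else None,
                          bool(quick)))
    return rules


def check_kill_switch(rules: List[Rule], tag_name: str, wan: str) -> List[str]:
    """Return a list of problems; an empty list means the tag/tagged pair is present."""
    problems = []
    taggers = [r for r in rules if r.action == "pass" and r.tag == tag_name]
    if not taggers:
        problems.append(f"no pass rule sets tag {tag_name}")
    blockers = [r for r in rules
                if r.action == "block" and r.tagged == tag_name
                and r.interface == wan and r.direction == "out"]
    if not blockers:
        problems.append(f"no 'block out on {wan} tagged {tag_name}' rule")
    elif not all(b.quick for b in blockers):
        # pf: among non-quick rules the last match wins, so a later pass out
        # on WAN would override a non-quick block
        problems.append(f"kill-switch block rule on {wan} is not 'quick'; "
                        "a later matching pass rule would win")
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("typo", TYPO_RULES),
                       ("non-quick", NONQUICK_RULES)):
        print(name, check_kill_switch(parse_rules(text), "NO_WAN_EGRESS", "$WAN") or "OK")
```

On a real pfSense box the same check can be run over the generated ruleset with `parse_rules(open("/tmp/rules.debug").read())`; the interface macro to pass as `wan` is whatever name the file defines for the WAN interface. This only confirms that the rules exist as intended, not that traffic behaves as expected, so it complements rather than replaces the "does it test ok?" question.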

@Derelict Ok...I did my best and created a PDF document with the complete Firewall rules (2 Rules).
Can't upload PDFs here so I uploaded it to https://www.docdroid.net/.

PDF: https://www.docdroid.net/TRSrOi4/firewall-rules.pdf

Please have a look and confirm it's ok. I wanna go to sleep knowing this solution is EXACTLY what you meant lol.

Thanks,

mcury

You could set a NO NAT rule, from LAN to WAN, as a kill switch... or tag.. not sure what's easier.

dead on arrival, nowhere to be found.

techtester-m @mcury

@mcury I see. Well...I don't mind what would be easier for me as much as what's "the best practice" or "most readable" or the fastest for the pfSense Firewall to execute.

Thanks for the input,

Derelict (Netgate)

Don't "block" traffic with things like no NAT rules.

Block traffic with firewall rules that block the traffic you don't want to pass.


techtester-m @Derelict

@Derelict Is this an answer to my last question of what's the "best practice" or are we still talking about the Kill Switch? lol. Btw, the Kill Switch(es) work like a charm! Thanks a lot!

Derelict (Netgate)

It applies to anything. If you want to block traffic, block it. Don't use exclusions to policy routing, exclusions to NAT, or passing to everything except ! something. If you want it blocked, block it.


techtester-m @Derelict

@Derelict If you could also answer my other (new) question here: https://forum.netgate.com/topic/147323/openvpn-the-clash-of-gateways

Thank you very much,

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.