@Bob-Dig thanks for the interesting hint, tagging looks like a great feature! So basically I am tagging all (!) my current rules in the LAN section where I define which traffic is allowed and that it goes through the OpenVPN gateway. And the I setup a rule which rejects all traffic which is tagged and goes to WAN, correct? How do I make sure that the only connection the pfsense can do itself will be to VPN Providers DNS and OpenVPN Servers? As far as I understand this can also be done via "floating rules": Floating Rules can: Filter traffic from the firewall itself Filter traffic in the outbound direction (all other tabs are Inbound processing only) https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html [...] -Tom

And edited the title Thanks again for all your help and time, Much appreciated