Block all outgoing traffic from LAN network except VPN server for remote access



  • I'm building a virtual lab with pfSense as the gateway.  I have a VPN server running in bridged mode that gives remote (from the WAN) access to the internal LAN network.

    How do I configure the firewall to block all outgoing traffic from the LAN network to the WAN whilst still enabling the LAN clients to communicate with each other and the VPN server to provide remote access to the LAN?



  • On the LAN side, are all your LAN clients plugged into the same switch infrastructure, with one link from that to the LAN port on pfSense?  If so, then pfSense would not be involved in LAN-LAN communications at all; that traffic would go through the switch infrastructure.

    Blocking all LAN clients from going out the WAN:  add a rule on the LAN interface that is deny all from LAN to ANY, and put it at the top.
    If the VPN server is a pingable address from the LAN side, the ANY in the block rule should probably be !VPNSERVER.
    WAN defaults to blocking all inbound traffic, so you may need to add a pass rule for traffic from the VPN server.
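
The rules the answer above describes, written out as a raw pf(4) ruleset of the kind pfSense generates from its LAN and WAN tabs. This is an added example, not part of either post and not pfSense's own generated output. The interface names, the LAN subnet, the VPN server address and its listening port are assumptions for illustration; substitute your own. Every rule carries `quick`, because pfSense evaluates each tab top to bottom with first match winning, which is why the block rule has to sit above the stock "allow LAN to any" rule.

```pf
# Added example: pf ruleset equivalent to "block LAN to any except the VPN
# server, pass WAN traffic for the VPN server". Not from the original post.
# Interface names, addresses and the port below are assumed values.
wan_if   = "em0"
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
vpn_srv  = "192.168.1.10"      # VPN server, bridged onto the LAN segment
vpn_port = "1194"              # assumed UDP listening port of the VPN server

# Answer blocked packets with RST/ICMP unreachable so LAN clients fail fast
# instead of hanging on a silent drop (pfSense calls this "reject").
set block-policy return

# --- WAN ---------------------------------------------------------------
# WAN blocks all inbound by default; that is the rule pfSense already has.
block in quick on $wan_if all

# The VPN listener is the one exception. Because the VPN server sits on a
# private LAN address, inbound connections to the WAN address need a port
# forward (rdr) to it; the pass rule then matches the translated destination.
rdr on $wan_if proto udp from any to ($wan_if) port $vpn_port -> $vpn_srv
pass in quick on $wan_if proto udp from any to $vpn_srv port $vpn_port

# --- LAN ---------------------------------------------------------------
# First match wins, so the block is the FIRST rule on the interface. If the
# stock "Default allow LAN to any" rule were above it, nothing would be blocked.
# "! $vpn_srv" excludes only the VPN server's address from the block.
block in quick on $lan_if from $lan_net to ! $vpn_srv
pass  in quick on $lan_if from $lan_net to $vpn_srv

# Caveat (my note, not from the post): "to any" also covers pfSense's own LAN
# address, so LAN clients lose DNS/NTP served by pfSense itself. If they need
# it, put a narrow pass ABOVE the block, e.g.
#   pass in quick on $lan_if proto { udp tcp } from $lan_net to ($lan_if) port 53
# LAN-to-LAN traffic never reaches pf when the clients share a switch, so it
# needs no rule at all, as the answer says.
```

Before loading a ruleset like this, check it with `pfctl -nf rules.conf` (parse only, nothing applied) and then verify the intent from a LAN client: a connection to the VPN server's address should succeed, any connection to an Internet address should be refused immediately, and the VPN server's port should remain reachable from the WAN side.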