Help needed for VPN failure returning connection to ISP address



  • Need some help here on OPENVPN client and firewall settings.

    Have been trying to get pfSense 2.3.2 to kill the Internet connection to clients connected to the VPN when the VPN dies and NOT have it return to the ISP address. pfSense seems to automatically ignore firewall settings to block the ISP address and always reverts back to it. Surely the whole point of a VPN is anonymity, and quietly returning to the ISP address on VPN failure is a huge security problem.

    Have tried everything I can think of, including NO_WAN_EGRESS, which works except it also kills access to my modem stats page on local 192.168.2.1 address, and I can't work out how to prevent blocking of local addresses while keeping the ISP address at bay.

    I was using Tomato Shibby / DD-WRT and had designated MAC address filtering to allow set clients to receive VPN connections only and others to get a straight ISP address. Can't find a way to do this on pfSense either.

    Anyways, it would be really helpful if someone has an answer to this problem as it seems to be a pretty basic requirement for VPN setups.



  • Go in System/Advanced/Miscellaneous and check "Skip rules when gateway is down".



  • Thanks - that does kill Internet on dead VPN.

    Is there a way to allow modem stats pages from local address 192.168.2.1 with this rule in place? Not being able to see the Internet status etc. is a pia.

    I'm thinking that as 192.168.2.1 is the modem address, allowing it would allow access to the ISP address also.

    It would be a really good idea to have a kill Internet button on the OPENVPN client setup page to circumvent a huge learning curve for simpletons - or am I missing something here?



  • @qu101:

    I was using Tomato Shibby / DD-WRT and had designated MAC address filtering to allow set clients to receive VPN connections only and others to get a straight ISP address. Can't find a way to do this on pfSense either.

    Anyways, it would be really helpful if someone has an answer to this problem as it seems to be a pretty basic requirement for VPN setups.

    I don't think this is possible using pfSense, try to take a look here:
    https://forum.pfsense.org/index.php?topic=115949.msg643659#msg643659

    In Firewall->Rules you can surely filter the devices by IP address and to make things easier you can group in Aliases all the IP addresses to be used in these rules.
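    As an added illustration (not rules generated by pfSense and not posted by anyone in this thread), the ruleset below expresses in raw pf syntax what the GUI rules from the two replies above amount to: an alias of VPN-only hosts, an explicit allow for the modem status page at 192.168.2.1, a policy-routing rule into the tunnel, and a block rule beneath it that acts as the kill switch. Interface names, the VPN gateway address, the LAN subnet and the sample host addresses are assumed placeholders.

```pf
# Added example, not pfSense-generated output. Names below are assumptions.
lan_if  = "igb1"            # assumed LAN interface
vpn_if  = "ovpnc1"          # assumed OpenVPN client interface
vpn_gw  = "10.8.0.1"        # assumed VPN peer / gateway address
modem   = "192.168.2.1"     # modem status page address from the thread
lan_net = "192.168.1.0/24"  # assumed LAN subnet

# pfSense "Alias" of hosts that must only ever reach the Internet via the VPN.
table <vpn_only> { 192.168.1.10, 192.168.1.11 }   # assumed sample hosts

# 1. Local management: allow the modem status page only, by exact destination,
#    so this rule cannot be matched by general Internet traffic.
pass in quick on $lan_if proto tcp from <vpn_only> to $modem port { 80, 443 }

# 2. Policy-route VPN-only hosts into the tunnel. With "Skip rules when gateway
#    is down" enabled, pfSense leaves this rule out of the loaded ruleset while
#    the VPN gateway is down, so matching traffic falls through to rule 3.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <vpn_only> to any

# 3. Kill switch: whatever did not match above is dropped, so VPN-only hosts
#    never fall back to the default (ISP) route.
block in quick on $lan_if from <vpn_only> to any

# 4. Every other LAN host gets the plain ISP route.
pass in quick on $lan_if from $lan_net to any
```

    Rule order is the whole point: the kill-switch block must sit below the VPN policy-routing rule and above any general allow rule, and the modem rule must name the modem's address and ports rather than "any", otherwise the same rule would also carry ordinary Internet traffic out via the ISP. To check the result, stop the OpenVPN client and confirm from a VPN-only host that the modem page still loads while any other destination times out.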



  • I think here you will find some useful information
    https://forum.pfsense.org/index.php?topic=116626.0

