Netgate Discussion Forum

    Help needed for VPN failure returning connection to ISP address

    Category: OpenVPN. 5 Posts, 2 Posters, 923 Views
    qu101

      Need some help here on OPENVPN client and firewall settings.

      Have been trying to get pfSense 2.3.2 to kill the Internet connection to clients connected to the VPN when the VPN dies and NOT have it return to the ISP address. pfSense seems to automatically ignore firewall settings to block the ISP address and always reverts back to it. Surely the whole point of a VPN is anonymity, and quietly returning to the ISP address on VPN failure is a huge security problem.

      Have tried everything I can think of, including NO_WAN_EGRESS, which works except it also kills access to my modem stats page on the local 192.168.2.1 address, and I can't work out how to prevent blocking of local addresses while keeping the ISP address at bay.

      I was using tomato shibby DDWRT and had designated MAC address filtering to allow set clients to receive VPN connections only and others to get a straight ISP address. Can't find a way to do this on pfSense either.

      Anyways, it would be really helpful if someone has an answer to this problem as it seems to be a pretty basic requirement for VPN setups.

      mauroman33

        Go in System/Advanced/Miscellaneous and check "Skip rules when gateway is down".

        qu101

          Thanks, that does kill the Internet on a dead VPN.

          Is there a way to allow the modem stats pages from the local address 192.168.2.1 with this rule in place? Not being able to see the Internet status etc. is a pia.

          I'm thinking that as 192.168.2.1 is the modem address, allowing it would allow access to the ISP address also.

          It would be a really good idea to have a "kill Internet" button on the OpenVPN client setup page to circumvent a huge learning curve for simpletons, or am I missing something here?

          mauroman33

            @qu101:

            I was using tomato shibby DDWRT and had designated MAC address filtering to allow set clients to receive VPN connections only and others to get a straight ISP address. Can't find a way to do this on pfSense either.

            Anyways, it would be really helpful if someone has an answer to this problem as it seems to be a pretty basic requirement for VPN setups.

            I don't think this is possible using pfSense; try taking a look here:
            https://forum.pfsense.org/index.php?topic=115949.msg643659#msg643659

            In Firewall -> Rules you can certainly filter devices by IP address, and to make things easier you can group all the IP addresses used in these rules in Aliases.

            mauroman33
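The three pieces of advice in this thread (the "Skip rules when gateway is down" option, an exception for the modem at 192.168.2.1, and selecting which devices use the VPN via an alias in Firewall -> Rules) fit together as a single LAN rule order. The script below is an added example, not code from the page or from pfSense: it models pfSense's first-match rule evaluation and the documented behaviour of that option (a rule whose gateway is down is normally loaded without its gateway, so matching traffic follows the routing table, i.e. the ISP; with the option checked, the rule is omitted entirely). The LAN subnet 192.168.1.0/24, the VPN_CLIENTS alias members and the gateway name OPENVPN_GW are assumptions made for illustration; only the modem address 192.168.2.1 comes from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple, Union

# Constructed model of pfSense's first-match rule evaluation on the LAN
# interface. Addresses, alias and gateway names below are assumptions for
# illustration, not taken from the forum thread (except 192.168.2.1).
MODEM_IP = ipaddress.ip_address("192.168.2.1")             # modem stats page (from the thread)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")           # assumed LAN subnet
VPN_CLIENTS = [ipaddress.ip_address(a) for a in ("192.168.1.10", "192.168.1.11")]  # assumed alias
GW_VPN = "OPENVPN_GW"               # assumed gateway name of the OpenVPN client interface
ROUTING_TABLE = "system-routing"    # no gateway on the rule: traffic follows the default route (ISP)

Selector = Union[str, ipaddress.IPv4Network, ipaddress.IPv4Address, List[ipaddress.IPv4Address]]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "block"
    src: Selector
    dst: Selector
    gateway: Optional[str] = None  # None = use the routing table


def matches(sel: Selector, addr: ipaddress.IPv4Address) -> bool:
    if isinstance(sel, str):
        return sel == "any"
    if isinstance(sel, list):          # alias: list of host addresses
        return addr in sel
    if isinstance(sel, ipaddress.IPv4Network):
        return addr in sel
    return addr == sel


# Rule order a practitioner would use: the modem exception first (no gateway,
# and it only matches the one modem host, so it does not open the ISP for
# general traffic), then the policy-routed VPN rule, then a block directly
# below it as the kill switch, then the rule for clients that should go
# straight out over the ISP.
LAN_RULES = [
    Rule("modem stats page", "pass", LAN_NET, MODEM_IP),
    Rule("VPN clients via tunnel", "pass", VPN_CLIENTS, "any", gateway=GW_VPN),
    Rule("kill switch", "block", VPN_CLIENTS, "any"),
    Rule("everyone else via ISP", "pass", LAN_NET, "any"),
]


def load_rules(rules: List[Rule], gateway_up: dict, skip_when_down: bool) -> List[Rule]:
    """Mimic how pfSense loads a rule whose gateway is down: with
    'Skip rules when gateway is down' unchecked (the default) the rule is
    loaded without its gateway, so matching traffic follows the routing
    table; with it checked, the rule is left out of the ruleset."""
    loaded = []
    for r in rules:
        if r.gateway is not None and not gateway_up.get(r.gateway, False):
            if skip_when_down:
                continue
            r = replace(r, gateway=None)
        loaded.append(r)
    return loaded


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins; no match at all is pfSense's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if matches(r.src, s) and matches(r.dst, d):
            if r.action == "block":
                return ("block", None)
            return ("pass", r.gateway or ROUTING_TABLE)
    return ("block", None)


def outcome(src: str, dst: str, vpn_up: bool, skip_when_down: bool) -> Tuple[str, Optional[str]]:
    rules = load_rules(LAN_RULES, {GW_VPN: vpn_up}, skip_when_down)
    return decide(rules, src, dst)


if __name__ == "__main__":
    for vpn_up, skip in ((True, False), (False, False), (False, True)):
        print(f"VPN up={vpn_up}  skip_when_down={skip}")
        print("  VPN client   -> Internet:", outcome("192.168.1.10", "203.0.113.5", vpn_up, skip))
        print("  VPN client   -> modem   :", outcome("192.168.1.10", "192.168.2.1", vpn_up, skip))
        print("  other client -> Internet:", outcome("192.168.1.50", "203.0.113.5", vpn_up, skip))
```

Running it shows the same VPN client's Internet traffic passing via OPENVPN_GW while the tunnel is up, silently following the routing table (the ISP) when the tunnel is down and the option is unchecked, and being blocked once the option is checked, while 192.168.2.1 stays reachable in every case because that rule carries no gateway and matches only the modem host, and a client outside the alias always goes straight out over the ISP. In pfSense the equivalent rules go in Firewall -> Rules -> LAN in the same order, with the kill-switch block placed immediately under the policy-routed pass rule.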

              I think you will find some useful information here:
              https://forum.pfsense.org/index.php?topic=116626.0

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.