Modem access and VPN kill switch

medway01:

      Hi,

First off, I'm a bit of a noob when it comes to pfSense, but thanks to this forum I have managed to get my pfSense install working :-)

I have a PIA VPN set up and working and a few block rules on LAN to block devices that I don't want to have Internet access.

I have set up access to my bridge modem using the pfSense guides and have the modem interface labeled 'modem access'; it works fine.

The problem I have is that IF I create a so-called VPN kill switch using the 'NO_WAN_EGRESS' mythology that is posted in the forum, it prevents access to the bridge modem. It does stop Internet access when the VPN goes down, as it should.

I have attached a snapshot of my LAN rules page. The rule marked in green is the default LAN rule modified to use the VPN interface as a gateway, and the NO_WAN_EGRESS tag has been added, as well as a floating block rule.

So far so good for the VPN, but there is no modem access. However, if I remove the gateway from the LAN rule I have access to the modem; add the gateway and modem access stops.

After trying various rules I discovered that by adding a new rule, marked in red, I can access the modem and have the VPN kill switch working. To my limited knowledge this seems OK, but I wonder if it's the best, safe method; I would appreciate someone here looking at the rules to see if it's the right way to achieve what I want to do.

Besides these rules and the floating rule for 'NO_WAN_EGRESS' I have no other rules except the defaults.

Thanks!

[attachment: lan rules2.png (screenshot of the LAN rules page)]

johnpoz (Layer 8 Global Moderator):

        Why do you need a vpn kill switch?  And if you did want a vpn kill switch, why would you kill the whole internet connection and not just kill the vpn connection?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

medway01:

          @johnpoz:

          Why do you need a vpn kill switch?  And if you did want a vpn kill switch, why would you kill the whole internet connection and not just kill the vpn connection?

I want the whole Internet to go down with the VPN. I want my router/firewall to drop the connection to the WAN if the VPN goes down; no use being naked online!

          I HAVE NOTHING AGAINST THE ENTIRE INTERNET.

          Thanks

johnpoz:

            But you have your tinfoil hat to protect you don't you? ;)

JKnott:

              I want the whole internet to go down

              I don't think other people would be happy with you killing the Internet!  ;)

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

medway01:

                I'm sure that somewhere in your humorous replies is a coded message that hints at one of you guys looking over my rules and seeing if they are the best option for what I need :-)

                I guess asking about a kill switch was just asking for trouble here, being Friday and all  :P

                Thanks

Derelict (Layer 8 Netgate):

You have a rule that passes traffic to your MODEMACCESS_NET. (Note that said rule is TCP-only, so if you are trying to ping, that won't match as that is ICMP.)

You have a rule below that which routes traffic to PIA. Presumably you set the NO_WAN_EGRESS flag on that rule. Then you have a floating rule on WAN out that blocks all traffic that has the NO_WAN_EGRESS flag set. It's not mythology. It does exactly what it is supposed to do and is really the only way to do it, since you cannot match inside (pre-NAT) source hosts on WAN out floating rules, as NAT has already occurred there. Just because you don't understand something does not make it mythical.

That will NOT block traffic to the MODEMACCESS_NET. If it does, it is something else doing the blocking, or your MODEMACCESS_NET rule is not doing what you think it is doing. (See the TCP-only comment above.)

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
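Derelict's explanation above (and his one-sentence summary later in the thread, "if it was supposed to go out the VPN, do not let it out WAN"), as an added example that is not the thread's own rules and not output copied from any pfSense version: an illustrative pf ruleset fragment, written in the style of the rules pfSense generates, showing the three pieces he describes: the untagged modem-access rule sitting above the VPN rule, the policy-routed LAN rule that sets the tag, and the floating WAN-out block that matches the tag. Interface names, addresses, the tunnel gateway and the labels are assumptions for the example; NO_WAN_EGRESS is the tag name used in the thread.

```pf
# Illustrative pf ruleset fragment (added example; not the poster's rules and not
# pfSense-generated output). Assumed layout:
#   LAN         = igb1, 192.168.1.0/24
#   WAN         = igb0 (bridge modem upstream)
#   MODEMACCESS = igb2, 192.168.100.0/24, modem management IP 192.168.100.1
#   PIA client  = ovpnc1, tunnel gateway 10.8.0.1
lan       = "igb1"
wan       = "igb0"
modem     = "igb2"
vpn       = "ovpnc1"
lan_net   = "192.168.1.0/24"
modem_net = "192.168.100.0/24"
pia_gw    = "10.8.0.1"

# Translation rules come before filter rules in pf.conf.
# Outbound NAT on the tunnel so LAN sources leave PIA with the tunnel address.
nat on $vpn inet from $lan_net to any -> ($vpn)

# Floating rule, evaluated before the interface rules and "quick": anything that
# was tagged for the VPN but is about to leave on the physical WAN is dropped.
# Matching on the tag is the only option here: by the time a packet is filtered
# outbound on WAN, outbound NAT has already replaced the LAN source address, so
# a "from LAN net" match would never hit.
block out quick on $wan tagged NO_WAN_EGRESS label "NO_WAN_EGRESS kill switch"

# LAN rules are first-match, top to bottom.

# 1. Modem access, placed ABOVE the VPN rule, with no gateway and no tag, so it
#    never interacts with the kill switch. The protocol is deliberately left
#    unrestricted: a TCP-only version of this rule would pass the modem's web
#    UI but not ICMP, so ping to 192.168.100.1 would fail while HTTP still works.
pass in quick on $lan inet from $lan_net to $modem_net label "LAN to modem"

# 2. Policy-routed catch-all: everything else from LAN is sent to the PIA
#    gateway and tagged. If PIA is down and the rule is installed without the
#    route-to, the packet follows the default route toward WAN, still carries
#    the tag, and is caught by the floating block above.
pass in quick on $lan route-to ( $vpn $pia_gw ) inet from $lan_net to any tag NO_WAN_EGRESS label "LAN to PIA"
```

On a pfSense box the generated equivalent is in /tmp/rules.debug, and `pfctl -vvsr` prints the loaded rules with their match and packet counters, so `pfctl -vvsr | grep -i no_wan_egress` shows whether the tag and the tagged block are actually installed and whether the block rule's counter moves while the OpenVPN client is stopped. What pfSense does with the policy-routed rule when its gateway is down is controlled by "Skip rules when gateway is down" under System > Advanced > Miscellaneous: either the rule is installed without the gateway (traffic falls to the default route and the tagged block catches it) or the rule is omitted entirely (no pass rule matches, so the default deny applies). With the tagged floating block in place, LAN traffic stays off WAN in both cases.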

medway01:

                    Thank you Derelict for replying in detail, much appreciated.

                    I took note of the TCP pointer and changed it to suit.

I have a grasp of most commercial off-the-shelf routers, but pfSense is a totally different thing and takes some working out, hence my concern about adding rules: it may work for me, but to more experienced people there may be better ways to achieve my aims.

                    Thank you

Derelict:

                      Was your problem the TCP-only rule or is it still not working as expected?

medway01:

                        Sorry I should have mentioned,

NOW, as the rules stand, I have the VPN, and when it drops so does the Internet to the clients (I think that's the right terminology).

I have full access to the bridge modem; after changing the protocol I can now ping it as well. I missed that, so thank you for pointing it out.

The three blocking rules for the clients I have blocked appear to work as expected.

So long as this is the correct way to do this I am happy. I've done some packet captures on the WAN and LAN and everything seems OK.

                        Thanks
Derelict:

                          It is actually access to the internet from the clients, but glad it's working.

                          Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."

medway01:

                            @Derelict:

                            It is actually access to the internet from the clients, but glad it's working.

                            Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."

                            That has to be the best explanation of this I have read, one simple sentence makes things so clear.

                            Thanks,
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.