Modem access and VPN kill switch



  • Hi,

    First off, I'm a bit of a noob when it comes to pfSense, but thanks to this forum I have managed to get my pfSense install working :-)

    I have a PIA VPN set up and working and a few block rules in LAN to block devices that I don't want to have Internet access.

    I have set up access to my bridge modem using the pfsense guides and have the modem interface labeled as 'modem access', it works fine.

    The problem I have is IF I create a so-called VPN kill switch using the 'NO_WAN_EGRESS' mythology that is posted in the forum, it prevents access to the bridge modem; it does stop Internet access when the VPN goes down, as it should.

    I have attached a snapshot of my LAN rules page. The rule marked in green is the default LAN rule modified to use the VPN interface as a gateway, and the NO_WAN_EGRESS tag has been added, as well as a floating block rule.

    So far so good for the VPN, but there is no modem access; however, if I remove the gateway from the LAN rule, I have access to the modem. Add the gateway and modem access stops.

    After trying various rules I discovered that by adding a new rule, marked in red, I can access the modem and have the VPN kill switch working. To my limited knowledge this seems OK, but I wonder if it's the best, safe method; I would appreciate someone here looking at the rules to see if it's the right way to achieve what I want to do.

    Besides these rules and the floating rule for the 'NO_WAN_EGRESS' I have no other rules except the defaults.

    Thanks !
    ![lan rules2.png](/public/imported_attachments/1/lan rules2.png)


  • Rebel Alliance Global Moderator

    Why do you need a vpn kill switch?  And if you did want a vpn kill switch, why would you kill the whole internet connection and not just kill the vpn connection?



  • @johnpoz:

    Why do you need a vpn kill switch?  And if you did want a vpn kill switch, why would you kill the whole internet connection and not just kill the vpn connection?

    I want the whole Internet to go down with the VPN; I want my router/firewall to drop the connection to the WAN if the VPN goes down. No use being naked online!

    I HAVE NOTHING AGAINST THE ENTIRE INTERNET.

    Thanks


  • Rebel Alliance Global Moderator

    But you have your tinfoil hat to protect you don't you? ;)



  • I want the whole internet to go down

    I don't think other people would be happy with you killing the Internet!  ;)



    I'm sure that somewhere in your humorous replies is a coded message hinting that one of you guys will look over my rules and see if they are the best option for what I need :-)

    I guess asking about a kill switch was just asking for trouble here, being Friday and all  :P

    Thanks


  • Netgate

    You have a rule that passes traffic to your MODEMACCESS_NET. (Note that said rule is TCP-only so if you are trying to ping that won't match as that is ICMP).

    You have a rule below that that routes traffic to PIA. Presumably you set the NO_WAN_EGRESS flag on that rule. Then you have a floating rule on WAN out that blocks all traffic that has the NO_WAN_EGRESS flag set. It's not mythology. It does exactly what it is supposed to do and is really the only way to do it, since you cannot match inside (pre-NAT) source hosts on WAN out floating rules, as NAT has already occurred there. Just because you don't understand something does not make it mythical.

    That will NOT block traffic to the MODEMACCESS_NET. If it does, it is something else doing the blocking or your MODEMACCESS_NET rule is not doing what you think it is doing. (See TCP-only comment above).
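
To make the mechanism Derelict describes concrete, here is an added example (not pfSense code and not from anyone in this thread) that models the posted ruleset in Python: the two LAN pass rules evaluated top-down, the NO_WAN_EGRESS tag set by the VPN rule, and the floating block on WAN out. It assumes a constructed MODEMACCESS_NET subnet and pfSense's default behaviour that a policy-routing rule whose gateway is down falls back to the default route.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subnet: the thread does not give the real one.
MODEMACCESS_NET = ip_network("192.168.100.0/24")

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    gateway: str = "default"        # set by whichever LAN rule matches
    tags: set = field(default_factory=set)

@dataclass
class Rule:                         # one LAN interface rule; all are "quick" (first match wins)
    proto: Optional[str]            # None = any protocol
    dst: Optional[object]           # destination network, None = any
    gateway: str                    # "default" (system routing) or a policy-routing gateway
    tag: Optional[str]

def lan_rules(modem_rule_proto="tcp"):
    """The two LAN pass rules in evaluation order; the modem rule is TCP-only as posted."""
    return [
        Rule(modem_rule_proto, MODEMACCESS_NET, "default", None),  # 'modem access' rule
        Rule(None, None, "PIA_VPN", "NO_WAN_EGRESS"),              # default LAN rule + VPN gateway + tag
    ]

def forward(pkt, vpn_up, rules):
    """Return the interface the packet leaves on, or 'blocked'."""
    for r in rules:                                   # LAN in: top-down, first match
        if r.proto is not None and pkt.proto != r.proto:
            continue
        if r.dst is not None and ip_address(pkt.dst) not in r.dst:
            continue
        pkt.gateway = r.gateway
        if r.tag:
            pkt.tags.add(r.tag)
        break
    else:
        return "blocked"                              # implicit default deny on LAN
    # Policy routing: with the VPN gateway down, pfSense (by default) loads the rule
    # without the gateway, so tagged traffic falls back to the default route via WAN.
    egress = "PIA_VPN" if pkt.gateway == "PIA_VPN" and vpn_up else "WAN"
    # Floating rule, WAN out: block quick ... tagged NO_WAN_EGRESS
    if egress == "WAN" and "NO_WAN_EGRESS" in pkt.tags:
        return "blocked"
    return egress
```

Run a TCP and an ICMP packet to the modem subnet through it: TCP matches the untagged modem rule and leaves via WAN whether the VPN is up or not, while ICMP falls through to the tagged VPN rule and is either sent down the tunnel or blocked on WAN, which is exactly the ping failure pointed out above.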



  • Thank you Derelict for replying in detail, much appreciated.

    I took note of the TCP pointer and changed it to suit.

    I have a grasp of most commercial off-the-shelf routers, but pfSense is a totally different thing and takes some working out, hence my concern about adding rules; it may work for me, but to more experienced people there may be better ways to achieve my aims.

    Thank you


  • Netgate

    Was your problem the TCP-only rule or is it still not working as expected?



  • Sorry, I should have mentioned:

    NOW, as the rules stand, I have the VPN, and when it drops so does the Internet to the clients (I think that's the right terminology).

    I have full access to the bridge modem; after changing the protocol I can now ping it as well. I missed that, so thank you for pointing it out.

    The three blocking rules to the clients I have blocked appear to work as expected.

    So long as this is the correct way to do this I am happy. I've done some packet captures on the WAN and LAN and everything seems OK.

    Thanks


  • Netgate

    It is actually access to the internet from the clients, but glad it's working.

    Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."



  • @Derelict:

    It is actually access to the internet from the clients, but glad it's working.

    Yes, I feel that is the best way to accomplish that task. It is essentially saying "If it was supposed to go out the VPN, do not let it out WAN."

    That has to be the best explanation of this I have read; one simple sentence makes things so clear.

    Thanks,