Blackhole Remote Network addresses if tunnel is down



  • Hi, I'm looking for a way to drop traffic destined for the Phase 2 "Remote Subnet" when the IPSec VPN is down.  This is so that the unencapsulated packets don't just get routed straight onto the wire without being wrapped in IPSec if the tunnel drops.

    The tunnel is not currently up (waiting for response from the other party, which probably won't be for a few days).  When it comes up, will there be a new gateway populated into System/Routing?  If not, I'm not sure how to do this without using the Multi-WAN suggestion to omit rules whose gateway is down, and set a gateway on the "Pass" rule and then put an identical Block rule below it.  The reason I don't like this is because it's a global setting and I'd like to maintain flexibility as much as possible.

    A few ideas I had:

    • Create a new static route for the remote subnet, with a gateway of "Null4 - 127.0.0.1" – this would work fine but I'm not sure if this will be active and take precedence over whatever route gets added when the tunnel comes up?
    • Use an Outbound NAT on the WAN interface that rewrites the source IPs to something useless, like 127.0.0.1.  Then even if the unencrypted packets leak onto the wire, they won't get routed by any downstream devices that see them.
    • Create a new GW marked as Always Up, which is a blackhole route, and use this in a Block rule.  But I wasn't sure if a Block rule will "match" on the Gateway field?  (In other words, does the Gateway setting only apply on Pass rules?)

    I am used to being able to do this on other firewall types using a Metric or Preference, but that option does not seem to be available on pfSense.

    Thank you!


  • Netgate

    Easiest, most thorough way I have found to do that is to create a pass rule on the source interface for the VPN destinations. You probably want to explicitly do this anyway to bypass any policy routing for this traffic.

    On that pass rule, set a Tag. Something like NO_INTERNET.

    Then make a floating Reject rule on WAN out that matches any any any traffic that is Tagged with NO_INTERNET.

    Search the forum for NO_WAN_EGRESS for examples.
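The tag-and-reject layout described in this reply, written out as pf rules in the style pfSense generates. This is an added example, not a ruleset taken from the thread or from a pfSense install; the interface names, the LAN network and the Phase 2 remote subnet are constructed placeholders standing in for whatever the original poster's tunnel uses.

```pf
# Added illustration of the NO_INTERNET tag technique (not from the thread).
# All names and subnets below are assumptions for the example.
lan_if     = "em0"             # assumption: LAN (source interface)
wan_if     = "em1"             # assumption: WAN
lan_net    = "192.168.1.0/24"  # assumption: local Phase 2 network
vpn_remote = "10.20.0.0/24"    # assumption: Phase 2 "Remote Subnet"

# 1. Pass rule on the source interface for the VPN destination.
#    No route-to is set, so this traffic bypasses any policy routing,
#    and the state it creates is tagged NO_INTERNET.
pass in quick on $lan_if inet from $lan_net to $vpn_remote \
    keep state tag NO_INTERNET

# 2. Floating rule, direction "out" on WAN, matching any protocol,
#    any source and any destination, but only packets that carry the
#    NO_INTERNET tag. With the tunnel up, VPN traffic is encapsulated and
#    never appears here as plain packets; with the tunnel down, a packet
#    that falls through to the default route is rejected at WAN out
#    instead of leaving in the clear. "log" makes hits visible in the
#    firewall log, and "quick" stops later rules from overriding it.
block return out log quick on $wan_if inet all tagged NO_INTERNET
```

To confirm the rules loaded, `pfctl -sr | grep NO_INTERNET` on the pfSense shell lists both rules, and `pfctl -vsr` shows per-rule packet counters, so a test ping to the remote subnet while the tunnel is down should increment the reject rule's counter rather than the WAN egress counters.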



  • That is a sweet solution, thank you!

    I searched the pfSense Book earlier for Egress filtering, thinking I could filter on outbound from an interface someplace, but didn't find it.  Didn't realize you could specify direction on Floating rules.  Thanks again!