    Need help with firewall rule to block traffic on WAN except VPN tunnel

    Firewalling
    • N
      nils92 last edited by

      Hi guys,

      I need some help, as I'm not a professional with pfSense by any means. I'm currently running 3 OpenVPN clients on my pfSense box and route websites/clients through them via firewall rules in the LAN tab, which works fine.

      Now I'm wondering what would be the best approach to block all traffic on my WAN network (i.e. going via my ISP) except what is needed to establish the VPN tunnels?

      Any help appreciated.

      1 Reply Last reply Reply Quote 0
      • I
        isolatedvirus last edited by

        If you're trying to deny outbound access to the internet except for VPN traffic, you can use policy-based routing through the use of gateways in the advanced portion of firewall rules.

        1 Reply Last reply Reply Quote 0
        • N
          nils92 last edited by

          That's pretty much what I did so far: added a deny rule at the end and made aliases for hosts etc. that I want to go through the VPN. So far it seems to work fine with having 3 different tunnels.

          The only thing that goes directly via WAN seems to be system services and my Squid proxy; not sure how I can go about forcing it via VPN as well.

          1 Reply Last reply Reply Quote 0
          • I
            isolatedvirus last edited by

            If you have a specific tunnel gateway you want to route all traffic through, you can create an alias. In the alias, include the hosts that would normally traverse that VPN and include the firewall itself.

            1 Reply Last reply Reply Quote 0
            • I
              isolatedvirus last edited by

              OK, I just tested this, and it doesn't work.

              It appears that Squid will ignore the policy-based routing and default to sending traffic out the default gateway.

              There are 2 workarounds: 1 requiring Squid to be relocated downstream, the second being changing the default gateway.

              If you want to, you can logically set up your network such that:

              LAN segments -> Squid proxy -> pfSense firewall. This will force traffic to obey your policy-based routes, but if you're doing source PBR, your PBR will break, which would require you to route based on destination or by port/protocol.

              The second workaround is to go to:
              System -> Routing -> Gateways and change your default gateway to one of your VPN providers. This will force traffic that Squid intercepts out the VPN of choice. The downside here is that if you want certain websites to route through different VPN providers, this breaks, as it will force all traffic that Squid is proxying out the new default gateway.

              Personally, I run Squid in transparent mode, on HTTP only. My setup has hosts/websites that I DO NOT want to protect through the VPN. If a host matches my host_vpn_bypass rule, it gets dropped direct to WAN no matter what the destination is. If ANY host matches a destination listed in my url_vpn_bypass, then it gets dropped direct out the WAN. This would be accomplished with the PBR rules, PLUS adding the aliases in the proxy bypass section of Squid under Services -> Squid Proxy Server.

              Edit:
              Spelling, phrasing, and added more detail.

              1 Reply Last reply Reply Quote 0
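              The rule set below is an added example, not configuration posted by anyone in this thread: it sketches, in pf syntax of the kind pfSense writes to /tmp/rules.debug, what the "block WAN except the tunnel" plus LAN policy-based-routing setup discussed above amounts to, and why locally generated traffic (system services, transparent Squid) is treated differently. Interface names, the tunnel gateway, the table contents and the VPN endpoint are assumptions; outbound NAT on the tunnel interface is omitted.

              ```pf
              # Added example (not from the thread). Names below are assumed.
              wan_if  = "em0"
              lan_if  = "em1"
              ovpn_if = "ovpnc1"        # OpenVPN client 1 tunnel interface
              ovpn_gw = "10.8.0.1"      # far side of the tunnel, used by route-to

              # Constructed sample data: LAN clients that must only use the VPN,
              # clients allowed to bypass it, and a placeholder VPN endpoint.
              table <hosts_vpn>        { 192.168.1.20, 192.168.1.21 }
              table <host_vpn_bypass>  { 192.168.1.50 }
              table <vpn_servers>      { 203.0.113.10 }

              # --- WAN (a floating rule, direction "out", in the GUI) ---------------
              # The firewall itself may only reach the VPN endpoint(s) on the
              # OpenVPN port; everything else the box originates on WAN is dropped.
              pass  out quick on $wan_if proto udp from ($wan_if) to <vpn_servers> port 1194 keep state
              block out quick on $wan_if label "kill switch: nothing else leaves via ISP"

              # --- LAN (the "Gateway" field of a LAN-tab rule becomes route-to) -----
              # Bypass hosts exit via the default route (the ISP) regardless of
              # destination, exactly as the host_vpn_bypass idea above describes.
              pass  in quick on $lan_if from <host_vpn_bypass> to any keep state

              # Protected hosts are forced into the tunnel. The state is created on
              # LAN, so the WAN "block out" above never sees these flows.
              pass  in quick on $lan_if route-to ($ovpn_if $ovpn_gw) from <hosts_vpn> to any keep state

              # Deny rule at the end of the LAN tab: anything not matched above stays
              # off the wire instead of leaking out the ISP when a tunnel is down.
              block in quick on $lan_if label "LAN default deny"

              # Not covered by any LAN rule: connections Squid opens on behalf of
              # intercepted clients, DNS/NTP from the firewall, pkg updates. They are
              # locally generated, follow the system default route and therefore hit
              # the WAN "block out" rule. Changing the default gateway to the tunnel
              # (the second workaround above) is what moves them into the VPN.
              ```

              The WAN block also catches the firewall's own DNS lookups, so if the OpenVPN client is configured with a hostname rather than an address, either list the resolver explicitly in the WAN pass rule or point the default gateway at the tunnel as described above.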