Blocking selected IPs from accessing the NET if VPN is down



  • Hi,

    I'm pretty new to pfsense and need a little help with some firewall rules.

    I thought I had it sorted until I tested it and well it didn't work the way I thought it would have.

    I have set up a VPN and it's working 100%, no dramas, using this: "https://www.youtube.com/watch?v=ybcc-OBi7kQ"

    I've also set up a firewall alias with 3 IPs that should only be able to access the net through the VPN when it's connected, so if the VPN goes down those IPs in the alias cannot access the net. But after downing the VPN to test, they can still access the net through the default gateway.

    So my LAN rules at the moment are

    #  Act    Iface  Addr  Proto  Source        GW
    1  Anti-Lockout Rule
    2  Pass   LAN    IPv4  Any    VPNOnly       VPN GW
    3  Block  LAN    IPv4  Any    VPNOnly       Default GW
    4  Block  LAN    IPv4  Any    192.168.0.23  Default GW
    5  Pass   LAN    IPv4  Any    LAN net       Default GW

    Line 4 was put in as a test, thinking it would stop 192.168.0.23's access to the net, but it didn't. This just doesn't make sense to me.

    I have used iptables before, and to me that should have worked, as in: unless the VPN is up and running, anything in the alias VPNOnly will get blocked. And as I said, surely in line 4 blocking 192.168.0.23 directly would stop that IP accessing the default GW, but it's not.

    So what the hell am I doing wrong here? Any help would be very much appreciated.

    Thanks



  • No one's got any ideas at all here?


  • Netgate



  • Thanks for the reply Derelict

    Looking at "https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN", it looks to be an older version of pfSense, and maybe this used to work in the past but it doesn't anymore, but it's closer than anything I have found so far.

    The problem with this floating rule is that if the VPN is down when this rule is in place, then it's stopping the VPN from connecting.

    I might apply the rule after the VPN has connected, and if the link drops then all traffic is stopped, which isn't exactly what I wanted to do but it will do for the time being.

    Any ideas on a work around?

    Thanks again



  • Worked it out, got it to work with my original rules and a little more tweaking…


  • Netgate

    It works fine. If it didn't work you did it wrong.



    As I said in the original reply to you, I have it working now with my original rules, after reading the second link you posted, which got me thinking and going about things a little differently, so thanks for that, it did help in the long run.

    Secondly, it may well work "fine" for you and I'm happy for ya, but as I'm not an idiot and can follow pretty simple instructions, I followed it to the letter! The problem with your little howto is, like I said before, if the link is connected and it drops for whatever reason, it will not reconnect to my VPN (IPVanish) because it blocks "everything", so stopping the VPN from reconnecting, end of story, not what I wanted.

    Now as there are a lot of variables between your system and mine, I'm sure you can understand that it didn't work for me for whatever reason, but not because "If it didn't work you did it wrong", because that's just completely incorrect. It worked a little too well for my system.

    Thanks again for the help.


  • Netgate

    It does nothing of the sort.

    That's the beauty of that tag/match method. It does nothing but block the traffic that should have gone over the VPN from going out WAN. It has nothing to do with what is routed where or what tunnels come up when. It's just a WAN condom for traffic marked as undesirable to allow egress. It does so perfectly.

    OpenVPN does not depend on traffic being generated to bring a tunnel up like IPsec, so if you are blaming firewall rules for keeping your tunnel from coming back up, your blame is misplaced. An OpenVPN client will continue to attempt to reconnect when disconnected, regardless of traffic. Check the OpenVPN logs.

    If it is blocking OpenVPN traffic itself (UDP/1194 out WAN by default, not sure what IPVanish uses) then you, again, did it wrong.
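
The following is an added example, not part of the thread and not Netgate's or Derelict's code: a pf.conf-style ruleset showing the "match/tag on LAN, block tagged on WAN" method the reply above describes, next to the policy-routing rules from the first post. Interface names (em0, em1, ovpnc1), the tunnel gateway 10.8.0.1, the alias members and the tag name are assumptions for illustration; in the pfSense GUI the same thing is two Floating rules (Match on LAN in, source VPNOnly, Advanced > Tag; then Block on WAN out, Advanced > Tagged, Quick). One pfSense caveat explains the first post's result: unless System > Advanced > Miscellaneous > "Skip rules when gateway is down" is enabled, a pass rule whose gateway is down is loaded without that gateway, so rule 2 still matches first and forwards via the default gateway, and rules 3 and 4 never see the traffic. The tagged WAN block keys on the mark rather than on the route, so it catches that fallback regardless.

```pf
# Added example (not from the thread). Names, addresses and the tag are assumed.
lan_if  = "em0"
wan_if  = "em1"
vpn_if  = "ovpnc1"           # pfSense OpenVPN client interface (assumed)
vpn_gw  = "10.8.0.1"         # tunnel-side gateway from the VPN server (assumed)
lan_net = "192.168.0.0/24"

# Hypothetical members of the VPNOnly alias
table <VPNOnly> { 192.168.0.23, 192.168.0.24, 192.168.0.25 }

# 1. Mark every packet from a VPN-only host as it enters LAN.
#    "match" only attaches the tag; it neither passes nor blocks.
match in on $lan_if inet from <VPNOnly> to any tag VPNONLY

# 2. Drop anything carrying the tag that tries to leave via WAN.
#    "quick" ends evaluation so no later pass rule can rescue it.
#    The firewall's own OpenVPN session to the provider never enters LAN,
#    is never tagged, and so is not touched by this rule. Packets routed
#    into ovpnc1 are re-encapsulated by OpenVPN into new, untagged UDP
#    datagrams, so tunnel traffic on WAN is not blocked either.
block out quick log on $wan_if inet tagged VPNONLY

# 3. Local traffic (DNS/DHCP to the firewall, other LAN hosts) is passed
#    without policy routing; otherwise rule 4 would push it into the tunnel.
pass in quick on $lan_if inet from <VPNOnly> to $lan_net keep state

# 4. Policy-route VPN-only hosts into the tunnel.
pass in quick on $lan_if inet from <VPNOnly> to any \
    route-to ($vpn_if $vpn_gw) keep state

# 5. Everyone else uses the default gateway (the first post's rule 5).
pass in quick on $lan_if inet from $lan_net to any keep state
```

A remaining leak worth checking: if the VPN-only hosts resolve names through the pfSense resolver, those lookups are firewall-originated, leave WAN untagged, and reveal what the hosts are visiting even while their own packets are blocked. Either point those hosts at a resolver reached through the tunnel, or bind the resolver's outgoing interface to the VPN.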



  • So let me get this straight, you're saying that for a VPN to make a connection no traffic is passed through the WAN in any way shape or form for that connection to be made?

    Block port 53 and 1194, if that's what your VPN uses, and see how it goes making a connection.

    You just cannot seem to admit that it could be something else can you?  ;)


  • Netgate

    You are not getting it at all.

    The link I gave shows a way to mark LAN traffic that is only supposed to go over the VPN as such.

    It blocks that traffic, if so marked, if it goes out the WAN interface, not out the VPN interface (which is tunneled over WAN in most cases but in this case that is moot, because WAN will not see the marks there, only VPN tunnel traffic).

    This has zero to do with the connections made by the firewall itself to establish the VPN tunnel because that traffic never enters the LAN interface where the traffic is marked.

    You are doing it wrong and apparently don't understand what is required to make all of this work.

    You would do well to listen instead of argue if you want to solve your problem correctly.



  • No I understand completely!

    You're too arrogant to admit that the problem could lie elsewhere, because you couldn't possibly be WRONG, could you.

    And how exactly am I doing it WRONG when I have it WORKING? DO YOU UNDERSTAND, "IT'S WORKING" WITH THE ORIGINAL RULES, but in your mind I'm doing it wrong, WOW.

    I've blocked you as of right now, and in future please don't offer me advice, as I'm really not interested in anything else you have to say.

    Fantastic thing this "block user", test it out on me will ya.


  • Netgate

    Good luck.


  • Galactic Empire Netgate

    @spud:

    No I understand completely!

    You're too arrogant to admit that the problem could lie elsewhere, because you couldn't possibly be WRONG, could you.

    And how exactly am I doing it WRONG when I have it WORKING? DO YOU UNDERSTAND, "IT'S WORKING" WITH THE ORIGINAL RULES, but in your mind I'm doing it wrong, WOW.

    I've blocked you as of right now, and in future please don't offer me advice, as I'm really not interested in anything else you have to say.

    Fantastic thing this "block user", test it out on me will ya.

    Chill out, 30 days' ban. "Fantastic thing" we the mods have. There's no need for that kind of behavior; Derelict tried to help you.


Locked