Mission critical pfSense firewall activities thru VPN ONLY?



  • I want to make sure all my pfSense software updates and any other communication for my pfSense firewall go thru my VPN only. How do I configure this?

    What I think are the relevant parts of my configuration for my question:
    * I do not have any DNS servers assigned in General -> DNS Server settings
    * Using Unbound (DNS Server Override & Disable DNS Forwarder are not checked in General -> DNS Server settings)
    * In my outbound NAT I have my default 127.0.0.0 going thru VPN only
    * DNS Unbound has its "Outgoing Network Interface" set to my VPN interface ONLY

    I have my separate VLANs working correctly, i.e. Apple TV going thru WAN, others go thru my VPN. My question is specific to any pfSense software updates or any other firewall "home calling".

    Eternally grateful for any thoughts...

    Thanks V


  • Rebel Alliance Developer Netgate

    Outgoing requests from the firewall will follow the default gateway. For updates to go over the VPN, the firewall's default gateway would have to be (at least temporarily) changed to be the VPN.

    The exact method for that varies by VPN.
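    The point above (firewall-originated traffic such as update fetches follows the default route, not the LAN policy rules) can be checked from the shell. The script below is an added example, not from the thread or the pfSense project; it parses a constructed `netstat -rn -f inet` table and the interface names `em0` (WAN) and `ovpnc1` (VPN client) are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output from a pfSense (FreeBSD) box.
# Assumed interface names: em0 = WAN, em1 = LAN, ovpnc1 = OpenVPN client to the VPN provider.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        link#10            U        ovpnc1
10.8.0.5           link#10            UHS         lo0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#1             U           em1
203.0.113.0/24     link#1             U           em0'

# Print the Netif column of the default route from a routing table read on stdin.
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Succeed (exit 0) when firewall-originated traffic (pfSense/package updates,
# pfBlocker list and Snort rule fetches) would leave via interface $1,
# i.e. the default route points at that interface.
default_via() {
    wanted="$1"
    iface=$(default_route_iface)
    [ "$iface" = "$wanted" ]
}

# On a live pfSense box replace the sample with:  netstat -rn -f inet | default_via ovpnc1
if printf '%s\n' "$SAMPLE_ROUTES" | default_via ovpnc1; then
    echo "default route is via ovpnc1: firewall-originated traffic uses the VPN"
else
    iface=$(printf '%s\n' "$SAMPLE_ROUTES" | default_route_iface)
    echo "default route is via $iface: firewall-originated traffic bypasses the VPN"
fi
```

With the sample table the check reports that updates would leave via `em0` (WAN), which is exactly the situation the reply describes; the same one-liner against the live routing table tells you whether a gateway change took effect.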



  • I have managed to get my LAN traffic to go thru VPN, however my default gateway is still my WAN. In earlier research I think this was advised...

    I currently use PIA... my wish list would be that all my downloads (pfBlocker lists... some are hourly), pfSense updates, package updates including Snort rules (every day I think... could be weekly) be updated thru VPN.

    Is it a simple case of changing my default gateway to VPN?

    Your point that it is a "temporary" change, and prior experience with the initial setup, tell me it's a little more involved. I couldn't find specifics...

    Any help would be greatly appreciated.
    V



  • I am still trying to find a good solution to secure my software updates (pfSense and packages) and "Cron like" events (Snort, pfBlocker rule/list updates).

    I get how a temporary change might be practical for software updates but for "Cron like" events it likely won't work.

    Any suggested best practices or thoughts?

    Happy New Year and thanks again for pfSense and the package work!!!

