Want to Block 1IP from using Internet when VPN goes down



  • hi i thought i had this working a while ago but i noticed i didnt

    i use a VPN  for my entire network..  
    

    and when the vpn goes down my internet usually works as i have it set as the next rule below the VPN rule
    but i have a rule above it to block WAN interface to <Network IPS Only for VPN>

    and it blocks any but it does kinda work it blocks Internet explorer blocks pings

    but what i noticed is i have Utorrent running on that computer... and yet its still working its not being block... i not at home to send screen shots and i been fiddling ealier but i figured id ask

    is there a good already topic or article to show

    VPN ----->Entire Network
    If VPN Goes Down -----Fall Over to Regular WAN
    But Do Not Let <Blocked Network IPS> from Using WAN Interface when VPN Is Down

    im not sure if i need to be in firewall or NAT so if i need to be moved please do so



  • here are the pics of the RULES and NAT settings... it kinda works
    if VPN goes down.. Internet still leaks to the IP address of 192.168.0.11 that should never see a WAN connection.. only a NordVPN connection.. it takes about 5 min of leaking before it stops allowing internet to leak through when the VPN goes down

    how do i fix it what do i need to change.. and that double vpncanada block one was ment to be usa one fixed that
    nata2.JPG nata1.JPG


  • LAYER 8 Netgate

    Make a rule for that specific source host above the NORDVPN rules.

    Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.

    Add the following advanced option:

    Tag: NO_WAN_EGRESS

    Make a floating rule in Firewall > Rules, Floating

    Action: Reject
    Quick: Checked
    Interface: WAN
    Direction: Out
    Source: Any
    Destination: Any

    Display Advanced

    Tagged: NO_WAN_EGRESS



  • ok so does the Taging mean Link To Floating thing i guess its a kinda of Rule to Block like an Allias
    so No Wan Egress means do not allow any connection OUT to the WAN but will it allow inncoming connections? as i see it has any in out as options

    i think i did it correctly to your settings.. so why was it leaking?
    or what did i do wrong
    and could you tell me if i change VPNs from Canada to USA the data still goes to the First VPN which is the Canada on the LAN net connection i have tried setting the * Destitnation to to NordVPN_Canada Address and Net and it doesnt help as i tried to keep it seperate i know im doing something wrong..

    and I plan to add a Guest Network so i wanna make sure its on that 192.168.0.11 so if VPN goes down i dont want them using my regular WAN as i dont know what they doing and i dont have blocking programs to block websites etc
    so id use an Allias like i did for the Gaming Consolse right?

    i appreciate the help so far...
    nata4.JPG nata3.JPG



  • if i forgot to add something or you see something i need to delete or change let me know...

    and the mulitple Xbox Blocks.. is i found it was the only way to get OPEN NAT for Xbox once i blocked all those

    and i figured Blocking NAT fro 192.168.0.11 to WAN on the NAT and i figured that would stop internet and it didnt i dunno why?

    i still learning im a home user not in the IT field so i learning as i go


  • LAYER 8 Netgate

    NO_WAN_EGRESS is just a text phrase. You could use JKHIHEJIFUBIDS as long as the tag set when the connection enters the firewall matches the tag the outbound floating rule is matching on.

    All we are doing is setting a tag on the connection whenever one arrives on LAN from that IP address and blocking anything with that tag that tries to leave WAN.

    More here



  • ah ok and how come you need the Floating Block.. how come the Rules isnt good enough or the Blocks i put on it... do i remove those Block's in the Rules or do i keep it in there

    so the Tag is like the Alias's then...
    i figured the Block i did was good enough where i said Block Wan Interface



  • ah ok i just read the More here link.. that basiclly what i thought i was doing when i told it to block WAN interferace on the IP address unless its being bypassed i guess?

    least i thought i was blocking


  • LAYER 8 Netgate

    It is nothing like an alias. It is a tag.

    You cannot block outbound on WAN for traffic from a certain inside host address because outbound NAT has already occurred so the source address has been translated and will not match. So you set that special tag when matching traffic arrives on the LAN interface and block anything with that tag on the way out WAN.

    Believe me. Once you understand what it's doing it's the only way that makes any sense in this case.

    No. All you are doing with that rule is blocking connections with a destination address of your WAN address on your firewall. That probably won't ever block anything.



  • ok reason i said alias.. as in you give a name and it does a function... like Game consoles it does a function of recording the IP address's of all the game consoles under the "Game Consoles" alias name

    soo how do you know when to use Tags to Block or how you know when you can use the Reject/Block options under NAT or Rules
    and so what it does now
    is LAN Net (any IP on the LAN ) use NordVPN But If it Tries to use the WAN when VPN goes down then goto aka NO WAN REGRESS.. block that connection...

    so what ones should i Delete? the WAN blocks i had
    and is there a way to make the NORDVPNs if im on USA it keeps using the Canada Setting one in the Rules.. i tried replacing the Desitination * to NordVPN_Canada NET or Address and for USA too... and when i choose usa still doesnt work right ...

    and is there a better way for the NAT Blocking XBOX or is that ok... was only way i got Xbox to Ever Work with the Double NAT Moderate NAT .. and was only way to get it to OPEN

    and i appolgize if i dont make sense.. I have dislexia, and learning disability.... so it sounds right in my head or i try to understand and lots of times i confuse people.. so i hope i didnt and if so ask and ill try to re write what i mean...

    but i do appreciate your help... always learning


  • LAYER 8 Netgate

    You use block/reject rules when you want to block traffic entering the firewall.

    You cannot do that because you want to pass that traffic into the firewall, but only block it when it tries to take a certain path out.

    That More link I gave covers all of this. It's for pfSense 2.2.X but it all still applies.

    No idea on the Xbox or what special requirements it has. There is a specific gaming category here.



  • ok i kinda understand.. and thats why i get confused if im blocking WAN interface to a specific ip address under LAN headding why it doesnt block it i get it for the VPN
    or is it because im running a VPN that the those block s (in image i grayed now) dotn work

    but if i simply had no VPN and blocked it like i did that would work no need for a tag??

    and here i show i tried doing this but trying to make sure that the LAN net to go through the NordVPNCanada Dest and Gatatway Canada...
    or when i use the NordVPN Dest USA and GateaWay USA i trying to make it go through it.. but you see i tried net and address

    and what happens it skips all that and just goes to the bottom and runs the Plain WAN internet connection

    would you happen to know how to set it soo
    when i use OpenVPN Canada NordVPN use the Canada GateWay
    when i use OpenVPN USA NordVPN use the USA Gateway not the Canada

    do i need to Do a TAG? can you add mulitple Tags..

    as for the Xbox one ya i tried i the only one in that forum that was trying to get VPN and WAN and XBOX to work together... no real help there as it was just Regular WAN and XBOX settings..
    so i played for hours getting it to work what i did...

    but here is the pic... if its not possible to route the VPN to the specific Gateway then no worries ill just deal with it using the first one i guess.. its just i sometimes turn off Canada and turn on USA and vise versa...
    nata5.JPG


  • LAYER 8 Netgate

    One issue at a time.



  • ah ok i having an issue. i was testing the turn off vpn to see that the computer gets blocked.. it worked... i tried turning on the VPN i couldnt... it shows i get internet on the lan net after the vpns but i get no internet..
    i saved the configuration and restored to earlier one from yesterday.. and internet worked...
    i reloaded the saved config you helped me with.. and i have no internet.. something went a muck i cant find an error.. cant even ping google in pfsense is there a way to find out if there is a glitch or a toggle switch is blocking everything by accident
    here is the rules i have saved... which i should have internet but i dont
    internet not working.JPG

    i should be getting internet with the VPN turned off... but im not it shows data but i getting nothing


  • LAYER 8 Netgate

    The only rules you have routing out to WAN_PPPOE are from Games_Consoles

    I suggest starting over with a default configuration and doing one thing at a time, getting that working, then doing one more thing, getting that working, etc.



  • thats correct... Game consoles goes out the WAN PPPOE

    then the 192.168.0.11 Uses VPN Tag No WAN EEEGREES
    then LAN net * * * * * next is using the Default Internat WAN_PPPOE becuse VPN is down

    right now internet is totally disabled
    even if you put the Default LAN allow lan rule to the top internet is disabled even after a reboot... so i not sure what happened in this config.. if it corrupted or something that its using the Default Internet but yet its blocking it at the same time which is the PPP0E

    but guess ill go back to yesterdays config.. which is what you saw earlier screen shots when you told me to do the Tag Egress... thats the default we started with today which was working... and after i did what you told me and i then turned off VPN no internet works.. so thats frustrating

    but ill try again tommorow as i tired... i appreciate the help so far


  • LAYER 8 Netgate

    Then you did not do what I said because what I said would have only impacted traffic from that single host.



  • yes i did what you said
    like i said it was working When I turned off VPN disabled it the 192.168.0.11 lost internet
    but trying to reactivate it... wouldnt work
    and then my entire internet was lost...
    as you can see i moved Lan Net to the top so it bypass's VPN you see it says its accessing internet yet nothing on the entire network has internet... its like its disabled but only thing i changed was the adding of the policy of Float and the Tag to the specific IP address

    like i said
    it was working then i disabled OpenVPN Client so i could see that 192.168.0.11 lost internet... i then tried reactivating my NordVPN client wasnt able to..

    i now lost entire internet as it usually just skips the vpn and i uually use the WAN interface... but it isnt doing that... and i cant reconnect

    but if i roll back to the day before the one i started with... VPN can log in.. i switch back to what we did its like the WAN connection is blocked on the network
    i have had this kinda issue 3 times out out of the entire year since jan 2018 i noticed...
    if i send the config file you able to see what its blocking?
    but here is the rules

    no internet2.JPG no internet1.JPG



  • so here you seen i grayed out all the rules.. and i created a new rule.. you see i have internet traffic but im block no internet.. yet it shows i i should be getting internet..

    as you see in the gateway.. I am connected to the internet fine as i get a gateway but i have 100 percent loss... so where in rules is it blocking 100%
    no internet4.JPG no internet3.JPG


  • LAYER 8 Netgate

    Your PPPoE is offline. Where is the traffic supposed to go?



  • ugh ill post picture.. like i said its nto offline
    its up and you see 10.11.13.49 gateway monitor is 10.11.13.49
    so its up but just a sec ill get you a photo
    thats why i ask where else could it be blocking?


  • LAYER 8 Netgate

    Post the routing table from Diagnostics > Routes.



  • if i upload the config file is there an editor for you or diagnostic program to see whats wrong?
    as reboots dont help
    no internet7.JPG no internet6.JPG no internet5.JPG

    sorry takes a bit to send back pics
    as i restore the few days ago config to send you the pics but load up the config file we worked on in this topic and it just glitched or something and i wanna be able to figure it out incase it has happened again.. as its happened in 2 other times last year but all i did was format and started over... but since i have bunch of stuff setup i dont wanna format.. i wanna find out what went wrong



  • could it be because i use a gaming computer motherboard and non ECC ram... and while it was doing a save it saved a corrupt setting to block the internet..
    as i always hear you want ECC ram for a server is it possible .. as i was looking at 1U Server supermicro but at 1200 + just to make pfsesne... my gaming computer under 500 was cheaper way



  • ok found the problem well kinda...
    That Floating No WAN Egress is being applied when its not supposed to be called

    and i tried scrolling up but i cant see the settings you told me but this is what i have.. ...

    so even though no TAG is being called on any of the rules other then the 2 for 192.168.0.11

    its like the rules are calling Tag No Wan Egress by default and not when its supposed to

    floating 3.JPG floating 2.JPG Floating 1.JPG



  • here is that default lan settings... even though the tag is blank its still calling that floating no wan egress because if i un disable no wan egress tag under floating
    internet is blocked
    its like its being called hidden in the background
    lannet1.JPG
    lannet2.JPG
    lannet3.JPG



  • here is the one ip rule that calls the tag that should only be called when vpn is down but seems to being called whenever it wants to
    block1.JPG



  • so what i found is
    if i reactivate the Floating Rule No Wan EGRESS
    internet works fine..

    but if i Do a reboot of Pfsense.. then that No Wan Egresss gets automaticlly loaded by default then blocks internet

    then when i Disable Floating Rule
    i get the internet back

    then if i enable it internet seems to work fine and when i set to run VPN and then choose to disable VPN and restart it.. WAN is now 100% packet loss again
    so i re disabled the Floating Wan Egress

    it seems it loads it up like a windows service without being asked to... is there another setting to set so it doesnt do that?

    maybe something i didnt check off


  • LAYER 8 Netgate

    Again, my suggestion is to save a backup copy of your current config and reset to defaults and start over. I really have no idea what you put where to break this and these screen captures of irrelevant data are solving nothing.

    But before you do that, just put a LEGIBLE copy of /tmp/rules.debug in a chat to me please.

    Diagnostics > Command Prompt

    Execute cat /tmp/rules.debug

    Copy / paste.
    Thanks.



  • ugh
    well i gave you screen shots of
    -Tag No Wan Egress you told me to type
    -LAN Net Default of Pfsense
    -NordVPN 192.168.0.11 with TAG No Wan Egress

    i was showing you each break down to show you that the Tag No Wan Egreess and i didnt do anything wrong..
    and was showing you that No Wan Egress Tag gets loaded automaticlly not just when its supposed to

    but ugh reset defaults then i gotta do all the Static Ip renamings i have too didnt wanna reset.. i wanted to fix this why

    but ok ill get you the copy just a moment.. just frustrated



  • well you cant post rules its considered spam by your spam program forum.. i attached a text file of it hope it worksrules.txt



  • i didnt un gray the floating no wan egress so i dont know if that rule will show up



  • here is rules 2.. I enabled Floating No Wan Egress and re ran that debug cat thing you told me to do... hopefully you find my error as your smarter then me at this stuff

    rules2.txt



  • so 5 min after i enabled the No Wan Egreess Tag under floating options to do the rules2 for you

    i lost internet to 100 percent loss

    so its still loading it some how


  • LAYER 8 Netgate

    What do you have set for this:

    System > Advanced, Miscellaneous, Skip rules when gateway is down

    Look. This stuff is extremely complicated. You really have to know exactly what you are doing to pull this kind of policy routing off. You have multiple OpenVPN clients and you want certain LAN hosts to behave one way and certain LAN hosts to behave another.

    The NO_WAN_EGRESS rules I sent will not do ANYTHING to connections that do not originate from that source host.

    You are refusing my suggestion of starting over from the beginning.

    You are policy routing everything from LAN to the OpenVPN gateway. is gateway monitoring enabled there? Does the system even recognize the OpenVPN is down? If not, it will continue to send the traffic out the OpenVPN.

    "100 percent loss" is not a trouble description. I understand you are frustrated. More details might be necessary.



  • and sorry if the screen shots are irrevelent to the settings
    as i been told i have to post screen shots of the settings i do.. as you guys arent willing to watch videos... and i got blasted last year for not posting screen shots of what i was doing..

    was only trying to show you the settings i set... didnt mean to make it irrvelent.. to me they were relevent as its the stuff you told me to set..
    sorry about that


  • LAYER 8 Netgate

    It would help if you followed my instructions exactly.

    Derelict about 19 hours ago

    Make a rule for that specific source host above the NORDVPN rules.

    Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.

    Add the following advanced option:

    Tag: NO_WAN_EGRESS

    Make a floating rule in Firewall > Rules, Floating

    Action: Reject
    Quick: Checked
    Interface: WAN
    Direction: Out
    Source: Any
    Destination: Any

    Display Advanced

    Tagged: NO_WAN_EGRESS

    TAG on LAN
    TAGGED on WAN

    The former SETS the tag
    The latter MATCHES the tag previously set by the LAN rules.



  • i get that t he No Wan Egree rule only to that

    but ill make a video and prove your wrong its not doing that.. its doing it on its own cuz your not believing me..

    and i didnt refuse of starting over.. i told you ok in the one reply i said i didnt wanna cuz thats alot of typing and figuring where all the settings god..

    yes I got different openVPNs

    so what i have is
    WAN ----> Only For Game Consoles
    NORDVPN USA for entire Network
    NORDVPN CANADA for entire Network these 2 is when i wanna be in usa or in canada
    OPENVPNSERVEr ---->> so i can Remote access my network from away from the home

    and i wouldnt know if gateway monitoring enabled..

    and ya the system knows when NordVPN goes down... either i get a email from my ISP my son did something bad which i told him to stop ... or my internet goes down and then im using my WAN IP address so it falls over

    i only had issues because you told me i had the rules set wrong for when VPN goes down and to make sure no Internet leaking happens..

    and then i find out now that the Floating rule seems to automaticlly load ...
    if i disable all the rules minus that lock out rule Floating Rule No Wan Still gets loaded and 100% packet loss

    but there is monitoring as there is a monitoring IP when i showed the Gateway images

    but here the pics of the misc'smonitor3.JPG monitor2.JPG monitor1.JPG



  • i think i found the error on floating
    i put TAG NO_WAN_EGRESS

    not TAGGED NO_WAN_EGRESS

    guess thats the reason it automaticlly Blocks because i put NO_WAN_EGRESS under TAG

    i really hate dislexia i read Tagged as Tag... ill try that

    So Tag means anything on the Local Network... and TAGGED means anything going out on the internet

    ill re try again thank you for being patient



  • nope didnt work

    having TAG No Wan EGress for the 192.168.0.11 Under NordVPN one

    and having TAGGED No Wan Eggress under Floating

    just lets the 192.168.0.11 get WAN internet instead of blocked..

    shouldnt the Rule be also set to TAGGED not TAG?


Log in to reply