Want to Block 1IP from using Internet when VPN goes down
-
hi i thought i had this working a while ago but i noticed i didnt
i use a VPN for my entire network..and when the vpn goes down my internet usually works as i have it set as the next rule below the VPN rule
but i have a rule above it to block WAN interface to <Network IPS Only for VPN>and it blocks any but it does kinda work it blocks Internet explorer blocks pings
but what i noticed is i have Utorrent running on that computer... and yet its still working its not being block... i not at home to send screen shots and i been fiddling ealier but i figured id ask
is there a good already topic or article to show
VPN ----->Entire Network
If VPN Goes Down -----Fall Over to Regular WAN
But Do Not Let <Blocked Network IPS> from Using WAN Interface when VPN Is Downim not sure if i need to be in firewall or NAT so if i need to be moved please do so
-
here are the pics of the RULES and NAT settings... it kinda works
if VPN goes down.. Internet still leaks to the IP address of 192.168.0.11 that should never see a WAN connection.. only a NordVPN connection.. it takes about 5 min of leaking before it stops allowing internet to leak through when the VPN goes downhow do i fix it what do i need to change.. and that double vpncanada block one was ment to be usa one fixed that
-
Make a rule for that specific source host above the NORDVPN rules.
Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.
Add the following advanced option:
Tag: NO_WAN_EGRESS
Make a floating rule in Firewall > Rules, Floating
Action: Reject
Quick: Checked
Interface: WAN
Direction: Out
Source: Any
Destination: AnyDisplay Advanced
Tagged: NO_WAN_EGRESS
-
ok so does the Taging mean Link To Floating thing i guess its a kinda of Rule to Block like an Allias
so No Wan Egress means do not allow any connection OUT to the WAN but will it allow inncoming connections? as i see it has any in out as optionsi think i did it correctly to your settings.. so why was it leaking?
or what did i do wrong
and could you tell me if i change VPNs from Canada to USA the data still goes to the First VPN which is the Canada on the LAN net connection i have tried setting the * Destitnation to to NordVPN_Canada Address and Net and it doesnt help as i tried to keep it seperate i know im doing something wrong..and I plan to add a Guest Network so i wanna make sure its on that 192.168.0.11 so if VPN goes down i dont want them using my regular WAN as i dont know what they doing and i dont have blocking programs to block websites etc
so id use an Allias like i did for the Gaming Consolse right?i appreciate the help so far...
-
if i forgot to add something or you see something i need to delete or change let me know...
and the mulitple Xbox Blocks.. is i found it was the only way to get OPEN NAT for Xbox once i blocked all those
and i figured Blocking NAT fro 192.168.0.11 to WAN on the NAT and i figured that would stop internet and it didnt i dunno why?
i still learning im a home user not in the IT field so i learning as i go
-
NO_WAN_EGRESS is just a text phrase. You could use JKHIHEJIFUBIDS as long as the tag set when the connection enters the firewall matches the tag the outbound floating rule is matching on.
All we are doing is setting a tag on the connection whenever one arrives on LAN from that IP address and blocking anything with that tag that tries to leave WAN.
-
ah ok and how come you need the Floating Block.. how come the Rules isnt good enough or the Blocks i put on it... do i remove those Block's in the Rules or do i keep it in there
so the Tag is like the Alias's then...
i figured the Block i did was good enough where i said Block Wan Interface -
ah ok i just read the More here link.. that basiclly what i thought i was doing when i told it to block WAN interferace on the IP address unless its being bypassed i guess?
least i thought i was blocking
-
It is nothing like an alias. It is a tag.
You cannot block outbound on WAN for traffic from a certain inside host address because outbound NAT has already occurred so the source address has been translated and will not match. So you set that special tag when matching traffic arrives on the LAN interface and block anything with that tag on the way out WAN.
Believe me. Once you understand what it's doing it's the only way that makes any sense in this case.
No. All you are doing with that rule is blocking connections with a destination address of your WAN address on your firewall. That probably won't ever block anything.
-
ok reason i said alias.. as in you give a name and it does a function... like Game consoles it does a function of recording the IP address's of all the game consoles under the "Game Consoles" alias name
soo how do you know when to use Tags to Block or how you know when you can use the Reject/Block options under NAT or Rules
and so what it does now
is LAN Net (any IP on the LAN ) use NordVPN But If it Tries to use the WAN when VPN goes down then goto aka NO WAN REGRESS.. block that connection...so what ones should i Delete? the WAN blocks i had
and is there a way to make the NORDVPNs if im on USA it keeps using the Canada Setting one in the Rules.. i tried replacing the Desitination * to NordVPN_Canada NET or Address and for USA too... and when i choose usa still doesnt work right ...and is there a better way for the NAT Blocking XBOX or is that ok... was only way i got Xbox to Ever Work with the Double NAT Moderate NAT .. and was only way to get it to OPEN
and i appolgize if i dont make sense.. I have dislexia, and learning disability.... so it sounds right in my head or i try to understand and lots of times i confuse people.. so i hope i didnt and if so ask and ill try to re write what i mean...
but i do appreciate your help... always learning
-
You use block/reject rules when you want to block traffic entering the firewall.
You cannot do that because you want to pass that traffic into the firewall, but only block it when it tries to take a certain path out.
That More link I gave covers all of this. It's for pfSense 2.2.X but it all still applies.
No idea on the Xbox or what special requirements it has. There is a specific gaming category here.
-
ok i kinda understand.. and thats why i get confused if im blocking WAN interface to a specific ip address under LAN headding why it doesnt block it i get it for the VPN
or is it because im running a VPN that the those block s (in image i grayed now) dotn workbut if i simply had no VPN and blocked it like i did that would work no need for a tag??
and here i show i tried doing this but trying to make sure that the LAN net to go through the NordVPNCanada Dest and Gatatway Canada...
or when i use the NordVPN Dest USA and GateaWay USA i trying to make it go through it.. but you see i tried net and addressand what happens it skips all that and just goes to the bottom and runs the Plain WAN internet connection
would you happen to know how to set it soo
when i use OpenVPN Canada NordVPN use the Canada GateWay
when i use OpenVPN USA NordVPN use the USA Gateway not the Canadado i need to Do a TAG? can you add mulitple Tags..
as for the Xbox one ya i tried i the only one in that forum that was trying to get VPN and WAN and XBOX to work together... no real help there as it was just Regular WAN and XBOX settings..
so i played for hours getting it to work what i did...but here is the pic... if its not possible to route the VPN to the specific Gateway then no worries ill just deal with it using the first one i guess.. its just i sometimes turn off Canada and turn on USA and vise versa...
-
One issue at a time.
-
ah ok i having an issue. i was testing the turn off vpn to see that the computer gets blocked.. it worked... i tried turning on the VPN i couldnt... it shows i get internet on the lan net after the vpns but i get no internet..
i saved the configuration and restored to earlier one from yesterday.. and internet worked...
i reloaded the saved config you helped me with.. and i have no internet.. something went a muck i cant find an error.. cant even ping google in pfsense is there a way to find out if there is a glitch or a toggle switch is blocking everything by accident
here is the rules i have saved... which i should have internet but i dont
i should be getting internet with the VPN turned off... but im not it shows data but i getting nothing
-
The only rules you have routing out to WAN_PPPOE are from Games_Consoles
I suggest starting over with a default configuration and doing one thing at a time, getting that working, then doing one more thing, getting that working, etc.
-
thats correct... Game consoles goes out the WAN PPPOE
then the 192.168.0.11 Uses VPN Tag No WAN EEEGREES
then LAN net * * * * * next is using the Default Internat WAN_PPPOE becuse VPN is downright now internet is totally disabled
even if you put the Default LAN allow lan rule to the top internet is disabled even after a reboot... so i not sure what happened in this config.. if it corrupted or something that its using the Default Internet but yet its blocking it at the same time which is the PPP0Ebut guess ill go back to yesterdays config.. which is what you saw earlier screen shots when you told me to do the Tag Egress... thats the default we started with today which was working... and after i did what you told me and i then turned off VPN no internet works.. so thats frustrating
but ill try again tommorow as i tired... i appreciate the help so far
-
Then you did not do what I said because what I said would have only impacted traffic from that single host.
-
yes i did what you said
like i said it was working When I turned off VPN disabled it the 192.168.0.11 lost internet
but trying to reactivate it... wouldnt work
and then my entire internet was lost...
as you can see i moved Lan Net to the top so it bypass's VPN you see it says its accessing internet yet nothing on the entire network has internet... its like its disabled but only thing i changed was the adding of the policy of Float and the Tag to the specific IP addresslike i said
it was working then i disabled OpenVPN Client so i could see that 192.168.0.11 lost internet... i then tried reactivating my NordVPN client wasnt able to..i now lost entire internet as it usually just skips the vpn and i uually use the WAN interface... but it isnt doing that... and i cant reconnect
but if i roll back to the day before the one i started with... VPN can log in.. i switch back to what we did its like the WAN connection is blocked on the network
i have had this kinda issue 3 times out out of the entire year since jan 2018 i noticed...
if i send the config file you able to see what its blocking?
but here is the rules
-
so here you seen i grayed out all the rules.. and i created a new rule.. you see i have internet traffic but im block no internet.. yet it shows i i should be getting internet..
as you see in the gateway.. I am connected to the internet fine as i get a gateway but i have 100 percent loss... so where in rules is it blocking 100%
-
Your PPPoE is offline. Where is the traffic supposed to go?
-
ugh ill post picture.. like i said its nto offline
its up and you see 10.11.13.49 gateway monitor is 10.11.13.49
so its up but just a sec ill get you a photo
thats why i ask where else could it be blocking? -
Post the routing table from Diagnostics > Routes.
-
if i upload the config file is there an editor for you or diagnostic program to see whats wrong?
as reboots dont help
sorry takes a bit to send back pics
as i restore the few days ago config to send you the pics but load up the config file we worked on in this topic and it just glitched or something and i wanna be able to figure it out incase it has happened again.. as its happened in 2 other times last year but all i did was format and started over... but since i have bunch of stuff setup i dont wanna format.. i wanna find out what went wrong -
could it be because i use a gaming computer motherboard and non ECC ram... and while it was doing a save it saved a corrupt setting to block the internet..
as i always hear you want ECC ram for a server is it possible .. as i was looking at 1U Server supermicro but at 1200 + just to make pfsesne... my gaming computer under 500 was cheaper way -
ok found the problem well kinda...
That Floating No WAN Egress is being applied when its not supposed to be calledand i tried scrolling up but i cant see the settings you told me but this is what i have.. ...
so even though no TAG is being called on any of the rules other then the 2 for 192.168.0.11
its like the rules are calling Tag No Wan Egress by default and not when its supposed to
-
here is that default lan settings... even though the tag is blank its still calling that floating no wan egress because if i un disable no wan egress tag under floating
internet is blocked
its like its being called hidden in the background
-
here is the one ip rule that calls the tag that should only be called when vpn is down but seems to being called whenever it wants to
-
so what i found is
if i reactivate the Floating Rule No Wan EGRESS
internet works fine..but if i Do a reboot of Pfsense.. then that No Wan Egresss gets automaticlly loaded by default then blocks internet
then when i Disable Floating Rule
i get the internet backthen if i enable it internet seems to work fine and when i set to run VPN and then choose to disable VPN and restart it.. WAN is now 100% packet loss again
so i re disabled the Floating Wan Egressit seems it loads it up like a windows service without being asked to... is there another setting to set so it doesnt do that?
maybe something i didnt check off
-
Again, my suggestion is to save a backup copy of your current config and reset to defaults and start over. I really have no idea what you put where to break this and these screen captures of irrelevant data are solving nothing.
But before you do that, just put a LEGIBLE copy of /tmp/rules.debug in a chat to me please.
Diagnostics > Command Prompt
Execute
cat /tmp/rules.debugCopy / paste.
Thanks. -
ugh
well i gave you screen shots of
-Tag No Wan Egress you told me to type
-LAN Net Default of Pfsense
-NordVPN 192.168.0.11 with TAG No Wan Egressi was showing you each break down to show you that the Tag No Wan Egreess and i didnt do anything wrong..
and was showing you that No Wan Egress Tag gets loaded automaticlly not just when its supposed tobut ugh reset defaults then i gotta do all the Static Ip renamings i have too didnt wanna reset.. i wanted to fix this why
but ok ill get you the copy just a moment.. just frustrated
-
well you cant post rules its considered spam by your spam program forum.. i attached a text file of it hope it worksrules.txt
-
i didnt un gray the floating no wan egress so i dont know if that rule will show up
-
here is rules 2.. I enabled Floating No Wan Egress and re ran that debug cat thing you told me to do... hopefully you find my error as your smarter then me at this stuff
-
so 5 min after i enabled the No Wan Egreess Tag under floating options to do the rules2 for you
i lost internet to 100 percent loss
so its still loading it some how
-
What do you have set for this:
System > Advanced, Miscellaneous, Skip rules when gateway is down
Look. This stuff is extremely complicated. You really have to know exactly what you are doing to pull this kind of policy routing off. You have multiple OpenVPN clients and you want certain LAN hosts to behave one way and certain LAN hosts to behave another.
The NO_WAN_EGRESS rules I sent will not do ANYTHING to connections that do not originate from that source host.
You are refusing my suggestion of starting over from the beginning.
You are policy routing everything from LAN to the OpenVPN gateway. is gateway monitoring enabled there? Does the system even recognize the OpenVPN is down? If not, it will continue to send the traffic out the OpenVPN.
"100 percent loss" is not a trouble description. I understand you are frustrated. More details might be necessary.
-
and sorry if the screen shots are irrevelent to the settings
as i been told i have to post screen shots of the settings i do.. as you guys arent willing to watch videos... and i got blasted last year for not posting screen shots of what i was doing..was only trying to show you the settings i set... didnt mean to make it irrvelent.. to me they were relevent as its the stuff you told me to set..
sorry about that -
It would help if you followed my instructions exactly.
Derelict about 19 hours ago
Make a rule for that specific source host above the NORDVPN rules.
Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.
Add the following advanced option:
Tag: NO_WAN_EGRESS
Make a floating rule in Firewall > Rules, Floating
Action: Reject
Quick: Checked
Interface: WAN
Direction: Out
Source: Any
Destination: AnyDisplay Advanced
Tagged: NO_WAN_EGRESS
TAG on LAN
TAGGED on WANThe former SETS the tag
The latter MATCHES the tag previously set by the LAN rules. -
i get that t he No Wan Egree rule only to that
but ill make a video and prove your wrong its not doing that.. its doing it on its own cuz your not believing me..
and i didnt refuse of starting over.. i told you ok in the one reply i said i didnt wanna cuz thats alot of typing and figuring where all the settings god..
yes I got different openVPNs
so what i have is
WAN ----> Only For Game Consoles
NORDVPN USA for entire Network
NORDVPN CANADA for entire Network these 2 is when i wanna be in usa or in canada
OPENVPNSERVEr ---->> so i can Remote access my network from away from the homeand i wouldnt know if gateway monitoring enabled..
and ya the system knows when NordVPN goes down... either i get a email from my ISP my son did something bad which i told him to stop ... or my internet goes down and then im using my WAN IP address so it falls over
i only had issues because you told me i had the rules set wrong for when VPN goes down and to make sure no Internet leaking happens..
and then i find out now that the Floating rule seems to automaticlly load ...
if i disable all the rules minus that lock out rule Floating Rule No Wan Still gets loaded and 100% packet lossbut there is monitoring as there is a monitoring IP when i showed the Gateway images
but here the pics of the misc's
-
i think i found the error on floating
i put TAG NO_WAN_EGRESSnot TAGGED NO_WAN_EGRESS
guess thats the reason it automaticlly Blocks because i put NO_WAN_EGRESS under TAG
i really hate dislexia i read Tagged as Tag... ill try that
So Tag means anything on the Local Network... and TAGGED means anything going out on the internet
ill re try again thank you for being patient
-
nope didnt work
having TAG No Wan EGress for the 192.168.0.11 Under NordVPN one
and having TAGGED No Wan Eggress under Floating
just lets the 192.168.0.11 get WAN internet instead of blocked..
shouldnt the Rule be also set to TAGGED not TAG?
