Want to Block 1IP from using Internet when VPN goes down
yes i did what you said
like i said it was working When I turned off VPN disabled it the 192.168.0.11 lost internet
but trying to reactivate it... wouldnt work
and then my entire internet was lost...
as you can see i moved Lan Net to the top so it bypass's VPN you see it says its accessing internet yet nothing on the entire network has internet... its like its disabled but only thing i changed was the adding of the policy of Float and the Tag to the specific IP address
like i said
it was working then i disabled OpenVPN Client so i could see that 192.168.0.11 lost internet... i then tried reactivating my NordVPN client wasnt able to..
i now lost entire internet as it usually just skips the vpn and i uually use the WAN interface... but it isnt doing that... and i cant reconnect
but if i roll back to the day before the one i started with... VPN can log in.. i switch back to what we did its like the WAN connection is blocked on the network
i have had this kinda issue 3 times out out of the entire year since jan 2018 i noticed...
if i send the config file you able to see what its blocking?
but here is the rules
so here you seen i grayed out all the rules.. and i created a new rule.. you see i have internet traffic but im block no internet.. yet it shows i i should be getting internet..
as you see in the gateway.. I am connected to the internet fine as i get a gateway but i have 100 percent loss... so where in rules is it blocking 100%
Your PPPoE is offline. Where is the traffic supposed to go?
ugh ill post picture.. like i said its nto offline
its up and you see 10.11.13.49 gateway monitor is 10.11.13.49
so its up but just a sec ill get you a photo
thats why i ask where else could it be blocking?
Post the routing table from Diagnostics > Routes.
if i upload the config file is there an editor for you or diagnostic program to see whats wrong?
as reboots dont help
sorry takes a bit to send back pics
as i restore the few days ago config to send you the pics but load up the config file we worked on in this topic and it just glitched or something and i wanna be able to figure it out incase it has happened again.. as its happened in 2 other times last year but all i did was format and started over... but since i have bunch of stuff setup i dont wanna format.. i wanna find out what went wrong
could it be because i use a gaming computer motherboard and non ECC ram... and while it was doing a save it saved a corrupt setting to block the internet..
as i always hear you want ECC ram for a server is it possible .. as i was looking at 1U Server supermicro but at 1200 + just to make pfsesne... my gaming computer under 500 was cheaper way
ok found the problem well kinda...
That Floating No WAN Egress is being applied when its not supposed to be called
and i tried scrolling up but i cant see the settings you told me but this is what i have.. ...
so even though no TAG is being called on any of the rules other then the 2 for 192.168.0.11
its like the rules are calling Tag No Wan Egress by default and not when its supposed to
here is that default lan settings... even though the tag is blank its still calling that floating no wan egress because if i un disable no wan egress tag under floating
internet is blocked
its like its being called hidden in the background
here is the one ip rule that calls the tag that should only be called when vpn is down but seems to being called whenever it wants to
so what i found is
if i reactivate the Floating Rule No Wan EGRESS
internet works fine..
but if i Do a reboot of Pfsense.. then that No Wan Egresss gets automaticlly loaded by default then blocks internet
then when i Disable Floating Rule
i get the internet back
then if i enable it internet seems to work fine and when i set to run VPN and then choose to disable VPN and restart it.. WAN is now 100% packet loss again
so i re disabled the Floating Wan Egress
it seems it loads it up like a windows service without being asked to... is there another setting to set so it doesnt do that?
maybe something i didnt check off
Again, my suggestion is to save a backup copy of your current config and reset to defaults and start over. I really have no idea what you put where to break this and these screen captures of irrelevant data are solving nothing.
But before you do that, just put a LEGIBLE copy of /tmp/rules.debug in a chat to me please.
Diagnostics > Command Prompt
Copy / paste.
well i gave you screen shots of
-Tag No Wan Egress you told me to type
-LAN Net Default of Pfsense
-NordVPN 192.168.0.11 with TAG No Wan Egress
i was showing you each break down to show you that the Tag No Wan Egreess and i didnt do anything wrong..
and was showing you that No Wan Egress Tag gets loaded automaticlly not just when its supposed to
but ugh reset defaults then i gotta do all the Static Ip renamings i have too didnt wanna reset.. i wanted to fix this why
but ok ill get you the copy just a moment.. just frustrated
well you cant post rules its considered spam by your spam program forum.. i attached a text file of it hope it worksrules.txt
i didnt un gray the floating no wan egress so i dont know if that rule will show up
here is rules 2.. I enabled Floating No Wan Egress and re ran that debug cat thing you told me to do... hopefully you find my error as your smarter then me at this stuff
so 5 min after i enabled the No Wan Egreess Tag under floating options to do the rules2 for you
i lost internet to 100 percent loss
so its still loading it some how
What do you have set for this:
System > Advanced, Miscellaneous, Skip rules when gateway is down
Look. This stuff is extremely complicated. You really have to know exactly what you are doing to pull this kind of policy routing off. You have multiple OpenVPN clients and you want certain LAN hosts to behave one way and certain LAN hosts to behave another.
The NO_WAN_EGRESS rules I sent will not do ANYTHING to connections that do not originate from that source host.
You are refusing my suggestion of starting over from the beginning.
You are policy routing everything from LAN to the OpenVPN gateway. is gateway monitoring enabled there? Does the system even recognize the OpenVPN is down? If not, it will continue to send the traffic out the OpenVPN.
"100 percent loss" is not a trouble description. I understand you are frustrated. More details might be necessary.
and sorry if the screen shots are irrevelent to the settings
as i been told i have to post screen shots of the settings i do.. as you guys arent willing to watch videos... and i got blasted last year for not posting screen shots of what i was doing..
was only trying to show you the settings i set... didnt mean to make it irrvelent.. to me they were relevent as its the stuff you told me to set..
sorry about that
It would help if you followed my instructions exactly.
Derelict about 19 hours ago
Make a rule for that specific source host above the NORDVPN rules.
Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.
Add the following advanced option:
Make a floating rule in Firewall > Rules, Floating
TAG on LAN
TAGGED on WAN
The former SETS the tag
The latter MATCHES the tag previously set by the LAN rules.
i get that t he No Wan Egree rule only to that
but ill make a video and prove your wrong its not doing that.. its doing it on its own cuz your not believing me..
and i didnt refuse of starting over.. i told you ok in the one reply i said i didnt wanna cuz thats alot of typing and figuring where all the settings god..
yes I got different openVPNs
so what i have is
WAN ----> Only For Game Consoles
NORDVPN USA for entire Network
NORDVPN CANADA for entire Network these 2 is when i wanna be in usa or in canada
OPENVPNSERVEr ---->> so i can Remote access my network from away from the home
and i wouldnt know if gateway monitoring enabled..
and ya the system knows when NordVPN goes down... either i get a email from my ISP my son did something bad which i told him to stop ... or my internet goes down and then im using my WAN IP address so it falls over
i only had issues because you told me i had the rules set wrong for when VPN goes down and to make sure no Internet leaking happens..
and then i find out now that the Floating rule seems to automaticlly load ...
if i disable all the rules minus that lock out rule Floating Rule No Wan Still gets loaded and 100% packet loss
but there is monitoring as there is a monitoring IP when i showed the Gateway images
but here the pics of the misc's
i think i found the error on floating
i put TAG NO_WAN_EGRESS
not TAGGED NO_WAN_EGRESS
guess thats the reason it automaticlly Blocks because i put NO_WAN_EGRESS under TAG
i really hate dislexia i read Tagged as Tag... ill try that
So Tag means anything on the Local Network... and TAGGED means anything going out on the internet
ill re try again thank you for being patient
nope didnt work
having TAG No Wan EGress for the 192.168.0.11 Under NordVPN one
and having TAGGED No Wan Eggress under Floating
just lets the 192.168.0.11 get WAN internet instead of blocked..
shouldnt the Rule be also set to TAGGED not TAG?
TAG sets the mark. You set the mark on traffic from 192.168.0.11 when it arrives on the firewall using the LAN rule.
TAGGED matches the traffic that has that mark set so you are rejecting any traffic trying to go out WAN with that tag already set. It will only be set on traffic sourced from 192.168.0.11 because that's the only source address that matches the rule that sets the tag.
You must have done it wrong again or it would be working.
NORDVPN 192.168.011 TAG No WAN EGREE
FLOATING TAGGED: NO WAN EGREE
im going to delete the rule and the float and re type it in
i frustrated i getting frustrated yes understand its not easy but stupid dislexia is kicking me too and i like pfsense better then an asus router
i appreciate the help i going to type it up again and see what happens in 30 min i need a break... wish i was in the IT field id know this program better then just only adjust when i find there a problem once a month or so.. set it and forget it kinda thing
thank you for being patient with me i really appreciate it
Don't touch anything.
Just post /tmp/rules.debug
That tells everyone everything they need to know about your rule sets.
Go to System -> Advanced -> Miscellaneous
Scroll down to: Gateway Monitoring
Make sure it look like this.
so for the gate monitoring yes my 2 are also unchecked
as for the Floating its working now.. i had disabled them then just re typed them up and the float
and it worked... also found i had to add a
another No WAN Egress for the LAN.NET when a VPN isnt enabled when i was testing it by turning it off
so this is working now.. doesnt help my dislexia i read like TAG as TAGGED so thats all working... i dont dare ask about how do i route the USA VPN to the USA one in the Rules and the CANADA VPN to the CAnada one.. instead of both going to the first rule... as i dont wanna frustrate you more with my questions..
i played with it i didnt wanna annoy you more with questions i stepped away from it a bit then re looked at it fresh eyes for setting that floating etc
so this is working now in this order... i wont trouble you with my other question i jsut mentioned because i dont want you mad at me... but here is a pic of rules its working so i not going to touch it... it works when i shut off the vpn or if it goes down
i appreciate your patience with me
If you don't want traffic from 192.168.0.11 to go out WAN at all, why are you policy routing it out WAN?
if your talking about from the picture above the 2nd from the bottom
i dont... but if i dont put that rule in there... and i turn off both VPN's
the rules skip the 2 rules below Game Consoles and goes straight to the last Line..
so i put rule just above it... and its TAG No WAN EGRESS so it blocks using WAN
figured that was better then saying Block 192.168.0.11 * * * in the rules
unless thats better then the TAG i just figured it was a better block if not ill change it
is this more proper then
I have 1 more question if you might know..
the no_wan_egreess works as long as my vpn I don't check the box "Don't Pass Routes"
if I enable it... The IP Address I have Tag NO WAN EGRESS is automatically blocked yet should be using the VPN
but I notice I need to check Don't Pass Routes to get my XBOX to work bypass VPN
do you know how to get get the rule to work for the VPN and TAG No Wan Egress when you check "Don't Pass Routes"
and should I be using that check box or not... whats the difference I tried googling info but I didn't find info
if you have a link that explains the 2 be good too
but I figured I ask you about that since your very smart at this stuff
so having the check mark Dont Pass Routes... still leaks dns yet i dont see it...
i get email from my isp i done suspicious things but i didnt
i run www.dnsleaktest.com on the 192.168.0.11 and it shows 1 server my NordVPN
yet it must be leaking
is there another program that runs on windows that securly checks this stuff?
as this No Wan Egress isnt working
least it seems to work only when "DO Not Pull Routes" is not Checked.
when its checked it seems to leak or not work right
is there a way to test this and i read some articles you want Do Not Pull Routes other times you do .. how do you know when
I'm not sure that people appreciate how complicated what you are trying to do is.
sorry then ill figure out myself
didnt think it was complicated for you guys just for me
cuz i guess it works fine if Do not pull routes... yet XBOX doesnt work for OPen Nat
and when i do check off pull routes No WAN Gress does not kick in instantly like it does when "do not pull routes " is not checked... and Xbox Works Open Nat
very sorry for troubling you guys then.. i wont ask again
have a good weekend
It's not complicated for me. It would just take me three hours I don't have to explain it to you.
You need to understand:
- Policy routing and what it is and is not
- The routing table and what it is and is not
- What Don't pull routes actually does with your chosen VPN provider
- How DNS actually works
- How connections originating from the firewall itself apply in all of the above
- How tagging and matching tagged in pf works
I suggest watching https://www.youtube.com/watch?v=lp3mtR4j3Lw
Think you forget the 0 on your 3 there Derelict... Your 4 days in already.. ;)
This is clearly simple facebook sort of post -- suggest you get your help over there since you don't seem to want to take Derelicts ;) Sure they help you out in couple of mins..