Want to block 1 IP from using Internet when VPN goes down



  • Yes, I did what you said.
    Like I said, it was working. When I turned off the VPN (disabled it), 192.168.0.11 lost internet,
    but trying to reactivate it... wouldn't work,
    and then my entire internet was lost...
    As you can see I moved LAN net to the top so it bypasses VPN. You see it says it's accessing internet, yet nothing on the entire network has internet... it's like it's disabled, but the only thing I changed was adding the Float policy and the tag to the specific IP address.

    Like I said,
    it was working, then I disabled the OpenVPN client so I could see that 192.168.0.11 lost internet... I then tried reactivating my NordVPN client and wasn't able to..

    I now lost the entire internet, as it usually just skips the VPN and I usually use the WAN interface... but it isn't doing that... and I can't reconnect.

    But if I roll back to the day before the one I started with... VPN can log in.. I switch back to what we did and it's like the WAN connection is blocked on the network.
    I have had this kind of issue 3 times out of the entire year since Jan 2018, I noticed...
    If I send the config file are you able to see what it's blocking?
    But here are the rules.

    [attached screenshots: no internet2.JPG, no internet1.JPG]



  • So here you see I grayed out all the rules.. and I created a new rule.. you see I have internet traffic but I'm blocked, no internet.. yet it shows I should be getting internet..

    As you see in the gateway.. I am connected to the internet fine as I get a gateway, but I have 100 percent loss... so where in the rules is it blocking 100%?
    [attached screenshots: no internet4.JPG, no internet3.JPG]


  • LAYER 8 Netgate

    Your PPPoE is offline. Where is the traffic supposed to go?



  • Ugh, I'll post a picture.. like I said it's not offline.
    It's up and you see 10.11.13.49, gateway monitor is 10.11.13.49,
    so it's up, but just a sec, I'll get you a photo.
    That's why I ask where else could it be blocking?


  • LAYER 8 Netgate

    Post the routing table from Diagnostics > Routes.



  • If I upload the config file is there an editor for you or a diagnostic program to see what's wrong?
    As reboots don't help.
    [attached screenshots: no internet7.JPG, no internet6.JPG, no internet5.JPG]

    Sorry, takes a bit to send back pics,
    as I restored the config from a few days ago to send you the pics, but load up the config file we worked on in this topic and it just glitched or something, and I wanna be able to figure it out in case it happens again.. as it's happened 2 other times last year but all I did was format and start over... but since I have a bunch of stuff set up I don't wanna format.. I wanna find out what went wrong.



  • Could it be because I use a gaming computer motherboard and non-ECC RAM... and while it was doing a save it saved a corrupt setting to block the internet..
    As I always hear you want ECC RAM for a server, is it possible.. as I was looking at a 1U Supermicro server, but at 1200+ just to make pfSense... my gaming computer under 500 was the cheaper way.



  • OK, found the problem, well kinda...
    That Floating No WAN Egress is being applied when it's not supposed to be called.

    And I tried scrolling up but I can't see the settings you told me, but this is what I have.. ...

    So even though no TAG is being called on any of the rules other than the 2 for 192.168.0.11,

    it's like the rules are calling Tag No WAN Egress by default and not when it's supposed to.

    [attached screenshots: floating 3.JPG, floating 2.JPG, Floating 1.JPG]



  • Here are the default LAN settings... even though the tag is blank it's still calling that floating No WAN Egress, because if I un-disable the No WAN Egress tag under floating,
    internet is blocked.
    It's like it's being called hidden in the background.
    [attached screenshots: lannet1.JPG, lannet2.JPG, lannet3.JPG]



  • Here is the one IP rule that calls the tag that should only be called when VPN is down, but seems to be called whenever it wants to.
    [attached screenshot: block1.JPG]



  • So what I found is:
    if I reactivate the Floating Rule No WAN EGRESS,
    internet works fine..

    but if I do a reboot of pfSense.. then that No WAN Egress gets automatically loaded by default, then blocks internet.

    Then when I disable the Floating Rule
    I get the internet back.

    Then if I enable it, internet seems to work fine, and when I set it to run VPN and then choose to disable VPN and restart it.. WAN is now 100% packet loss again,
    so I re-disabled the Floating WAN Egress.

    It seems it loads it up like a Windows service without being asked to... is there another setting to set so it doesn't do that?

    Maybe something I didn't check off.


  • LAYER 8 Netgate

    Again, my suggestion is to save a backup copy of your current config and reset to defaults and start over. I really have no idea what you put where to break this and these screen captures of irrelevant data are solving nothing.

    But before you do that, just put a LEGIBLE copy of /tmp/rules.debug in a chat to me please.

    Diagnostics > Command Prompt

    Execute cat /tmp/rules.debug

    Copy / paste.
    Thanks.



  • Ugh.
    Well, I gave you screenshots of
    - Tag No WAN Egress you told me to type
    - LAN Net default of pfSense
    - NordVPN 192.168.0.11 with TAG No WAN Egress

    I was showing you each breakdown to show you the Tag No WAN Egress and that I didn't do anything wrong..
    and was showing you that the No WAN Egress tag gets loaded automatically, not just when it's supposed to.

    But ugh, reset defaults, then I gotta do all the static IP renamings I have too, didn't wanna reset.. I wanted to fix this, that's why.

    But OK, I'll get you the copy, just a moment.. just frustrated.



  • Well, you can't post rules, it's considered spam by your forum's spam program.. I attached a text file of it, hope it works.
    [attached: rules.txt]



  • I didn't un-gray the floating No WAN Egress so I don't know if that rule will show up.



  • Here is rules 2.. I enabled Floating No WAN Egress and re-ran that debug cat thing you told me to do... hopefully you find my error as you're smarter than me at this stuff.

    [attached: rules2.txt]



  • So 5 min after I enabled the No WAN Egress tag under floating options to do the rules2 for you

    I lost internet to 100 percent loss,

    so it's still loading it somehow.


  • LAYER 8 Netgate

    What do you have set for this:

    System > Advanced, Miscellaneous, Skip rules when gateway is down

    Look. This stuff is extremely complicated. You really have to know exactly what you are doing to pull this kind of policy routing off. You have multiple OpenVPN clients and you want certain LAN hosts to behave one way and certain LAN hosts to behave another.

    The NO_WAN_EGRESS rules I sent will not do ANYTHING to connections that do not originate from that source host.

    You are refusing my suggestion of starting over from the beginning.

    You are policy routing everything from LAN to the OpenVPN gateway. Is gateway monitoring enabled there? Does the system even recognize the OpenVPN is down? If not, it will continue to send the traffic out the OpenVPN.

    "100 percent loss" is not a trouble description. I understand you are frustrated. More details might be necessary.



  • And sorry if the screenshots are irrelevant to the settings,
    as I've been told I have to post screenshots of the settings I do.. as you guys aren't willing to watch videos... and I got blasted last year for not posting screenshots of what I was doing..

    Was only trying to show you the settings I set... didn't mean to make it irrelevant.. to me they were relevant as it's the stuff you told me to set..
    Sorry about that.


  • LAYER 8 Netgate

    It would help if you followed my instructions exactly.

    Derelict about 19 hours ago

    Make a rule for that specific source host above the NORDVPN rules.

    Make it just like the other rule, but with a source of that host address instead of LAN net, policy routing to NORDVPN.

    Add the following advanced option:

    Tag: NO_WAN_EGRESS

    Make a floating rule in Firewall > Rules, Floating

    Action: Reject
    Quick: Checked
    Interface: WAN
    Direction: Out
    Source: Any
    Destination: Any

    Display Advanced

    Tagged: NO_WAN_EGRESS

    TAG on LAN
    TAGGED on WAN

    The former SETS the tag
    The latter MATCHES the tag previously set by the LAN rules.



  • I get that the No WAN Egress rule only applies to that,

    but I'll make a video and prove you're wrong, it's not doing that.. it's doing it on its own, cuz you're not believing me..

    And I didn't refuse starting over.. I told you OK, in the one reply I said I didn't wanna cuz that's a lot of typing and figuring out where all the settings go..

    Yes, I got different OpenVPNs.

    So what I have is:
    WAN ----> Only for game consoles
    NORDVPN USA for entire network
    NORDVPN CANADA for entire network (these 2 are for when I wanna be in USA or in Canada)
    OPENVPN SERVER ---->> so I can remote access my network from away from home

    And I wouldn't know if gateway monitoring is enabled..

    And ya, the system knows when NordVPN goes down... either I get an email from my ISP that my son did something bad, which I told him to stop... or my internet goes down and then I'm using my WAN IP address, so it falls over.

    I only had issues because you told me I had the rules set wrong for when VPN goes down and to make sure no internet leaking happens..

    And then I find out now that the floating rule seems to automatically load...
    If I disable all the rules minus that lockout rule, Floating Rule No WAN still gets loaded and 100% packet loss.

    But there is monitoring, as there is a monitoring IP when I showed the gateway images.

    But here are the pics of the misc's.
    [attached screenshots: monitor3.JPG, monitor2.JPG, monitor1.JPG]



  • I think I found the error on floating.
    I put TAG NO_WAN_EGRESS,

    not TAGGED NO_WAN_EGRESS.

    Guess that's the reason it automatically blocks, because I put NO_WAN_EGRESS under TAG.

    I really hate dyslexia, I read Tagged as Tag... I'll try that.

    So Tag means anything on the local network... and TAGGED means anything going out on the internet.

    I'll retry again, thank you for being patient.



  • Nope, didn't work.

    Having TAG No WAN Egress for the 192.168.0.11 under the NordVPN one

    and having TAGGED No WAN Egress under Floating

    just lets 192.168.0.11 get WAN internet instead of being blocked..

    Shouldn't the rule also be set to TAGGED, not TAG?


  • LAYER 8 Netgate

    No.

    TAG sets the mark. You set the mark on traffic from 192.168.0.11 when it arrives on the firewall using the LAN rule.

    TAGGED matches the traffic that has that mark set so you are rejecting any traffic trying to go out WAN with that tag already set. It will only be set on traffic sourced from 192.168.0.11 because that's the only source address that matches the rule that sets the tag.

    You must have done it wrong again or it would be working.
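    To make the TAG/TAGGED distinction above concrete, here is an added example that is not from this thread and not pfSense code: a small Python model of how pf evaluates `tag` and `tagged` on rules written in the shape of /tmp/rules.debug. It covers the rule set Derelict describes (the LAN rule sets the mark, the floating rule on WAN out matches it) and the mistake the poster found earlier of putting NO_WAN_EGRESS under TAG on the floating rule. The interface names LAN and WAN, the gateway name NORDVPN, the 192.168.0.0/24 LAN and the second host 192.168.0.50 are assumptions; 192.168.0.11 is the host from the thread. It also assumes pfSense's default behaviour of loading a rule without its gateway while that gateway is down ("Skip rules when gateway is down" unchecked), so traffic falls back to the default route out WAN.

```python
"""Toy model of pf 'tag' / 'tagged' matching on rules written in the shape of
pfSense's /tmp/rules.debug.  Added example, not pfSense code.  Interface names
(LAN, WAN), the gateway name NORDVPN, the 192.168.0.0/24 LAN and the host
192.168.0.50 are assumptions; 192.168.0.11 is the host from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Rule set Derelict describes: the LAN rule SETS the mark (tag), the floating
# rule on WAN out MATCHES it (tagged).  Constructed, not copied from rules.debug.
RULES_CORRECT = """
block return out quick on WAN from any to any tagged NO_WAN_EGRESS
pass in quick on LAN from 192.168.0.11 to any route-to NORDVPN tag NO_WAN_EGRESS
pass in quick on LAN from 192.168.0.0/24 to any route-to NORDVPN
"""

# The mistake described in the thread: the floating rule was given TAG instead
# of TAGGED, so it has no tagged condition and matches everything leaving WAN.
RULES_WRONG = RULES_CORRECT.replace("to any tagged NO_WAN_EGRESS", "to any tag NO_WAN_EGRESS")

@dataclass
class Rule:
    action: str                     # "pass" or "block" ("block return" = pfSense Reject)
    direction: str                  # "in" or "out"
    iface: str
    quick: bool
    src: ipaddress.IPv4Network
    route_to: Optional[str] = None  # policy-routing gateway
    tag: Optional[str] = None       # TAG: mark packets that match this rule
    tagged: Optional[str] = None    # TAGGED: match only packets already carrying this mark

def parse_rules(text: str) -> List[Rule]:
    """Parse the small pf subset used above (direction, quick, on, from/to, route-to, tag, tagged)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("#"):
            continue
        i = 0
        action = t[i]; i += 1
        if t[i] == "return":
            i += 1
        direction = t[i]; i += 1
        quick = t[i] == "quick"
        if quick:
            i += 1
        if t[i] != "on" or t[i + 2] != "from" or t[i + 4] != "to":
            raise ValueError("unsupported rule: " + line)
        iface, src = t[i + 1], t[i + 3]
        i += 6                       # skip "on IF from SRC to DST"; DST is always "any" here
        rule = Rule(action, direction, iface, quick,
                    ipaddress.ip_network("0.0.0.0/0" if src == "any" else src))
        while i < len(t):
            key, val = t[i], t[i + 1]
            i += 2
            if key == "route-to":
                rule.route_to = val
            elif key == "tag":
                rule.tag = val
            elif key == "tagged":
                rule.tagged = val
            else:
                raise ValueError("unsupported option: " + key)
        rules.append(rule)
    return rules

@dataclass
class Packet:
    src: ipaddress.IPv4Address
    tag: Optional[str] = None       # the mark travels with the packet/state across interfaces

def evaluate(rules: List[Rule], pkt: Packet, direction: str, iface: str) -> Optional[Rule]:
    """pf semantics: the last matching rule wins unless a matching rule says quick."""
    winner = None
    for r in rules:
        if r.direction != direction or r.iface != iface or pkt.src not in r.src:
            continue
        if r.tagged is not None and pkt.tag != r.tagged:
            continue                 # TAGGED only matches packets already marked
        winner = r
        if r.quick:
            break
    if winner is not None and winner.tag is not None:
        pkt.tag = winner.tag         # TAG sets the mark
    return winner

def egress(rules_text: str, src_ip: str, vpn_up: bool) -> str:
    """Where a new connection from src_ip leaves the firewall: the gateway name, 'WAN', or a rejection."""
    rules = parse_rules(rules_text)
    pkt = Packet(ipaddress.ip_address(src_ip))
    lan = evaluate(rules, pkt, "in", "LAN")
    if lan is None or lan.action == "block":
        return "blocked on LAN"
    if lan.route_to and vpn_up:
        return lan.route_to          # policy routed out the VPN; the WAN out rules never see it
    # Gateway down: by default pfSense loads the rule without its gateway ("Skip rules
    # when gateway is down" unchecked), so the packet follows the default route out WAN.
    out = evaluate(rules, pkt, "out", "WAN")
    if out is not None and out.action == "block":
        return "rejected on WAN"
    return "WAN"

if __name__ == "__main__":
    for label, rules in (("correct", RULES_CORRECT), ("TAG on floating rule", RULES_WRONG)):
        for host in ("192.168.0.11", "192.168.0.50"):
            for up in (True, False):
                print(f"{label:22} {host:13} VPN {'up  ' if up else 'down'} -> {egress(rules, host, up)}")
```

    Running it prints one line per host and VPN state. With the correct rule set only 192.168.0.11 is rejected, and only once the VPN is down and its traffic tries to leave WAN; every other host falls back to WAN untouched, because nothing ever marked it. With TAG instead of TAGGED on the floating rule there is no condition left on it, so any traffic leaving WAN is rejected, which is exactly the "it loads by itself" symptom from earlier in the thread. The fallback branch also shows why Derelict asks about gateway monitoring: the model only drops the route-to when it is told the VPN is down, and pfSense likewise needs the gateway marked down before it rebuilds the rule that way.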



  • NORDVPN 192.168.0.11 TAG No WAN EGRESS
    [attached screenshots: nordvpn1.JPG, float rule1.JPG]

    FLOATING TAGGED: NO WAN EGRESS
    [attached screenshots: floatA.JPG, floatb.JPG]

    I'm going to delete the rule and the float and retype it in.

    I'm frustrated, I'm getting frustrated, yes I understand it's not easy but stupid dyslexia is kicking me too, and I like pfSense better than an Asus router.

    I appreciate the help, I'm going to type it up again and see what happens in 30 min, I need a break... wish I was in the IT field, I'd know this program better than just only adjusting when I find there's a problem once a month or so.. set it and forget it kinda thing.

    Thank you for being patient with me, I really appreciate it.


  • LAYER 8 Netgate

    Don't touch anything.

    Just post /tmp/rules.debug

    That tells everyone everything they need to know about your rule sets.



  • Hi.
    Go to System -> Advanced -> Miscellaneous
    Scroll down to: Gateway Monitoring
    Make sure it looks like this.
    [attached screenshot: b206be68-8338-434d-9061-8248c772cf02-image.png]



  • So for the gateway monitoring, yes, my 2 are also unchecked.

    As for the Floating, it's working now.. I had disabled them, then just retyped them up and the float
    and it worked... also found I had to add
    another No WAN Egress for the LAN net for when a VPN isn't enabled, when I was testing it by turning it off.
    So this is working now.. doesn't help my dyslexia, I read like TAG as TAGGED, so that's all working... I don't dare ask about how do I route the USA VPN to the USA one in the rules and the CANADA VPN to the Canada one.. instead of both going to the first rule... as I don't wanna frustrate you more with my questions..

    I played with it, I didn't wanna annoy you more with questions, I stepped away from it a bit then re-looked at it with fresh eyes for setting that floating etc.

    So this is working now in this order... I won't trouble you with my other question I just mentioned because I don't want you mad at me... but here is a pic of the rules, it's working so I'm not going to touch it... it works when I shut off the VPN or if it goes down.
    I appreciate your patience with me.
    [attached screenshot: rules1.JPG]


  • LAYER 8 Netgate

    If you don't want traffic from 192.168.0.11 to go out WAN at all, why are you policy routing it out WAN?



  • If you're talking about, from the picture above, the 2nd from the bottom,
    I don't... but if I don't put that rule in there... and I turn off both VPNs,
    the rules skip the 2 rules below Game Consoles and go straight to the last line..

    So I put the rule just above it... and it's TAG No WAN EGRESS so it blocks using WAN.



  • Figured that was better than saying Block 192.168.0.11 * * * in the rules,
    unless that's better than the TAG. I just figured it was a better block, if not I'll change it.



  • Is this more proper then?
    [attached screenshot: block wan.JPG]



  • @Derelict
    I have 1 more question if you might know..
    The no_wan_egress works as long as on my VPN I don't check the box "Don't Pass Routes".
    If I enable it... the IP address I have Tag NO WAN EGRESS on is automatically blocked, yet should be using the VPN.

    But I notice I need to check Don't Pass Routes to get my XBOX to work bypassing VPN.

    Do you know how to get the rule to work for the VPN and TAG No WAN Egress when you check "Don't Pass Routes"?

    And should I be using that checkbox or not... what's the difference? I tried googling info but I didn't find info.
    If you have a link that explains the 2 that'd be good too.

    But I figured I'd ask you about that since you're very smart at this stuff.



  • So having the checkmark Don't Pass Routes... still leaks DNS, yet I don't see it...

    I get email from my ISP that I've done suspicious things, but I didn't.
    I run www.dnsleaktest.com on the 192.168.0.11 and it shows 1 server, my NordVPN,
    yet it must be leaking.

    Is there another program that runs on Windows that securely checks this stuff?
    As this No WAN Egress isn't working,
    least it seems to work only when "Do Not Pull Routes" is not checked.
    When it's checked it seems to leak or not work right.

    Is there a way to test this? And I read some articles, you want Do Not Pull Routes, other times you do.. how do you know when?


  • LAYER 8 Netgate

    I'm not sure that people appreciate how complicated what you are trying to do is.



  • Sorry then, I'll figure it out myself.

    Didn't think it was complicated for you guys, just for me,
    cuz I guess it works fine if Do Not Pull Routes... yet XBOX doesn't work for Open NAT,
    and when I do check off pull routes No WAN Egress does not kick in instantly like it does when "do not pull routes" is not checked... and Xbox works Open NAT.

    Very sorry for troubling you guys then.. I won't ask again.

    Have a good weekend.


  • LAYER 8 Netgate

    It's not complicated for me. It would just take me three hours I don't have to explain it to you.

    You need to understand:

    • Policy routing and what it is and is not
    • The routing table and what it is and is not
    • What Don't pull routes actually does with your chosen VPN provider
    • How DNS actually works
    • How connections originating from the firewall itself apply in all of the above
    • How tagging and matching tagged in pf works

    I suggest watching https://www.youtube.com/watch?v=lp3mtR4j3Lw


  • LAYER 8 Global Moderator

    Think you forgot the 0 on your 3 there Derelict... You're 4 days in already.. ;)

    This is clearly a simple Facebook sort of post -- suggest you get your help over there since you don't seem to want to take Derelict's ;) Sure they'll help you out in a couple of mins..

