Prevent traffic leaving default gateway when rule gateway is down

Woodsomeister

Hello,

i would like to force all internet traffic (destination !192.168.0.0/16,!172.16.0.0/12,10.0.0.0/8) through an OpenVPN gateway. For this purpose I use the policy based routing on rule basis and have set the appropriate OpenVPN gateway if the rule matches.

The problem I have now is that if the OpenVPN connection is aborted or briefly unavailable, the traffic of the rule is sent over the default gateway (i.e. WAN). This must not happen. Is there any way I can prevent this?

I've already tried to write an outgoing floating rule which should block everything on WAN with the source address range (10.10.10.0/24) from which normally everything should be sent over the OpenVPN gateway. But this does not work (I guess because of NAT on the WAN interface).

What else can I try?

heper

try this: https://docs.netgate.com/pfsense/en/latest/book/config/advanced-firewall-nat.html#disable-negate-rules

Woodsomeister

@heper Unfortunately this does not change the forwarding via the default gateway if the OpenVPN tunnel is not established.

heper

have you reloaded the ruleset after making the change?
if you post your rule-set then someone might have an insight

NogBadTheBad

Search the forum for NO_WAN_EGRESS

Bob.Dig

VPN-Killswitch

Woodsomeister

@Bob-Dig This solution worked also for me. Thank you!