Cannot override pass out route-to rule
  • I want to filter traffic so when the VPN is down, none goes out. However, I cannot even stop traffic from going out when the VPN is on. Rules:
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em0 192.168.1.254) inet from 192.168.1.82 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (ovpnc6 10.8.8.1) inet from 10.8.8.8 to ! 10.8.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em1 proto tcp from any to (em1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on em1 proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    block drop quick on em0 inet all label "USER_RULE: No Non-VPN WAN Egress"
    block drop quick on em0 inet6 all label "USER_RULE: No Non-VPN WAN Egress"

    This should shut down all outbound traffic on the WAN (inbound also in this case). Yes traffic flows through the VPN.
    What am I doing wrong?



  • @wtw TYPO: Yet traffic flows through the VPN.



  • @wtw Regarding the Firewall settings listed. The last 2 are for a Floating block rule with quick apply for any source or destination IP and protocol for both in and out bound on the WAN. This should block everything, right? It does not block VPN traffic. I am accessing this website with that rule being active on the router right now. I cannot determine that it is blocking any traffic.
    Any suggestions or insight will be appreciated. Thanks.



  • Restarted the router (pfSense) and the rule started working (without other changes).
    Now have Firewall Rules that do not allow outbound traffic without the VPN running, with the exception of the DNSSEC provider IP addresses (pinholes; port 853 only) and the VPN server URL (pinhole; port 1194 only). Can restart pfSense and the VPN comes up running. Turn off the VPN, no external traffic. Yea!

    The problem appears to have been a long running pfSense instance.

    The moral of this story is: When in doubt, reboot!

    How do I mark this resolved?
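Added example, not code from the thread or from pfSense: a small POSIX sh emulator of pf's rule-matching order for one new connection, run over a constructed subset of the ruleset posted above. It models only action, direction, interface, "quick" and last-match-wins; addresses, ports and the anchor line are ignored, so it checks rule order, not a full pf evaluation.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal emulator of
# pf's rule-matching order for ONE NEW connection, run over a constructed
# subset of the posted ruleset. Modelled semantics: rules are evaluated
# top to bottom, the LAST matching rule decides, except that a matching
# rule carrying "quick" ends evaluation immediately. Only action,
# direction and interface are matched; addresses, ports and "anchor"
# lines are ignored, so this checks rule order, not a full pf evaluation.
RULES='pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out route-to (em0 192.168.1.254) inet from 192.168.1.82 to ! 192.168.1.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (ovpnc6 10.8.8.1) inet from 10.8.8.8 to ! 10.8.8.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 proto tcp from any to (em1) port = ssh flags S/SA keep state label "anti-lockout rule"
anchor "userrules/*" all
block drop quick on em0 inet all label "USER_RULE: No Non-VPN WAN Egress"'

# egress_decision DIRECTION INTERFACE -> prints "pass" or "block".
# Nothing matching is reported as "pass", because the posted ruleset has
# no catch-all block ahead of these rules.
egress_decision() {
    dir=$1; ifc=$2; decision=pass
    while IFS= read -r rule; do
        rule=${rule%% label *}          # drop the label text before matching
        act=${rule%% *}                 # first word: pass / block / anchor
        case $act in pass|block) ;; *) continue ;; esac
        case " $rule " in               # direction of the rule, if stated
            *" in "*)  rdir=in ;;
            *" out "*) rdir=out ;;
            *)         rdir=any ;;
        esac
        [ "$rdir" = any ] || [ "$rdir" = "$dir" ] || continue
        case " $rule " in               # interface clause, if stated
            *" on $ifc "*) ;;           # explicit match
            *" on "*) continue ;;       # bound to another interface
            *) ;;                       # floating: matches any interface
        esac
        decision=$act                   # last match wins ...
        case " $rule " in *" quick "*) break ;; esac   # ... unless quick
    done <<EOF
$RULES
EOF
    printf '%s\n' "$decision"
}

egress_decision out em0      # block (the floating quick block rule wins)
egress_decision out ovpnc6   # pass  (no block rule on the VPN interface)
egress_decision in em1       # pass  (anti-lockout rule, quick)
```

This models only rule evaluation for a new connection; pf consults the state table before the ruleset, so connections whose state existed before the block rule was loaded keep passing until the state expires or is flushed (pfctl -F states), which a reboot also clears.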