    Netgate Discussion Forum
    FW rule misrouting traffic with terminated OpenVPN

    OpenVPN
    thaddeusf:

      Hello,
      I’ve created two ExpressVPN interfaces that successfully connect and work:
      [screenshot]

      I’ve created firewall aliases to two internal (192.168.x.y) systems:
      [screenshot]

      I’ve created firewall rules to assign one alias per OpenVPN interface. I’ve copied the default IPv4 and IPv6 rules to block any traffic from the two aliases except the ExpressVPN interfaces:
      [screenshot]

      I’ve now had multiple incidents where OpenVPN seems to crash and the daemon fails to restart. Since the OpenVPN service is down, I would expect all traffic from the two internal systems to be blocked. However, the two systems are being sent to the default network.

      When moving my block rules to above the OpenVPN rules, the clients are blocked as expected.

      Can anyone explain how this is happening? Any suggestions in creating rules that prevent this scenario?
      Thanks

        thaddeusf:

        @thaddeusf

        Additional information.

        Well, I'm at a loss. If I disable the OakTree to ExpressVPN rule in the firewall, the client has a couple of ping stallouts and then just keeps on pinging as if nothing changed. Tracing shows it is still using the ExpressVPN route.

        At this point, it feels like I have no idea how pfSense firewall rules work. Any suggestion welcome...

          Griffo:

          @thaddeusf As to the last point, did you reset states?

          But mostly my question is, are you trying to configure a "kill switch" so that no traffic leaks?

          If so, there's another way. In your "gateway" rules, mark the traffic with a tag.

          Something like "No_WAN_Access"

          On the floating rules tab, create a rule

          Action: Block
          Interfaces: All
          Address Family: IPv6 & IPv4

          Source: Invert Match -> This firewall
          Destination: Any
          Tagged: No_WAN_Access

          Any traffic that matches that tag that "leaks" from the VPN will be blocked.

            thaddeusf:

            Thanks Griffo. Resetting states is at least making my test consistent.

            I think the problem might be:
            System > advanced > Miscellaneous > Gateway Monitoring
            Skip rules when gateway is down.

            It appears this needs to be checked.

            Thoughts?

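A toy model of the rule evaluation discussed in this thread, added here as an illustration; it is not pf, not pfSense code, and not from any of the posters. It encodes the pfSense behaviour behind the "Skip rules when gateway is down" setting: by default a rule whose gateway is down is still loaded, only with its gateway dropped, so it keeps passing the traffic via the default route; with the setting enabled the rule is left out entirely and the next matching rule, here the copied block rule, applies. It also models Griffo's tag approach, with the floating block assumed to be marked Quick and restricted to outbound WAN rather than all interfaces. The host address, gateway names, interface names and tag are made up, and pf state tracking is ignored.

```python
"""Toy model of how pfSense evaluates the rules discussed in this thread.

Constructed example, not pf and not pfSense code. It models three things:
first-match evaluation of the rules on the LAN tab, pfSense's documented
gateway-down handling (a rule whose gateway is down is loaded WITHOUT its
gateway unless "Skip rules when gateway is down" is set, in which case the
whole rule is omitted), and a tag-based floating block on WAN egress.
States are ignored; the host, gateway names, interfaces and tag are made up.
"""
from dataclasses import dataclass, replace
from typing import Optional

SELF = "firewall"  # stands in for the "This firewall (self)" source choice


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    iface: str = "lan"             # "lan", "wan" or "any" (floating)
    direction: str = "in"          # "in", "out" or "any"
    src: Optional[str] = None      # None = any source
    src_invert: bool = False       # match everything EXCEPT src
    gateway: Optional[str] = None  # policy-routing gateway, None = default route
    tag: Optional[str] = None      # tag stamped on matching traffic
    tagged: Optional[str] = None   # match only traffic carrying this tag


@dataclass(frozen=True)
class Gateways:
    status: dict   # gateway name -> "online" or "down"
    egress: dict   # gateway name -> interface traffic leaves on
    default: str   # gateway used when a rule names none


def load_rules(rules, gws, skip_when_down):
    """Apply gateway-down handling at rule-load time, as pfSense does."""
    loaded = []
    for r in rules:
        if r.gateway is not None and gws.status.get(r.gateway) != "online":
            if skip_when_down:
                continue                  # whole rule omitted from the ruleset
            r = replace(r, gateway=None)  # rule kept, gateway dropped (default)
        loaded.append(r)
    return loaded


def matches(r, iface, direction, src, tag):
    if r.iface not in (iface, "any") or r.direction not in (direction, "any"):
        return False
    if r.src is not None and (src == r.src) == r.src_invert:
        return False
    if r.tagged is not None and r.tagged != tag:
        return False
    return True


def first_match(rules, iface, direction, src, tag=None):
    return next((r for r in rules if matches(r, iface, direction, src, tag)), None)


def forward(src, lan_rules, floating_rules, gws, skip_when_down=False):
    """Return the interface a LAN packet leaves on, or 'blocked'.

    Floating rules are loaded ahead of interface rules and are assumed to be
    marked Quick, so the first match wins at each evaluation point.
    """
    rules = load_rules(floating_rules + lan_rules, gws, skip_when_down)

    # 1. Inbound on LAN: policy routing and the tag are decided here.
    r = first_match(rules, "lan", "in", src)
    if r is None or r.action == "block":   # no match = implicit default deny
        return "blocked"
    egress = gws.egress[r.gateway if r.gateway else gws.default]

    # 2. Outbound on the chosen egress interface: only floating rules apply.
    hit = first_match(rules, egress, "out", src, tag=r.tag)
    if hit is not None and hit.action == "block":
        return "blocked"
    return egress


HOST = "192.168.1.10"  # made-up LAN host standing in for the alias member


def gateways(vpn_status):
    return Gateways(status={"EXPRESSVPN_GW": vpn_status, "WAN_GW": "online"},
                    egress={"EXPRESSVPN_GW": "ovpnc1", "WAN_GW": "wan"},
                    default="WAN_GW")


# The original poster's LAN tab: pass-via-VPN first, then the copied block rule.
OP_RULES = [Rule("pass", src=HOST, gateway="EXPRESSVPN_GW"),
            Rule("block", src=HOST)]

# Griffo's variant: tag the policy-routed traffic, then block anything tagged
# that tries to leave WAN (floating, Quick, source = not this firewall).
TAGGED_RULES = [Rule("pass", src=HOST, gateway="EXPRESSVPN_GW", tag="NO_WAN_ACCESS"),
                Rule("block", src=HOST)]
KILL_SWITCH = [Rule("block", iface="wan", direction="out", src=SELF,
                    src_invert=True, tagged="NO_WAN_ACCESS")]


def scenario(lan_rules, floating_rules, vpn_status, skip_when_down):
    return forward(HOST, lan_rules, floating_rules, gateways(vpn_status), skip_when_down)


if __name__ == "__main__":
    print("VPN up, OP rules:           ", scenario(OP_RULES, [], "online", False))
    print("VPN down, default handling: ", scenario(OP_RULES, [], "down", False))
    print("VPN down, skip rules:       ", scenario(OP_RULES, [], "down", True))
    print("VPN down, tag kill switch:  ", scenario(TAGGED_RULES, KILL_SWITCH, "down", False))
```

Run it as-is to see the four verdicts side by side: the second line is the leak the opening post describes (the pass rule survives without its gateway and the traffic takes the default route), and the block-first ordering the poster tried can be reproduced with `scenario(OP_RULES[::-1], [], "online", False)`, which blocks the host even while the VPN is up.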
              thaddeusf:

              @griffo Yes about the prevention of traffic leaks.

              © 2021 Rubicon Communications, LLC