Netgate Discussion Forum

    FW rule misrouting traffic with terminated OpenVPN

    OpenVPN
    • thaddeusf

      Hello,
      I’ve created two ExpressVPN interfaces that successfully connect and work:
      [screenshot]

      I’ve created firewall aliases to two internal (192.168.x.y) systems:
      [screenshot]

      I’ve created firewall rules to assign one alias per OpenVPN interface. I’ve copied the default IPv4 and IPv6 rules to block any traffic from the two aliases except the ExpressVPN interfaces:
      [screenshot]

      I’ve now had multiple incidents where OpenVPN seems to crash and the daemon fails to restart. Since the OpenVPN service is down, I would expect all traffic from the two internal systems to be blocked. However, the two systems are being sent to the default network.

      When moving my block rules to above the OpenVPN rules, the clients are blocked as expected.

      Can anyone explain how this is happening? Any suggestions in creating rules that prevent this scenario?
      Thanks

      • thaddeusf @thaddeusf

        @thaddeusf

        Additional information.

        Well, I'm at a loss. If I disable the OakTree to ExpressVPN rule in the firewall, the client has a couple of ping stallouts and then just keeps on pinging as if nothing changed. Tracing shows it is still using the ExpressVPN route.

        At this point, it feels like I have no idea how pfSense firewall rules work. Any suggestion welcome...

        • Griffo @thaddeusf

          @thaddeusf As to the last point, did you reset states?

          But mostly my question is, are you trying to configure a "kill switch" so that no traffic leaks?

          If so, there's another way. In your "gateway" rules, mark the traffic with a tag.

          Something like "No_WAN_Access"

          On the floating rules tab, create a rule

          Action: Block
          Interfaces: All
          Address Family: IPv6 & IPv4

          Source: Invert Match -> This firewall
          Destination: Any
          Tagged: No_WAN_Access

          Any traffic that matches that tag that "leaks" from the VPN will be blocked.

          • thaddeusf
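Worked example, added here by the editor and not part of Griffo's post or of any pfSense-generated output: the same tag-based kill switch written in raw pf(4) rule syntax, which is what pfSense compiles its GUI rules into. The interface names (em1 = LAN, em0 = WAN, ovpnc1 = OpenVPN client), the table name, the VPN gateway address and the LAN host address are constructed placeholders. The comments also show why block rules placed below the OpenVPN rules were bypassed: while a VPN gateway is down and "Skip rules when gateway is down" is unchecked, pfSense keeps the policy-routing pass rule but drops its route-to clause, so the traffic still matches the pass and follows the default route. One deliberate deviation from Griffo's recipe, my design choice rather than the thread's: the floating block is written as an outbound rule on the WAN interface only, with quick, so it cannot match the tagged packets as they leave on the OpenVPN interface itself and cannot be overridden by a later, non-quick pass-out rule.

```pf
# Added illustration in pf(4) syntax; placeholders are constructed, not from the thread.
#   em1 = LAN, em0 = WAN, ovpnc1 = OpenVPN client interface
#   10.8.0.1 = VPN gateway address, 192.168.1.10 = the LAN host behind the "OakTree" alias

table <OakTree> { 192.168.1.10 }

# 1. Policy-routing pass rule as it stands while the VPN gateway is UP.
#    route-to sends matching packets out ovpnc1; the tag travels with the packet
#    (and with the state it creates), so later rules can recognise it.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet proto { tcp udp icmp } \
    from <OakTree> to any tag NO_WAN_ACCESS keep state

# 2. The same rule while the gateway is DOWN and "Skip rules when gateway is down"
#    is unchecked: the route-to clause is dropped but the pass remains, so the
#    packets are accepted and follow the default route (the leak seen in the thread).
#    Shown commented out for comparison; note the tag is still applied.
# pass in quick on em1 inet proto { tcp udp icmp } \
#     from <OakTree> to any tag NO_WAN_ACCESS keep state

# 3. With the option checked, rule 1 is omitted entirely while the gateway is
#    down, so this block rule (placed below it, as in the original rule set)
#    becomes the first match for OakTree traffic.
block in quick on em1 inet from <OakTree> to any

# 4. Belt-and-braces floating rule: anything that reaches the WAN still carrying
#    the tag is dropped before any later pass-out rule can accept it.
#    "from ! (self)" is the pf equivalent of Source: Invert Match, This firewall.
block out quick on em0 inet from ! (self) to any tagged NO_WAN_ACCESS
```

When testing a change like this, reset the existing states first (as Griffo suggests), otherwise a state created while the VPN was up keeps passing traffic regardless of the new rules; `pfctl -sr | grep NO_WAN_ACCESS` confirms the tagged rules are actually loaded, and `pfctl -ss` shows which states remain.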

            Thanks Griffo. Resetting states is at least making my test consistent.

            I think the problem might be:
            System > advanced > Miscellaneous > Gateway Monitoring
            Skip rules when gateway is down.

            It appears this needs to be checked.

            Thoughts?

            • thaddeusf @Griffo

              @griffo Yes about the prevention of traffic leaks.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.