Netgate Discussion Forum

    Kill switch

    General pfSense Questions
    7 Posts 2 Posters 874 Views
    lcbbcl

      Hello, I need some help understanding why my setup for a kill switch is not working.
      All the resources I found talk about creating a floating rule with a tag.
      One station needs to always use my WG connection.
      I made a LAN rule only for that IP, I selected the WG gateway and I tag the packets.
      I also made a floating rule rejecting connections to WAN based on the tag, but for some reason, if my WireGuard goes down, after a few seconds I get out using my WAN gateway.
      LAN rule: (screenshot LAN.png)
      Floating rule: (screenshot Floating.png)
      Thank you.

      mcury @lcbbcl

        Try like this:

        LAN:
        1st rule: allow VPS to any - VPN gateway
        2nd rule: allow VPN to any - WAN_PPPOE or default if this is the default gateway - tag noegress

        Floating rule:
        Reject: Interface WAN_PPPOE - Quick - Direction out - tagged noegress

        dead on arrival, nowhere to be found.

        lcbbcl @mcury

          @mcury said in Kill switch:

          Try like this:

          LAN:
          1st rule: allow VPS to any - VPN gateway
          2nd rule: allow VPN to any - WAN_PPPOE or default if this is the default gateway - tag noegress

          Floating rule:
          Reject: Interface WAN_PPPOE - Quick - Direction out - tagged noegress

          Thank you for your answer, but I found the problem in the next 5 minutes after I made the post.
          On the LAN rule I set Tag and it should be Tagged, and on the floating rule I set Tagged and it should be Tag.

          mcury @lcbbcl

            @lcbbcl said in Kill switch:

            On the LAN rule I set Tag and it should be Tagged, and on the floating rule I set Tagged and it should be Tag.

            You are welcome, but that's strange: you should tag it, then use 'tagged' to match..

            https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#firewall-floating-marking-matching


            dead on arrival, nowhere to be found.

            lcbbcl @mcury

              @mcury You are right, it didn't work; I was blocking that station to WAN and WG as well.. now I am back at the same position.

              lcbbcl

                I did it with a LAN rule to reject all connections for that station with the WAN gateway.
                For some reason, using a tag is not working.

                mcury @lcbbcl

                  @lcbbcl said in Kill switch:

                  I did it with a LAN rule to reject all connections for that station with the WAN gateway.

                  Yes, this would accomplish the same goal.

                  @lcbbcl said in Kill switch:

                  For some reason, using a tag is not working.

                  You actually don't need to use a tag. Just make sure you are allowing the VPS group to have access to internal resources in case you need it, and insert this rule above the reject rule.

                  dead on arrival, nowhere to be found.
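As an added check (not code from the thread or from pfSense), this POSIX shell lint reads a `pfctl -sr` rule dump and reports whether the LAN pass rule sets the mark and the WAN out block matches it, or whether the two keywords are swapped as in lcbbcl's first attempt. The interface names, station IP and tag name are assumptions; the sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: lint a ruleset
# dump (the output of `pfctl -sr` on the firewall) for the kill-switch
# rule pair discussed above. Interface names, station IP and tag name are
# constructed assumptions; take yours from Status > Interfaces.
set -e
LAN_IF="igb1"      # assumed LAN interface
WAN_IF="pppoe0"    # assumed WAN interface (WAN_PPPOE in the thread)
TAG="NOEGRESS"     # mark set on the LAN pass rule, matched on the WAN block

# count_matches RULES ERE -> number of rule lines matching ERE (0 if none)
count_matches() { printf '%s\n' "$1" | grep -c -E "$2" || true; }

# check_killswitch RULES
# Prints one verdict and returns 0 only for "ok":
#   ok       a LAN pass rule sets "tag TAG" and a quick WAN out block
#            (pfSense renders Reject as "block return") matches "tagged TAG"
#   swapped  the keywords are reversed (the mistake described in the thread):
#            no packet ever carries the mark, so the block never fires
#   missing  one side of the pair is absent
check_killswitch() {
    rules="$1"
    lan_tag=$(count_matches "$rules" "^pass in .* on $LAN_IF .* tag $TAG( |\$)")
    lan_tagged=$(count_matches "$rules" "^pass in .* on $LAN_IF .* tagged $TAG( |\$)")
    wan_tagged=$(count_matches "$rules" "^block (return )?out quick on $WAN_IF .* tagged $TAG( |\$)")
    wan_tag=$(count_matches "$rules" "^block (return )?out quick on $WAN_IF .* tag $TAG( |\$)")
    if [ "$lan_tag" -gt 0 ] && [ "$wan_tagged" -gt 0 ]; then
        echo ok; return 0
    elif [ "$lan_tagged" -gt 0 ] && [ "$wan_tag" -gt 0 ]; then
        echo swapped; return 1
    else
        echo missing; return 1
    fi
}

# Constructed sample dumps, abridged and written in pf's printed rule style.
RULES_OK='pass in quick on igb1 route-to (wg0 10.6.0.1) inet from 192.168.1.50 to any flags S/SA keep state tag NOEGRESS label "USER_RULE: station via WG"
block return out quick on pppoe0 inet all tagged NOEGRESS label "USER_RULE: kill switch"'
RULES_SWAPPED='pass in quick on igb1 route-to (wg0 10.6.0.1) inet from 192.168.1.50 to any flags S/SA keep state tagged NOEGRESS label "USER_RULE"
block return out quick on pppoe0 inet all tag NOEGRESS label "USER_RULE"'

check_killswitch "$RULES_OK"              # ok
check_killswitch "$RULES_SWAPPED" || true # swapped
# On the firewall itself: check_killswitch "$(pfctl -sr)"
```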

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.