    VPN Gateway leak prevention

    General pfSense Questions
    3 Posts 2 Posters 461 Views
    • c0dyhi11

      Hello all,

      I've been trying to figure out how to prevent certain systems from leaking when my VPN is down, if I set my WAN as the "Default Gateway" in "[System] > [Routing] > [Gateways]".

      I have rules on my LAN interface that set the Gateway for my "vpnd_ips" alias (a list of three hosts I want to only egress out of the VPN).

      It all works fine until the VPN goes down. At that point the rule I guess flips back to the "Default Gateway" (WAN). So now all of that traffic is going out the main WAN.
      I'd prefer this traffic to just not have internet access.

      I've then tried the reverse, where the "Default Gateway" is the VPN and I create a rule that sets the Gateway to WAN for everything NOT in my "vpnd_ips" alias.

      This seems to work... until the VPN goes down, and then pfSense itself can't reconnect the VPN, because its Gateway (the Default) is set to the VPN (which is now down).

      I might be going about this the wrong way... so I'm open to suggestions, but what I'm trying to do is have an alias of IPs only be able to egress out of a VPN. And if that VPN goes down, then just have no route available. And have all other traffic other than that alias be able to use the WAN as usual.

      Thanks!

      • stephenw10 (Netgate Administrator)

        In System > Advanced > Misc set: 'Skip rules when gateway is down'.

        Leave the system default gateway as WAN_DHCP.

        Then add rules on your LAN like:

        Pass VPNd_IPs to any via VPN gateway
        Reject VPNd_IPs to any
        Pass LAN net to any

        Steve

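        Added example (my own model, not code from Steve or from pfSense): a small Python simulation of first-match LAN rule evaluation that shows why this rule order works. With "Skip rules when gateway is down" set, the pass-via-VPN rule disappears while the VPN gateway is down, so the reject rule catches the alias hosts instead of the traffic falling back to WAN. The alias addresses, LAN subnet and gateway names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional

# Constructed sample addresses, not the poster's real hosts: the thread's
# "vpnd_ips" alias is modelled as three LAN hosts inside a 192.168.1.0/24 LAN.
VPND_IPS = {ip_address(a) for a in ("192.168.1.10", "192.168.1.11", "192.168.1.12")}
LAN_NET = ip_network("192.168.1.0/24")
DEFAULT_GW = "WAN_DHCP"          # system default gateway stays on WAN, as advised


class Rule:
    def __init__(self, action: str, match: Callable, gateway: Optional[str] = None):
        self.action = action      # "pass" or "reject"
        self.match = match        # predicate on the packet's source address
        self.gateway = gateway    # None = route via the system default gateway


# Steve's LAN ruleset in order; pfSense evaluates interface rules first match wins.
RULES = [
    Rule("pass", lambda s: s in VPND_IPS, gateway="VPN_GW"),   # Pass VPNd_IPs via VPN
    Rule("reject", lambda s: s in VPND_IPS),                   # Reject VPNd_IPs
    Rule("pass", lambda s: s in LAN_NET),                      # Pass LAN net
]


def egress(src: str, gateway_up: Dict[str, bool], skip_when_down: bool) -> str:
    """Return the gateway a packet from `src` leaves through, or 'reject'/'drop'."""
    src_ip = ip_address(src)
    for rule in RULES:
        if not rule.match(src_ip):
            continue
        if rule.gateway is not None and not gateway_up.get(rule.gateway, False):
            if skip_when_down:
                continue          # rule is omitted entirely, so the next rule is consulted
            # Without the option, pfSense loads the rule with no gateway, so the
            # match falls back to the default route: the leak the poster observed.
            return DEFAULT_GW
        if rule.action == "reject":
            return "reject"
        return rule.gateway or DEFAULT_GW
    return "drop"                 # no rule matched: implicit default deny


if __name__ == "__main__":
    for vpn_up in (True, False):
        for skip in (True, False):
            print(f"vpn_up={vpn_up} skip={skip}:",
                  egress("192.168.1.10", {"VPN_GW": vpn_up}, skip))
```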
        • c0dyhi11 @stephenw10

          @stephenw10
          You sir are amazing!
          Thanks a bunch!!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.