VPN Gateway leak prevention

c0dyhi11

Hello all,

I've been trying to figure out how to prevent leaking of certain systems when my VPN is down. If I set my WAN to the "Default Gateway" in "[System] > [Routing] > [Gateways]".

I have rules on my LAN interface to set the Gateway for my "vpnd_ips" alias (A list of 3x hosts I want to only egress out of the VPN).

It all works fine until the VPN goes down. At that point the rule I guess flips back to the "Default Gateway" (WAN). So now all of that traffic is going out the main WAN.
I'd prefer this traffic to just not have internet access.

I've then tried the reverse. Where the "Default Gateway" is the VPN and I create a rule where I set the Gateway to WAN for NOT my "vpnd_ips" alias.

This seems to work... Until the VPN goes down, and then PFSense itself can't reconnect the VPN, because its Gateway (The Default) is set to the VPN (Which is now down).

I might be going about this the wrong way... So I'm open to suggestions, But what I'm trying to do is have an alias of IPs only be able to egress out of a VPN. And if that VPN goes down, then just have no route available. And have all other traffic other than that alias be able to use the WAN as usual.

Thanks!

stephenw10

In System > Advanced > Misc set: 'Skip rules when gateway is down'.

Leave the system default gateway as WAN_DHCP.

Then add rules on your LAN like:

Pass VPNd_IPs to any via VPN gateway
Reject VPNd_IPs to any
Pass LAN net to any

Steve

c0dyhi11

@stephenw10
You sir are amazing!
Thanks a bunch!!