Netgate Discussion Forum
    Pass rule blocked on default gateway on VPN

    Firewalling
    15 Posts 3 Posters 632 Views
    • randombits

      I have ProtonVPN set up as a client, and it goes via VLAN999 to my AP. I have pfBlockerNG on all interfaces with two pass whitelists at the top. However, on the VPN, with those whitelists enabled, access to those sites over the VPN is blocked. If I disable those lists the VPN works ok; all the other interfaces work ok with them on. The lists contain sites that are blocked by some pfBlocker lists.

      screencapture-192-168-2-210-firewall-rules-php-2024-04-26-10_15_24.png

      Added a couple more images
      screencapture-192-168-2-210-firewall-rules-php-2024-04-26-10_27_23.png screencapture-192-168-2-210-interfaces-assign-php-2024-04-26-10_27_03.png

      • viragomann @randombits

        @randombits said in Pass rule stopping internet on VPN:

        on the VPN with those whitelists enabled blocks access to those sites over the VPN. If I disable those lists the VPN works ok all the other interfaces work ok with them on.

        Which one? The whitelists?

        Which DNS server do the devices in this subnet use?
        Remember that you have only allowed them to use one of the whitelists, or one that is accessible via VPN.

        • randombits @viragomann

          @viragomann Yes, the whitelists. It appears to work backwards: pass rules enabled blocks, and disabled (ON) works ok. The DNS is pfSense apart from the ProtonVPN, which is 10.8.8.1, given by Proton - I think.

          The sites I used are thepriratebay.org and limetorrents.lol, which are whitelisted. With the pass rules on, everything else works ok apart from those two sites.

          • randombits @viragomann

            @viragomann said in Pass rule stopping internet on VPN:

            Remember that you have only allowed them to use one of the whitelists or one, that is accessible via VPN

            Sorry, I'm not sure what you mean.

            Do you mean the whitelists have to go out via the VPN gateway rather than any (*) ? - Although I think I tried that yesterday.

            • viragomann @randombits

              @randombits said in Pass rule stopping internet on VPN:

              The sites I used are thepriratebay.org and limetorrents.lol which are whitelisted.

              So these two sites are the content of the whitelist aliases?

              Not clear what you're trying to achieve here.
              The whitelists obviously include torrent sites, but you allow any source to access them. On the other hand you have a rule to direct any other destinations to the VPN gateway.
              This means only the two whitelisted sites are going to the default gateway. Is this what you want?

              So the question arises: what is the default gateway?

              What exactly does not work? Accessing the two sites in the whitelist aliases or anything else?

              And again, which DNS server is configured on the device you have issues with?

              • randombits @viragomann

                @viragomann The two sites are in the context of the whitelists. The two sites are blocked by existing pfBlocker lists and therefore unblocked in the whitelist at the top of the rules. I assumed the lists would be 'parsed', being in the 999 VLAN, and passed out to Proton via the gateway at the bottom of the list.

                The idea is to have all torrent data go via Proton, including the two whitelisted sites. The torrent server is on another server, but I was testing using wifi SSIDs' VLANs.

                The default gateway is the WAN.

                Incidentally, ALL the traffic goes over a single NIC on a tiny Lenovo server running Proxmox.

                ADSLModem VLAN 1000 > Switch >Proxmox >pfSense
                Wifi AP VLAN 999 . . . . . . .>^

                screencapture-192-168-2-210-firewall-rules-edit-php-2024-04-26-10_46_32.png screencapture-192-168-2-210-system-gateways-php-2024-04-26-10_36_40.png screencapture-192-168-2-210-firewall-rules-php-2024-04-26-10_36_55.png
                screencapture-192-168-2-210-pfblockerng-pfblockerng-category-php-2024-04-26-14_02_52.png
                screencapture-192-168-2-210-pfblockerng-pfblockerng-ip-php-2024-04-26-14_06_28.png

                • randombits @randombits

                  I've just added the Proton gateway again to each of the whitelist pass rules and it seems to be working now - all very odd.

                  Swapping back and forth between two wifi SSIDs could have caused issues and stuck pfSense states.

                  • viragomann @randombits

                    @randombits
                    Not clear to me why you got no connection before.
                    As mentioned, the whitelist rule would let the traffic out on WAN without the VPN gateway stated, since WAN is the default.
                    But since this rule doesn't tag the traffic, it should not be blocked by the kill switch.

                    So the only reason I can think of is that the destination is blocked on the WAN by your provider.

                    • randombits @viragomann

                      @viragomann Definitely not my ISP; they don't block anything, ports, sites etc. For one, it works ok via my ISP over my normal wifi SSID.

                      What I think it was: the rules were working but blocked from the default WAN via the tagged floating kill-switch rule. I'm not sure though.

                      • viragomann @randombits

                        @randombits
                        But according to your screenshots, the whitelist rules don't tag the packets. So the kill-switch rule shouldn't be applied to them.

                        • randombits @viragomann

                          @viragomann Agreed, all very odd. Having been at this most of yesterday and now today, I'll give it a rest for a bit! Thanks for making me think some more - sometimes another pair of eyes helps!

                          • randombits @randombits

                            I forgot to add the whole reason behind this: I'm going to change to a new fibre ISP that blocks a lot of sites and uses CGNAT 😞 but is faster than my current ADSL.

                            I still can't figure out what the original issue is/was though 😕

                            • Bob.Dig @randombits

                              @randombits said in Pass rule stopping internet on VPN:

                              I still can't figure out what the original issue is/was though 😕

                              I don't think you can just add two FQDNs and everything is working. Even if you talk about just those two websites, they will use additional FQDNs and CDNs etc.
                              Also, using this many "Feeds" for a torrent app is not smart to begin with. All those lists are not for torrenting; most of them are at least partially against it. Just stop it. Don't use any blocklist for torrenting unless you find one specific for this and your use case. I don't know one.

                              • randombits @Bob.Dig

                                @Bob-Dig The two sites are both in IP ranges and one in the DNS list. I wish to block some 'areas' I download and share torrents with. Admittedly they could be trimmed more appropriately rather than just added from the LAN.

                                The problem is: with the pass rule list added with default gateway (*) it blocks and doesn't send out via the default gateway; when it's set to the gateway ProtonVPN it works ok. I have no idea why. It does the same if I manually add the pass rule too.

                                The whitelist rule is working but not going out via the default gateway:

                                Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
                                Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
                                Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
                                Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
                                Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
                                Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
                                Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
                                
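The log excerpt above is the evidence that the whitelist pass rule itself fired. The script below is an added example (not from the thread or from pfBlockerNG) that parses those lines and sorts each flow into "passed by the filter", "blocked by the filter" or "inconsistent" (the matched CIDR does not contain the destination). The positional column names are an assumption inferred from the visible values, not pfBlockerNG's documented field list; the sample includes the seven posted lines plus two constructed lines that exercise the other branches. The point for a defender: a flow the filter logged as `pass` that still fails end-to-end was not stopped by the rule, so the next places to look are routing (gateway selection, a kill switch on the egress interface) and outbound NAT.

```python
"""Parse pfBlockerNG-style alert lines and classify each flow by filter outcome."""
import ipaddress
from collections import defaultdict

# ASSUMPTION: column names inferred from the 21 comma-separated values in the
# thread's excerpt; only a handful of them are used below.
COLUMNS = [
    "timestamp", "rule_id", "interface", "interface_descr", "action",
    "ip_version", "proto_num", "proto", "src", "dst", "sport", "dport",
    "direction", "geoip", "alias", "matched_cidr", "feed", "resolved",
    "hostname", "dns_entry", "flag",
]

# Constructed sample: the seven lines from the thread, plus two lines made up
# here (a block from a made-up alias, and a line whose CIDR does not contain dst).
SAMPLE_LOG = """\
Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:13,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,17,UDP,10.9.99.10,104.31.16.4,55886,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:29,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,162.159.137.6,24703,443,out,Unk,pfB_WhitelistDNS_v4,162.159.128.0/17,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
Apr 28 18:11:32,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,172.66.44.77,24705,443,out,US,pfB_WhitelistDNS_v4,172.66.40.0/21,WhitelistDNS_custom_v4,Unknown,dave-PC,null,-
Apr 28 18:12:01,1770012440,vtnet0.999,TORRENTTRAFFIC,block,4,6,TCP-S,10.9.99.10,198.51.100.7,24710,443,out,Unk,pfB_ExampleBlock_v4,198.51.100.0/24,ExampleBlock_v4,Unknown,dave-PC,null,+
Apr 28 18:12:05,1770012439,vtnet0.999,TORRENTTRAFFIC,pass,4,6,TCP-S,10.9.99.10,203.0.113.9,24711,443,out,Unk,pfB_WhitelistDNS_v4,104.16.0.0/12,WhitelistDNS_custom_v4,Unknown,dave-PC,null,+
"""


def parse_line(line: str) -> dict:
    """Split one CSV alert line into a dict and sanity-check the matched CIDR."""
    parts = line.strip().split(",")
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(COLUMNS, parts))
    rec["cidr_contains_dst"] = ipaddress.ip_address(rec["dst"]) in ipaddress.ip_network(
        rec["matched_cidr"], strict=False
    )
    return rec


def group_flows(text: str) -> dict:
    """Collapse repeated lines into one entry per (src, dst, proto, dport)."""
    flows = defaultdict(lambda: {"hits": 0, "actions": set(), "interfaces": set(),
                                 "directions": set(), "aliases": set(), "cidr_ok": True})
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        f = flows[(r["src"], r["dst"], r["proto"], r["dport"])]
        f["hits"] += 1
        f["actions"].add(r["action"])
        f["interfaces"].add(r["interface"])
        f["directions"].add(r["direction"])
        f["aliases"].add(r["alias"])
        f["cidr_ok"] = f["cidr_ok"] and r["cidr_contains_dst"]
    return dict(flows)


def classify(flows: dict) -> dict:
    """Bucket flows: 'passed' means the filter is not the place the flow died."""
    out = {"passed": [], "blocked": [], "inconsistent": []}
    for key, f in flows.items():
        if not f["cidr_ok"]:
            out["inconsistent"].append(key)
        elif f["actions"] & {"block", "reject"}:
            out["blocked"].append(key)
        else:
            out["passed"].append(key)
    return out


if __name__ == "__main__":
    for bucket, keys in classify(group_flows(SAMPLE_LOG)).items():
        print(f"{bucket}:")
        for src, dst, proto, dport in keys:
            print(f"  {src} -> {dst}:{dport} {proto}")
```

Run as-is it prints the three whitelisted destinations under `passed`, the constructed block line under `blocked` and the constructed mismatching line under `inconsistent`; the duplicate `+`/`-` lines for the same flow collapse into a single entry with a hit count.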
                                • randombits @randombits

                                  SOLVED

                                  After a rethink I discovered there was no auto-created outbound NAT rule (set to manual); added that, and now everything works as expected.

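Two things in this thread decide where a flow ends up: viragomann's point that a whitelist rule without a tag cannot be caught by the tagged floating kill switch, and the final finding that manual outbound NAT had no rule for the VPN interface. The following is an added example (not pfSense code and not from any poster) that models those stages as a small trace: first-match interface rule sets the gateway and tag, the gateway picks the egress interface, a floating kill switch blocks tagged packets on WAN, and outbound NAT is checked on the egress interface. Interface names `vtnet0.1000` and `ovpnc1`, the tag `VPN_ONLY`, the gateway names and the fall-back-to-default behaviour when a gateway is down are assumptions of the model.

```python
"""Trace one flow through a simplified pfSense-style pipeline: interface pass
rules (first match sets tag and gateway) -> egress interface -> floating
kill-switch rule -> outbound NAT. This is a model written for the example,
not pfSense's own code; interface names, tag and gateway names are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    name: str
    dst: str                       # CIDR or "any"
    gateway: Optional[str] = None  # None models gateway "*" (routing table / default gateway)
    tag: Optional[str] = None      # pf tag set on matching packets


@dataclass
class Gateway:
    name: str
    interface: str
    up: bool = True


@dataclass
class Firewall:
    default_gateway: str
    gateways: Dict[str, Gateway]
    iface_rules: Dict[str, List[Rule]]  # pass rules per interface, evaluated top-down
    killswitch: Dict[str, str]          # egress interface -> tag blocked by a floating rule
    nat_mode: str                       # "automatic" or "manual"
    manual_nat_ifaces: Set[str] = field(default_factory=set)


def matches(rule: Rule, dst: str) -> bool:
    return rule.dst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst, strict=False)


def trace(fw: Firewall, in_iface: str, dst: str) -> dict:
    """Return the stage at which a flow from in_iface to dst is decided."""
    rule = next((r for r in fw.iface_rules.get(in_iface, []) if matches(r, dst)), None)
    if rule is None:
        return {"stage": "filter", "result": "blocked", "why": "no pass rule matched (default deny)"}
    gw = fw.gateways[rule.gateway or fw.default_gateway]
    if not gw.up:  # ASSUMPTION: a policy-routed flow falls back to the routing table
        gw = fw.gateways[fw.default_gateway]
    egress = gw.interface
    if rule.tag and fw.killswitch.get(egress) == rule.tag:
        return {"stage": "kill-switch", "result": "blocked", "rule": rule.name, "egress": egress,
                "why": f"floating rule blocks tag {rule.tag} on {egress}"}
    if fw.nat_mode == "manual" and egress not in fw.manual_nat_ifaces:
        return {"stage": "outbound-nat", "result": "broken", "rule": rule.name, "egress": egress,
                "why": f"no manual outbound NAT rule on {egress}; packets leave with a private source and get no replies"}
    return {"stage": "done", "result": "pass", "rule": rule.name, "egress": egress, "why": f"NATed out {egress}"}


def build(nat_for_vpn: bool, vpn_up: bool = True, whitelist_gateway: Optional[str] = None) -> Firewall:
    """Constructed ruleset mirroring the thread: whitelist pass rule on top, then
    'everything else via ProtonVPN' with a tag, and a floating kill switch on WAN
    for that tag. Names other than vtnet0.999 and the /12 are assumptions."""
    return Firewall(
        default_gateway="WAN",
        gateways={"WAN": Gateway("WAN", "vtnet0.1000"),
                  "ProtonVPN": Gateway("ProtonVPN", "ovpnc1", up=vpn_up)},
        iface_rules={"vtnet0.999": [
            Rule("pfB_WhitelistDNS_v4 pass", "104.16.0.0/12", gateway=whitelist_gateway),
            Rule("all else to ProtonVPN", "any", gateway="ProtonVPN", tag="VPN_ONLY"),
        ]},
        killswitch={"vtnet0.1000": "VPN_ONLY"},
        nat_mode="manual",
        manual_nat_ifaces={"vtnet0.1000"} | ({"ovpnc1"} if nat_for_vpn else set()),
    )


def scenarios() -> Dict[str, dict]:
    return {
        "whitelist, gateway *, no VPN NAT": trace(build(False), "vtnet0.999", "104.31.16.4"),
        "other dst via VPN, no VPN NAT": trace(build(False), "vtnet0.999", "198.51.100.7"),
        "other dst via VPN, NAT added": trace(build(True), "vtnet0.999", "198.51.100.7"),
        "whitelist pinned to VPN, NAT added": trace(build(True, whitelist_gateway="ProtonVPN"), "vtnet0.999", "104.31.16.4"),
        "VPN gateway down": trace(build(True, vpn_up=False), "vtnet0.999", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:36} {r['stage']:12} {r['result']:8} {r['why']}")
```

The trace reproduces the two points the thread settles on: an untagged whitelist rule with gateway `*` leaves via WAN and is never touched by the kill switch, and any flow sent to the VPN gateway under manual outbound NAT dies at the NAT stage until a rule for the VPN interface exists. The last scenario shows why the tag matters at all: when the VPN gateway is down and the tagged flow falls back to WAN, the floating rule is what stops it from leaking.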
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.