[Solved] How to block traffic when VPN is down



  • Hi,
    How do you stop a traffic that is supposed to go to a vpn gateway when the vpn is down? I am using a vpn service and configured it following a tutorial I found here. It works with no problem, I configured using firewall rules to allow only specific traffic to go through the vpn gateway. My problem is that when the vpn is down all the traffic that should go through the vpn gateway get redirected to the default gateway which is what i dont want it to do. I want the traffic to be blocked if the vpn is down. How can i do this? Thanks.



  • I think I have solved this by making nat outbound rules to disable nat on wan interface for traffic that should go through the vpn. I have set one pc in my network to only access the vpn by creating firewall rule to go through vpn gateway and create a nat disable rule on wan interface then putting the nat rule on top. While the vpn is running it can traceroute google with no problem and when vpn is down traceroute would not work. I also tried pinging google and it also wouldnt work when the vpn is down. Looks ok to me.



  • That's an option. It's still going out WAN in that case, but it won't actually reach the destination. Or shouldn't, your ISP should be dropping private IP sourced traffic. It could theoretically make it all the way to its destination but the reply won't go back.

    You can actually block that traffic using a quick floating rule matching out on WAN.



  • I have added the floating rule like you said blocking lan subnet from going out wan and it is working. I enabled logging and can see the traffic being blocked when i disable vpn. Try pinging gives 'Destination host unreachable' instead of just telling packet loss. I believe the problem is now completely solved, thanks for the tip.



  • Can someone explain please, perhaps with a screenshot, how to apply this floating rule for a single client? I have 3 clients in the network and only one is using the VPN connection established with pfSense.
    Now i tried 2 days to block traffic on this client in case of shutting down the VPN connection.

    thanks in advance



  • I suppose the OP talks about a setup similar to this one:

    NAT Manual Outbound Overview

    NAT deny Rule

    Firewall Rules



  • Thank you very much deltalord. It works very well.


Log in to reply