Netgate Discussion Forum
[Solved] How to block traffic when VPN is down

OpenVPN
7 Posts 4 Posters 11.1k Views
luniq, Feb 8, 2013, 8:06 PM (last edited Feb 11, 2013, 2:28 PM)

Hi,
How do you stop traffic that is supposed to go to a VPN gateway when the VPN is down? I am using a VPN service and configured it following a tutorial I found here. It works with no problem; I configured firewall rules to allow only specific traffic to go through the VPN gateway. My problem is that when the VPN is down, all the traffic that should go through the VPN gateway gets redirected to the default gateway, which is what I don't want it to do. I want the traffic to be blocked if the VPN is down. How can I do this? Thanks.

luniq, last edited Feb 11, 2013, 11:49 AM

I think I have solved this by making outbound NAT rules to disable NAT on the WAN interface for traffic that should go through the VPN. I have set one PC in my network to only access the VPN by creating a firewall rule to go through the VPN gateway and creating a NAT disable rule on the WAN interface, then putting the NAT rule on top. While the VPN is running it can traceroute Google with no problem, and when the VPN is down traceroute would not work. I also tried pinging Google and it also wouldn't work when the VPN is down. Looks OK to me.

cmb, last edited Feb 11, 2013, 12:13 PM

That's an option. It's still going out WAN in that case, but it won't actually reach the destination. Or shouldn't; your ISP should be dropping private-IP-sourced traffic. It could theoretically make it all the way to its destination, but the reply won't go back.

        You can actually block that traffic using a quick floating rule matching out on WAN.

luniq, last edited Feb 11, 2013, 2:27 PM
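As an added illustration that is not from any poster in this thread, the two approaches above (the outbound NAT "disable" rule and the quick floating block rule) written as plain pf rules, the way the pfSense GUI settings end up in the ruleset. Interface names, the VPN-only host address, the LAN subnet and the tunnel next-hop are assumed placeholders.

```pf
# Assumed names for this example (not from the thread):
wan_if   = "em0"            # WAN interface
lan_if   = "em1"            # LAN interface
vpn_if   = "ovpnc1"         # OpenVPN client tunnel interface
vpn_gw   = "10.8.0.1"       # next hop inside the tunnel (assumed)
vpn_host = "192.168.1.50"   # the single LAN host that must only use the VPN
lan_net  = "192.168.1.0/24"

# --- Outbound NAT (manual mode) ---
# luniq's approach: put a "do not NAT" rule for the VPN-only host on WAN
# above the normal WAN NAT rule. If that host's traffic ever falls back to
# WAN, it leaves with a private source address and is dropped upstream.
no nat on $wan_if from $vpn_host to any
nat on $wan_if from $lan_net to any -> ($wan_if)
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# --- Filter rules ---
# cmb's approach: a quick floating rule matching the VPN-only host outbound
# on WAN. "quick" makes it win before any pass rule; "log" records each
# blocked packet so a leak attempt is visible when the tunnel is down.
block out log quick on $wan_if from $vpn_host to any

# LAN policy routing: the VPN-only host is sent into the tunnel; when the
# tunnel gateway is down the route-to no longer applies and the packet
# follows the default route out WAN, where the block rule above catches it.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from $vpn_host to any keep state
pass in quick on $lan_if from $lan_net to any keep state
```

Either rule alone prevents the leak from reaching the Internet; the floating block additionally gives you a log entry to alert on, which the NAT-only approach does not.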

I have added the floating rule like you said, blocking the LAN subnet from going out WAN, and it is working. I enabled logging and can see the traffic being blocked when I disable the VPN. Trying to ping gives 'Destination host unreachable' instead of just reporting packet loss. I believe the problem is now completely solved, thanks for the tip.

gekko, Mar 7, 2013, 6:04 PM (last edited Mar 7, 2013, 6:20 PM)

Can someone please explain, perhaps with a screenshot, how to apply this floating rule for a single client? I have 3 clients in the network and only one is using the VPN connection established with pfSense.
I have now tried for 2 days to block traffic on this client in case the VPN connection is shut down.

            thanks in advance

deltalord, last edited Mar 11, 2013, 11:43 AM

              I suppose the OP talks about a setup similar to this one:

[Screenshot: NAT Manual Outbound Overview]

[Screenshot: NAT deny Rule]

[Screenshot: Firewall Rules]

gekko, last edited Mar 11, 2013, 4:44 PM

                Thank you very much deltalord. It works very well.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.