Prevent Certain LAN ips from accessing WAN when OpenVPN goes down



  • Hi,

    I hope this is the right place to ask this. I have been browsing the forum trying to find the solution, with no result. http://forum.pfsense.org/index.php/topic,58694.0.html seemed similar but none of the solutions worked.

    I have set up an OpenVPN client and it is connecting correctly. I also implemented route-noexec so the traffic doesn't automatically flow LAN -> VPN.
    I have an interface set up; let's call it BVPN.

    In firewall rules I have one rule above the default LAN one that says anything coming from IP 192.168.1.5 -> go to gateway BVPN. <-- this works, and only that IP goes to the VPN and the rest of the LAN goes to the ISP.

    Now my problem is if the VPN connection goes down: traffic from 192.168.1.5 automatically flows to the ISP.

    I tried the solutions from the above URL; they didn't seem to work. :(

    I am coming from DD-WRT and had this working with multiple VPNs using a startup script.

    I had this implemented using iptables and marking packets like so:

    ```sh
    # Discover the ISP and tunnel gateways from the main routing table
    IspGateway=$(ip route list table main | awk '/default/ { print $3}')
    Tun0Gateway=$(ip route list table main | awk '/tun0/ { print $1}')

    ip rule add fwmark 1 table main # ISP
    ip rule add fwmark 2 table 2 # Tunnel 0
    ip route add default via $Tun0Gateway dev tun0 table 2 # Send out VPN tunnel
    ```

    I would mark a packet like so:

    ```sh
    iptables -A PREROUTING -t mangle -s 192.168.1.5 -j MARK --set-mark 2
    ```

    and packets would be dropped like so if the connection is down (eth1 is the WAN interface):

    ```sh
    iptables -I FORWARD -s 192.168.1.5 -o eth1 -j DROP
    ```

    Can anyone help me please? I have no idea how to accomplish this with pfSense :(



  • The advice from cmb should work - http://forum.pfsense.org/index.php/topic,58694.msg315225.html#msg315225
    Post your "quick floating rule matching out on WAN" and we can try to sort out the detail of it.



  • Hi Phil,

    Thank you for your reply!
    I am not at home at the moment.

    But the rule I used was…
    Anything on WAN interface, Direction OUT, coming from 192.168.1.5 -> to Anywhere BLOCK <--- this didn't work.
    I also tried the same as above going to WAN Subnet. That didn't work either.

    I tried a packet capture and it seems that I only see my pings coming from 192.168.1.5 on LAN; I am not sure if that helps.

    Is there any documentation/diagram anywhere displaying how packets traverse the firewall and in which order rules are applied?

    Ig.



    Firewall rules are always applied top to bottom.
    Firewall rules are always applied on the interface on which they come in (well, floating rules are an exception, but these are more complicated).

    So to block traffic for your 192.168.1.5 on the LAN interface, you need to add the block rule on the LAN interface.

    Now I'm not sure, but I suspect that since your VPN interface is down, the rule which redirects traffic for your client doesn't apply anymore (don't take my word on this, I'm really not sure).

    What I would do:

    • Create an alias containing all your "is only allowed via VPN" clients (Firewall –> Aliases). Let's call it VPN_USERS
    • Change your redirect rule to: "source: VPN_USERS, gateway: VPN_gateway"
    • Change the default allow all rule to: "source: NOT VPN_USERS"

    In the end you would have 2 rules:
    1: rule to allow VPN_USERS to the VPN, which forces traffic directly to the VPN gateway
    2: rule to allow everyone except the VPN_USERS to wherever the routing table allows.



    Ahah, ok, that makes sense. I guess it's possible; I have to try that when I get home.

    I tried this last night and it didn't work.
    ALLOW source: 192.168.1.5, gateway: VPN_gateway <-- I assumed this would be skipped if the VPN gateway is down.
    BLOCK source: 192.168.1.5, anywhere <--- and this would be triggered
    ALLOW source: lan, *

    Is there a way to see which rule each packet hits?



  • On 2.1-RC1 the firewall log lets you display the rule number and description of the packets logged.
    (I suspect that is new to 2.1, so won't be in 2.0.n - it is quickly getting to the point where 2.1 needs to get released and everyone upgrade, then we can all forget about what features might or might not be in 2.0.n)



    Is there a way to definitively know that a rule gets skipped if VPN_gateway is down?

    Since this didn't work.
    IN LAN TAB
    ALLOW source: 192.168.1.5, gateway: VPN_gateway <-- I assumed this would be skipped if the VPN gateway is down and would go to the next rule.
    BLOCK source: 192.168.1.5, anywhere <--- and this would be triggered
    ALLOW source: lan, *



    Alright, I tried the rules below.
    If 192.168.1.5 -> VPN is enabled and the VPN gateway is down, traffic from 192.168.1.5 still flows to the ISP.
    If the rule is disabled then 192.168.1.5 cannot ping anything.

    So it seems that the moment the traffic is redirected to the VPN gateway, the rest of the routing table is skipped.

    Any ideas?

    ![Screen Shot 2013-08-09 at 6.10.24 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 6.10.24 PM.png)



  • Well - What ports are needed for DNS, OpenVPN and little things like that?
    You could close everything on LAN, and only allow from LAN subnet to pfSense LAN IP (let's call it 192.168.1.1 for simplicity)

    That would kill all traffic to the NET.

    Then you could allow only that 1 port that openvpn needs out from LAN 192.168.1.5 to *.

    That should do it.  One would think.

    (Is the vpn client on the computer 192.168.1.5, or is pfsense the client?)
    This is easier to do if the computer in question is the client and not pfsense as client.



  • That's the thing: the moment traffic is redirected to the VPN gateway, every other rule seems to be skipped.

    I am trying to wrap my head around this:
    Policy Route Negation
    When a firewall rule directs traffic into the gateway, it bypasses the firewall's normal routing table. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the firewall's routing table. These rules should be at the top of the ruleset – or at least above any rules using gateways.

    Am I supposed to create another rule somewhere?



  • I'd just make the computer the client directly and that solves so many issues.
    If it's a Windows machine or a Mac, this is really easy.  If it's some server, maybe not as easy.



  • Haha yeah… that would be simpler.

    What I want is:

    Have 3x machines -> ISP
    TV -> flow to US VPN
    NAS -> Some other VPN

    If OpenVPN links go down BLOCK TV and NAS from accessing outside world.
    I did this with DD-WRT before but I have no idea how to do this with pfSense. I must be missing something simple.



  • OK - I want to be sure about this, so I'll list a list of conditions.  Tell me which are true or false for you.

    Your distant VPN server uses a fixed IP?

    If your VPN drops you want everything connected to pfsense to not be able to access internet?



  • @kejianshi:

    OK - I want to be sure about this, so I'll list a list of conditions.  Tell me which are true or false for you.

    Your distant VPN server uses a fixed IP?
    No, it's dynamic. Using the OpenVPN client in pfSense.

    If your VPN drops you want everything connected to pfsense to not be able to access internet?
    No, only machines forwarded to the VPN gateway.



  • In that case, not sure…  I'll be reading along and thinking about it a while.



  • You posted a screen shot above.  I can't see the whole page.  Can you repost the screen shot to include the interface tabs etc?



  • Here you go

    ![Screen Shot 2013-08-09 at 7.12.12 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.12.12 PM.png)



  • This can easily be done using iptables; I just don't know how to do it here.

    The idea is to mark packets to go to either one routing table or another; then, if a packet still arrives at an unwanted interface, drop it. I have my iptables rules in earlier posts.



  • The rules, as they are now, pass everything.  For sure.  First you pass 192.168.1.5, and then you pass everything that isn't 192.168.1.5.
    So, that's everything.

    For the first one, shouldn’t you specify a destination gateway?



  • Yeah, sorry, I was doing some other tests; here are the rules as they are now. The OpenVPN gateway is down and I can still ping outside from 192.168.1.5.

    ![Screen Shot 2013-08-09 at 7.20.11 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.20.11 PM.png)



  • So, if you put in a rule immediately after the pass 192.168.1.5 to olive rule and you made it a block 192.168.1.5 to anywhere rule, I wonder what that would do?

    Second, what is the subnet the VPN is using?  I have 1 last question after this…



  • Like so?
    Still lets traffic go through the ISP.

    ![Screen Shot 2013-08-09 at 7.40.15 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.40.15 PM.png)



  • If none of this works, I'm thinking this.

    Traffic should go from 192.168.1.5 > some VPN subnet > WAN > VPN

    (my understanding could be bad)

    But, if you put a rule on the WAN to block any traffic that is source 192.168.1.5 and destination * that should block 192.168.1.5 when it's not using VPN for sure.  Not sure if it will also block it when inside VPN also.  Never tried it.  It's easy to do, try and undo if needed.  Maybe try it.

    If blocking 192.168.1.5 at the wan doesn't work or if it completely breaks 192.168.1.5 then I'm fresh out of unique and amazing ideas.



  • Like so?
    You would think this would work ;) So did I; I think this was the first thing I tried.

    Anyway, I tried it again, same thing.

    ![Screen Shot 2013-08-09 at 7.49.51 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.49.51 PM.png)



  • Just an idle question?  Do you have a floating rule that says pass anything to anything because this is getting strange?
    And are you sure the computer in question's IP is actually 192.168.1.5?



  • hehe..
    No, but I have block source 192.168.1.5 to anywhere. Doesn't work either.



  • So, it's going to the VPN as a gateway and then that gateway is sending to the open web when the VPN fails.

    Maybe make a rule on the WAN that blocks anything from source interface BOLEVPN that isn't on that one port that openvpn needs.

    This isn't multi-public-IP system right?  Just 1 WAN?



  • I really hoped that would work but no :(
    It seems the rules are being bypassed and traffic just jumps to VPN gateway.



  • Did you apply some rules to the firewall outside the gui using command line?



  • No I don't. I haven't gotten that desperate yet :D I am hoping someone who made pfSense would be able to shed some light on this.



  • What does this mean: (from the docs)
    Policy Route Negation
    When a firewall rule directs traffic into the gateway, it bypasses the firewall's normal routing table. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the firewall's routing table. These rules should be at the top of the ruleset – or at least above any rules using gateways.



  • It just means that when you send LAN traffic to VPN as gateway it does an end run around the rest of pfsense rules and that if no gateway is stipulated it will use a default gateway.  Also says these rules belong at the top, which is where you have them.

    Doesn't explain to me how to get a down VPN to cease and desist passing traffic.

    BLOCK TRAFFIC WHEN VPN IS DOWN would be a great option to add to client VPN settings…



  • Well, I specified the option in the VPN client not to route traffic by default, because by default it would add a rule to force stuff into the VPN. That's why policy based routing works. I can throw stuff at the VPN as needed.

    Is there another way to mark packets to go to that gateway?



  • I don't know that that would fix your problems.  No matter how the traffic arrives at the VPN gateway it seems it might get to the WEB unless the VPN blocks traffic when down.  An easy fix would be to run those devices off a second small device that acts as a VPN client, like a small DD-WRT router instead of using pfSense as VPN client.  Then you could easily block any traffic not on a VPN port.  Short of that, I guess we have to wait for an answer from an uber genius more than us…



  • ok….. so I feel stupid now :)

    I may have some progress now.

    I have reread the other post over and over, so it seems to somewhat work...
    I still forward packets to the VPN GW but also added a DO NOT NAT rule for 192.168.1.5 on WAN. This seems to do the trick, but I don't think it's right; packets should theoretically still go out. How do I drop them?

    Status now: if the VPN is up, olive goes through the VPN properly.
    If the VPN is down, olive cannot ping google.

    ![Screen Shot 2013-08-10 at 9.57.53 AM.png](/public/imported_attachments/1/Screen Shot 2013-08-10 at 9.57.53 AM.png)
    ![Screen Shot 2013-08-10 at 9.56.43 AM.png](/public/imported_attachments/1/Screen Shot 2013-08-10 at 9.56.43 AM.png)



  • I wouldn't feel stupid - I didn't think to try killing it there in outbound NAT.  Nice.



  • :) Yeah, but stuff still goes out and the ISP is still dropping it, I assume. I have to drop it at the firewall.
    I wish there was a book on pfsense with some diagram on how packets traverse the firewall.



  • @m3ki:

    the rule I used was…
    Anything on WAN interface, Direction OUT, coming from 192.168.1.5 -> to Anywhere BLOCK <--- this didn't work.
    I also tried the same as above going to WAN Subnet. That didn't work either.

    I've set up the following rule; it works perfectly:
    Firewall: Rules –> Floating tab

    IMPORTANT: it's NOT a quick rule!
    Action: Block
    Interface: WAN
    Direction: any <-- (if set to OUT, it doesn't work!)
    Source : any [here you need to enter 192.168.1.5]
    Destination: any
    [_/] Log packets that are handled by this rule
    Description: FLOAT01_NO_INTERNET_IF_AIRVPN_IS_DOWN



  • To my surprise I just tested this and can confirm the problem on 2.1 RC1. I also use policy routing, not the default gateway, to route the VPN traffic, and I have nothing else that passes traffic for packets coming from "VPN subnet". It seems clear to me that the "pass" on the LAN rule is a match for "pass" and thus no further rules are processed and no more consideration is made to whether that packet should be allowed. What I don't understand is why pfSense falls back to the routing table when the policy routing doesn't work. I can see that this could be wanted behaviour in some cases, but certainly not in all (it could for example route bandwidth intensive traffic down an expensive link when the cheap link went down). I disagree that this should be an option in the VPN client; I'd rather have the chance to decide this on a per (policy routing) rule basis.

    I haven't tested with a floating block rule like panz suggests, but if that indeed works it makes me even more interested to get a detailed explanation of how and when firewall rules are processed. Are the floating rules processed before or after the interface rules, and are they processed several times for a single packet (that is, for each interface it passes)? I've yet to find a detailed explanation for this, but I'm sure it must exist here somewhere? It's hard to design rules when you're not sure how they are processed.



  • @Nadar:

    Are the floating rules processed before or after the interface rules, and are they processed several times for a single packet (that is for each interface it passes)? I've yet to find a detailed explanation for this, but I'm sure it must exist here somewhere? It's hard to design rules when you're not sure how they are processed.

    Floating rules are processed before the others.

    All other interface rules are processed top –> down with the condition: first match = stop processing (so, if a packet matches a rule it encounters, further processing is halted).

    One thing to consider is stateful inspection: if a packet is a reply to a legitimate one (= reply packet is matching the table) then it is allowed.

    See "Firewalling with OpenBSD's PF packet filter" http://home.nuug.no/~peter/pf/en/
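As an added example (not from the thread and not pfSense-generated configuration), the iptables kill switch from the first post and the floating WAN block from panz's post expressed as a hand-written FreeBSD pf.conf fragment, since pf is what pfSense drives underneath. It assumes em0 is WAN, em1 is LAN, ovpnc1 is the OpenVPN client interface and 10.8.0.1 is a placeholder tunnel gateway, and it relies on the behaviour the thread observed: policy-routed traffic falls back to the routing table when the VPN gateway is down.

```pf
# Added example: hand-written FreeBSD pf.conf fragment. It is not pfSense-generated
# configuration and not from the thread; interface names and the tunnel gateway
# address are assumptions.
wan_if = "em0"        # ISP-facing interface
lan_if = "em1"        # LAN, 192.168.1.0/24
vpn_if = "ovpnc1"     # OpenVPN client interface (the thread's BVPN)
vpn_gw = "10.8.0.1"   # placeholder for the tunnel gateway address

# Hosts that may only reach the Internet via the VPN (the thread's VPN_USERS alias)
table <vpn_users> const { 192.168.1.5 }

# Bind states to the interface that created them. With pf's default floating
# states, the state created when the packet enters LAN would also match it on
# WAN, and no out rule on WAN would ever be evaluated for it.
set state-policy if-bound
set skip on lo0

# Outbound NAT (old-style FreeBSD pf syntax). "no nat" on WAN for VPN-only hosts
# mirrors the thread's DO NOT NAT rule; on its own it only makes the ISP drop the
# leaked packets, it does not stop them leaving.
nat on $vpn_if from <vpn_users> to any -> ($vpn_if)
no nat on $wan_if from <vpn_users> to any
nat on $wan_if from $lan_if:network to any -> ($wan_if)

# Kill switch, part 1: policy-route VPN-only hosts into the tunnel (route-to
# bypasses the routing table, like the gateway field of a pfSense rule) and tag
# the packet so it can be recognised whichever interface it ends up leaving on.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <vpn_users> to any \
    tag VPN_ONLY keep state

# Kill switch, part 2: when the tunnel is down the packet falls back to the
# routing table and tries to leave via WAN. NAT has already rewritten its source
# by the time the out rule runs, so "from 192.168.1.5" would not match here;
# the tag still does. Equivalent of the thread's iptables FORWARD ... -o eth1 DROP.
block out log quick on $wan_if all tagged VPN_ONLY

# Everyone else follows the routing table (the "source: NOT VPN_USERS" rule).
pass in quick on $lan_if from $lan_if:network to any keep state
pass out quick on { $wan_if, $vpn_if } keep state
```

Check it with `pfctl -nf /path/to/pf.conf` before loading, and watch `pflog0` for the logged blocks to confirm the fallback traffic is being dropped rather than leaking.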

