Prevent certain LAN IPs from accessing the WAN when OpenVPN goes down
-
Alright, I tried the rules below.
If the 192.168.1.5 -> VPN rule is enabled and the VPN gateway is down, traffic from 192.168.1.5 still flows to the ISP.
If the rule is disabled, then 192.168.1.5 cannot ping anything. So it seems that the moment the traffic is redirected to the VPN gateway, the rest of the routing table is skipped.
Any ideas?
![Screen Shot 2013-08-09 at 6.10.24 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 6.10.24 PM.png) -
Well - What ports are needed for DNS, OpenVPN and little things like that?
You could close everything on LAN, and only allow from the LAN subnet to the pfSense LAN IP (let's call it 192.168.1.1 for simplicity). That would kill all traffic to the net.
Then you could allow only that 1 port that openvpn needs out from LAN 192.168.1.5 to *.
That should do it. One would think.
(Is the VPN client on the computer 192.168.1.5, or is pfSense the client?)
This is easier to do if the computer in question is the client and not pfSense as the client. -
That's the thing: the moment traffic is redirected to the VPN gateway, every other rule seems to be skipped.
I am trying to wrap my head around this:
Policy Route Negation
When a firewall rule directs traffic into the gateway, it bypasses the firewall's normal routing table. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the firewall's routing table. These rules should be at the top of the ruleset – or at least above any rules using gateways.
Am I supposed to create another rule somewhere?
-
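The doc excerpt quoted above is about rule ordering, and the thread's symptom is what happens to a gateway rule once its gateway is down. The following Python model is an added illustration, not code from this thread or from pfSense: it evaluates a LAN ruleset first-match, laid out the way the thread's rules are (a gateway-less rule for local traffic at the top, i.e. policy route negation, then the 192.168.1.5 -> VPN gateway rule, a block for 192.168.1.5, and a catch-all pass for the rest of the LAN). It models the two ways pfSense can treat a rule whose gateway is down: the default, where the rule is loaded without its gateway so matching traffic follows the routing table out the WAN (the leak being seen here), and the System > Advanced > Miscellaneous option "Skip rules when gateway is down", where the rule is left out entirely so the block rule beneath it catches the traffic. The rule list, the gateway name OPENVPN_GW and the addresses (203.0.113.10 is a constructed internet destination) are assumptions of this example.

```python
"""Teaching model of first-match firewall rules with policy-routing gateways.

Added example, not pfSense code. Rule names, the gateway name and the
'skip_when_down' flag are this example's own modelling assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # CIDR source, e.g. "192.168.1.5/32"
    dst: str                        # CIDR destination, "0.0.0.0/0" = anywhere
    gateway: Optional[str] = None   # policy-routing gateway; None = routing table


def evaluate(rules: List[Rule], gateways_up: Dict[str, bool],
             src_ip: str, dst_ip: str, skip_when_down: bool) -> Tuple[str, Optional[str]]:
    """Return (action, gateway_used) for one packet; first matching rule wins.

    skip_when_down=False models the default: a matching rule whose gateway is
    down is kept but loaded without its gateway, so the packet follows the
    routing table (the default route, i.e. the WAN).
    skip_when_down=True models 'Skip rules when gateway is down': the rule is
    omitted entirely and evaluation continues with the rules below it.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.action == "block":
            return ("block", None)
        if r.gateway is None:
            return ("pass", "default")          # plain rule: routing table decides
        if gateways_up.get(r.gateway, False):
            return ("pass", r.gateway)          # policy-routed into the VPN
        if skip_when_down:
            continue                            # rule dropped; fall through to block
        return ("pass", "default")              # gateway stripped: leaks via WAN
    return ("block", None)                      # implicit default deny


# Constructed LAN ruleset mirroring the thread's layout (assumed, not the OP's exact rules).
LAN_RULES = [
    Rule("pass", "192.168.1.0/24", "192.168.1.0/24"),                 # policy route negation
    Rule("pass", "192.168.1.5/32", "0.0.0.0/0", gateway="OPENVPN_GW"),  # TV -> VPN only
    Rule("block", "192.168.1.5/32", "0.0.0.0/0"),                      # TV never via ISP
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0"),                       # everyone else -> ISP
]

INTERNET_HOST = "203.0.113.10"   # constructed (TEST-NET-3) internet destination


def tv_to_internet(vpn_up: bool, skip_when_down: bool) -> Tuple[str, Optional[str]]:
    """What happens to 192.168.1.5 -> internet under a given gateway state and policy."""
    return evaluate(LAN_RULES, {"OPENVPN_GW": vpn_up}, "192.168.1.5", INTERNET_HOST, skip_when_down)


def other_host_to_internet() -> Tuple[str, Optional[str]]:
    """A non-VPN LAN host is unaffected by the VPN gateway state."""
    return evaluate(LAN_RULES, {"OPENVPN_GW": False}, "192.168.1.7", INTERNET_HOST, False)


if __name__ == "__main__":
    print("VPN up:                      ", tv_to_internet(True, False))
    print("VPN down, default behaviour: ", tv_to_internet(False, False))
    print("VPN down, skip rules option: ", tv_to_internet(False, True))
    print("other host, VPN down:        ", other_host_to_internet())
```

With the gateway up, the TV's traffic is passed into OPENVPN_GW. With it down and the default behaviour, the same rule still matches and the packet goes out the default route, which is exactly "the moment the traffic is redirected to the VPN gateway the rest of the rules are skipped". Only when the rule is skipped does the block rule directly beneath it get a chance to match.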
I'd just make the computer the client directly and that solves so many issues.
If it's a Windows machine or a Mac, this is really easy. If it's some server, maybe not as easy. -
Haha yeah… that would be simpler.
What I want is:
Have 3x machines -> ISP
TV -> flow to US VPN
NAS -> Some other VPN
If the OpenVPN links go down, BLOCK the TV and NAS from accessing the outside world.
I did this with DD-WRT before but I have no idea how to do this with pfSense. I must be missing something simple. -
OK - I want to be sure about this, so I'll list some conditions. Tell me which are true or false for you.
Your distant VPN server uses a fixed IP?
If your VPN drops you want everything connected to pfsense to not be able to access internet?
-
> OK - I want to be sure about this, so I'll list some conditions. Tell me which are true or false for you.
> Your distant VPN server uses a fixed IP?

No, it's dynamic. Using the OpenVPN client in pfSense.

> If your VPN drops you want everything connected to pfsense to not be able to access internet?

No, only the machines forwarded to the VPN gateway. -
In that case, not sure… I'll be reading along and thinking about it a while.
-
You posted a screen shot above. I can't see the whole page. Can you repost the screen shot to include the interface tabs etc.?
-
Here you go
![Screen Shot 2013-08-09 at 7.12.12 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.12.12 PM.png) -
This can easily be done using iptables I just don't know how to do it here.
The idea is to mark packets to go to either one routing table or another, then if a packet still arrives at the unwanted interface, drop it. I have my iptables rules in earlier posts.
-
The rules, as they are now, pass everything. For sure. First you pass 192.168.1.5, and then you pass everything that isn't 192.168.1.5.
So, that's everything. For the first one, shouldn't you specify a destination gateway?
-
Yeah, sorry, I was doing some other tests. Here are the rules as they are now. The OpenVPN gateway is down and I can still ping outside from 192.168.1.5.
![Screen Shot 2013-08-09 at 7.20.11 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.20.11 PM.png) -
So, if you put in a rule immediately after the pass 192.168.1.5 to olive rule and you made it a block 192.168.1.5 to anywhere rule, I wonder what that would do?
Second what is the subnet the VPN is using? I have 1 last question after this…
-
Like so?
Still lets traffic go through the ISP.
![Screen Shot 2013-08-09 at 7.40.15 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.40.15 PM.png) -
If none of this works, I'm thinking this.
Traffic should go from 192.168.1.5 > some VPN subnet > WAN > VPN
(my understanding could be bad)
But, if you put a rule on the WAN to block any traffic that is source 192.168.1.5 and destination *, that should block 192.168.1.5 when it's not using the VPN for sure. Not sure if it will also block it when inside the VPN. Never tried it. It's easy to do, try and undo if needed. Maybe try it.
If blocking 192.168.1.5 at the wan doesn't work or if it completely breaks 192.168.1.5 then I'm fresh out of unique and amazing ideas.
-
Like so?
You would think this would work ;) So did I; I think this was the first thing I tried. Anyway, tried it again, same thing.
![Screen Shot 2013-08-09 at 7.49.51 PM.png](/public/imported_attachments/1/Screen Shot 2013-08-09 at 7.49.51 PM.png) -
Just an idle question: do you have a floating rule that says pass anything to anything? Because this is getting strange.
And are you sure the computer in question's IP is actually 192.168.1.5? -
hehe..
No, but I have block source 192.168.1.5 to anywhere. Doesn't work either. -
So, it's going to the VPN as a gateway and then that gateway is sending to the open web when the VPN fails.
Maybe make a rule on the WAN that blocks anything from source interface BOLEVPN that isn't on that one port that OpenVPN needs.
This isn't a multi-public-IP system, right? Just 1 WAN?