Prevent Certain LAN ips from accessing WAN when OpenVPN goes down

kejianshi

Did you apply some rules to the firewall outside the gui using command line?

m3ki

No I don't. I haven't gotten that desperate yet :D I am hoping someone who made pfSense would be able to shed some light on this.

m3ki

What does this mean: (from the docs)
Policy Route Negation
When a firewall rule directs traffic into the gateway, it bypasses the firewall's normal routing table. Policy route negation is just a rule that passes traffic to other local or VPN-connected networks that does not have a gateway set. By not setting a gateway on that rule it will bypass the gateway group and use the firewall's routing table. These rules should be at the top of the ruleset – or at least above any rules using gateways.

kejianshi

It just means that when you send LAN traffic to VPN as gateway it does an end run around the rest of pfsense rules and that if no gateway is stipulated it will use a default gateway.  Also says these rules belong at the top, which is where you have them.

Doesn't explain to me how to get a down VPN to cease and desist passing traffic.

BLOCK TRAFFIC WHEN VPN IS DOWN would be a great option to add to client VPN settings…

m3ki

Well I specified option in vpn client not to route traffic by default. Because by default it would add a rule to force stuff into vpn. That's why policy based routing works. I can throw stuff at vpn as needed.

Is there another way to mark packets to go to that gateway?

kejianshi

I don't know that that would fix your problems.  No matter how the traffic arrives at the VPN gateway it seems it might get to the WEB unless the VPN blocks traffic when down.  An easy fix would be to run those devices off a second small device that acts as a VPN client, like a small DD-WRT router instead of using pfsense as VPN client.  Then you could easily block any traffic not on a VPN port.  Short of that, I guess we have to wait for answer from ubber genius more than us…

m3ki

ok….. so I feel stupid now :)

I may have some progress now.

I have reread the other post over an over so it seems to somewhat work...
I still forward packets to VPN GW but also added DO NOT NAT rule for 192.168.1.5 on WAN. This seems to do the trick but I don't think it's right packets should theoretically go out. How do I drop them?

Status now if VPN is up olive goes through VPN properly.
If VPN is down Olive cannot ping google.


kejianshi

I wouldn't feel stupid - I didn't think to try killing it there in outbound NAT.  Nice.

m3ki

:) Yeah but stuff still goes out and isp still dropping it I assume. I have to drop it at the firewall.
I wish there was a book on pfsense with some diagram on how packets traverse the firewall.

panz

@m3ki:

the rule I used was…
Anything on WAN interface, Direction OUT,coming from 192.168.1.5 - to Anywhere BLOCK <--- this didnt work.
I also tried same as above going to WAN Subnet. that didnt work either.

I've setup the following rule, works perfectly:
Firewall: Rules –> Floating tab

IMPORTANT: it's NOT a quick rule!
Action: Block
Interface: WAN
Direction: any <-- (if set to OUT, it doesn't work!)
Source : any [here you need to enter 192.168.1.5]
Destination: any
[_/] Log packets that are handled by this rule
Description: FLOAT01_NO_INTERNET_IF_AIRVPN_IS_DOWN

Nadar

To my surprise I just tested this and can confirm the problem on 2.1 RC1. I also use policy routing, not default gateway, to route the VPN traffic, and I have nothing else that passes traffic for packets coming from "VPN subnet". It's seems clear to me that the "pass" on the LAN rule is a match for "pass" and thus no further rules are processed and no more consideration is made to whether that packet should be allowed. What I don't understand is why pfSense fall back to the routing table when the policy routing doesn't work. I can see that this could be wanted behaviour in some cases, but certainly not in all (it could for example route bandwith intensive traffic down an expensive link when the cheap link went down). I disagree that this should be an option in the VPN client, I'd rather have the chance to decide this on a per (policy routing) rule basis.

I havent tested with a floating block rule like panz suggests, but if that indeed works it makes me even more interested to get a detailed explanation to how and when firewall rules are processed. Are the floating rules processed before or after the interface rules, and are they processed several times for a single packet (that is for each interface it passes)? I've yet to find a detailed explanation for this, but I'm sure it must exist here somewhere? It's hard to design rules when you're not sure how they are processed.

panz

@Nadar:

Are the floating rules processed before or after the interface rules, and are they processed several times for a single packet (that is for each interface it passes)? I've yet to find a detailed explanation for this, but I'm sure it must exist here somewhere? It's hard to design rules when you're not sure how they are processed.

Floating rules are processed before the others.

All others interface rules are processed top –> down with the condition: first match = stop processing (so, if a packet matches the rules it encountered, further processing is halted).

One thing to consider is stateful inspection: if a packet is a reply to a legitimate one (= reply packet is matching the table) then it is allowed.

See "Firewalling with OpenBSD's PF packet filter" http://home.nuug.no/~peter/pf/en/

FastLaneJB

Hi all,

This has also been bugging me for a while and I'd just given up but with the event of 2.1 final I decided to reload my firewall from scratch and have another go. Tried a few of the suggestions in this thread that hadn't occured to me before but nothing seemed to work. However I believe I've cracked it in my limited testing and once you see why, the answer is obvious :)

Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

"By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down"

So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

With this ticked I then set the "Default allow LAN to any rule" and "Default allow LAN IPv6 to any rule" to run if Source is NOT my VPN Alias.

So now those hosts have Internet when the VPN is up via the VPN. When it goes down they lose Internet completely.

Hope this helps others. Took a while to figure it out.

Nadar

Great find FastLaneJB! I simply enabled this (I have a "VPN source net" instead of a VPN source alias - with no default allow rule), and it seems to behave largely as wanted. I do however still get some traffic to and from my "VPN source net" a while after taking down the VPN, but I haven't properly investigated the cause. It could have several reasons, not necessarily related to pfSense, and I'll have to take a closer look to figure out exactly what's happening.

Annasdaddy

thanks to fastlane and everyone else for the information.  Unfortunately, this doesnt seem to work for me.

I am trying to block all LAN traffic when my VPN goes down, and am about ready to drive myself crazy.

Anyone have any thoughts?

cheers

panz

@FastLaneJB:

Hi all,

This has also been bugging me for a while and I'd just given up but with the event of 2.1 final I decided to reload my firewall from scratch and have another go. Tried a few of the suggestions in this thread that hadn't occured to me before but nothing seemed to work. However I believe I've cracked it in my limited testing and once you see why, the answer is obvious :)

Go to Advanced and then Miscellaneous and down in Gateway Monitoring you'll see "Skip rules when gateway is down" which on my fresh 2.1 install is off by default. It has the following description.

"By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway.This option overrides that behavior and the rule is not created when gateway is down"

So basically when the VPN Gateway is down it puts the rule in but with the default gateway ruining the whole point.

With this ticked I then set the "Default allow LAN to any rule" and "Default allow LAN IPv6 to any rule" to run if Source is NOT my VPN Alias.

So now those hosts have Internet when the VPN is up via the VPN. When it goes down they lose Internet completely.

Hope this helps others. Took a while to figure it out.

This doesn't solve 2 problems.

1. DNS leaks. The pfsense firewall itself will send out DNS queries even if your method is applied;

2. this method doesn't allow the creation of automated rules for VPN traffic itself so, for example, Amazon S3 won't work or will work intermittently, being "caught" by the default deny IPv4/IPv6 rule.

Nadar

@panz:

This doesn't solve 2 problems.

1. DNS leaks. The pfsense firewall itself will send out DNS queries even if your method is applied;

2. this method doesn't allow the creation of automated rules for VPN traffic itself so, for example, Amazon S3 won't work or will work intermittently, being "caught" by the default deny IPv4/IPv6 rule.

I don't see the relevance of your "problems" and this thread. The thread title is "Prevent Certain LAN ips from accessing WAN when OpenVPN goes down", and the way I understand that is that it's about preventing pfSense from rerouting policy routed traffic to the default gateway once the "policy routed gateway" becomes unavailable, and as such it seems spot on.

Regarding 1) That depends on how you configure your network. If you configure the client(s) in question to solely use VPN provided DNS servers, this DNS traffic will also cease when the VPN goes down. I don't know why you would want pfSense itself, or the DNS forwarder, to loose DNS connectivity in that situation, but if that's what you want you could probably also configure them to only use the VPN provider's DNS.

2. I don't even understand what you mean or how you create automated rules for VPN traffic, but provided that these automated rules were created correctly this solution should apply to them as well.

panz

@Nadar:

I don't see the relevance of your "problems" and this thread. The thread title is "Prevent Certain LAN ips from accessing WAN when OpenVPN goes down", and the way I understand that is that it's about preventing pfSense from rerouting policy routed traffic to the default gateway once the "policy routed gateway" becomes unavailable, and as such it seems spot on.

I think that all of us are using a VPN for privacy and security, so preventing DNS leaks is a matter we should deal with.

See https://redmine.pfsense.org/issues/753

@Nadar:

2. I don't even understand what you mean or how you create automated rules for VPN traffic, but provided that these automated rules were created correctly this solution should apply to them as well.

Perhaps you should take a look at your /tmp/rules.debug  ::)

archedraft

I also have my WAN send data through OpenVPN. After about 5 days the VPN goes down and then stops all traffic (which is preferred). Is there a way for pfsense to detect that the VPN connect is down and then automatically restart the service? or maybe there is a way to have a rule that restarts the VPN connection every 3 days?

m3ki

In Client VPN settings there is an option resolv-retry infinite checkbox, or you can passit as a parameter in advanced box.