Help: Block LAN PC Access to WAN when VPN is Down

  • I currently have pfSense configured with WAN (WAN_DHCP), LAN, and OpenVPN interfaces.  The OpenVPN connection is to my commercial VPN provider Private Internet Access (PIAVPN_VPNV4).  The WAN interface is setup as the default gateway.

    I am trying to setup the firewall rules so that traffic from one specific LAN PC ( will always get routed to the OpenVPN gateway (PIA_VPN) and if that interface goes down or becomes unavailable, traffic from that LAN PC to the WAN will be blocked or rejected.

    As currently configured, everything works great EXCEPT for when the OpenVPN goes down.  When that happens, traffic from the designated LAN PC starts moving over the WAN interface.

    Any help adjusting the configuration is appreciated!

    My firewall and NAT rules are attached:

    ![NAT Rules.JPG](/public/imported_attachments/1/NAT Rules.JPG)
    ![NAT Rules.JPG_thumb](/public/imported_attachments/1/NAT Rules.JPG_thumb)
    ![Firewall Rules.jpg_thumb](/public/imported_attachments/1/Firewall Rules.jpg_thumb)
    ![Firewall Rules.jpg](/public/imported_attachments/1/Firewall Rules.jpg)

  • I guess your "block" rule will never fire. You set up logging for it but I expect you will never see a log entry for it.
    What you are doing is policy based routing that means the gateway is not part of the evaluation - it is rather part of the execution of the rule. So unless I'm wrong your first "allow" rule will always catch the traffic for and the second "block" rule will never fire.

  • Thanks - yeah, the block rule is definitely not kicking in.

    What can I do then to affect the setup I'm looking for?  How to "force" all the traffic from the single IP address ( to only use the VPN gateway and NEVER go over the WAN gateway?


  • That block rule will never match. Setting the box under System>Advanced to skip rules for which a gateway is down would accomplish that, though take the gateway out of the block rule.

Log in to reply