Floating Rule assistance (block specific traffic when VPN down)



  • I am trying to configure a floating rule to block traffic (WAN) from a specific IP/port (192.168.12.5:47864) when VPN (PIA) goes down, but still allow everything else via WAN on same IP (192.168.12.5).

    Floating rule configuration:

    Action: block
    NOT A QUICK RULE
    Interface: WAN
    Direction: Any
    TCP/IP Version: IPv4
    Protocol: TCP/UDP
    Source: 192.168.12.5
    Source port range (to&from): 47864
    Destination: any
    Destination port range: any
    log: checked
    Description: Kill WAN if VPN DOWN

    FAIL: tested by disabling openvpn, then watched as the traffic resumed on WAN.

    Thanks for help all!


  • LAYER 8 Netgate

    Floating rules on WAN out are post-NAT so you can't match on the source address. It's already been translated.

    Mark the traffic on the rule that sends it to the VPN in the first place then block that mark on WAN out.

    https://forum.pfsense.org/index.php?topic=76015.msg494089#msg494089
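    The tag-then-block approach from the reply, written out in pf.conf syntax as an added illustration (not a ruleset from the thread or from pfSense's own generated config). In the pfSense GUI the same thing is done with the Tag / Tagged fields under a rule's Advanced Options; the interface names, the VPN gateway address and the tag name below are assumed placeholders.

    ```pf
    # Assumed names for this example: em1 = LAN, em0 = WAN,
    # ovpnc1 = PIA OpenVPN client with gateway 10.8.0.1 (constructed).
    lan_if   = "em1"
    wan_if   = "em0"
    vpn_if   = "ovpnc1"
    vpn_gw   = "10.8.0.1"
    vpn_host = "192.168.12.5"
    vpn_port = "47864"

    # 1. The LAN rule that steers this host:port into the VPN. It matches
    #    pre-NAT on LAN, so the private source address is still visible here.
    #    The tag travels with the state, so it is still present after the
    #    packet has been NATed on the way out of WAN.
    pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
        inet proto { tcp udp } from $vpn_host port $vpn_port to any \
        tag PIA_ONLY keep state

    # 2. The floating-style rule on WAN out. At this point the source is the
    #    WAN address, so "from 192.168.12.5" can never match; the tag can.
    #    Made quick so a later catch-all pass-out rule cannot override the
    #    block (a non-quick block loses to any later matching pass).
    block out quick log on $wan_if tagged PIA_ONLY

    # 3. Everything else from the host is untagged and leaves via WAN as usual.
    pass in quick on $lan_if inet from $vpn_host to any keep state
    ```

    When the VPN gateway is down the tagged traffic falls back to the default route, reaches WAN out still carrying PIA_ONLY, and is dropped and logged there instead of leaking.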

