Another "Skip rules when gateway is down"



  • Hi!

    First of all I just want to say that I need confirmation on this, that it works as I think it does, so please don't erase this thread ;P.

    I have activated "Skip rules when gateway is down" in System: Advanced: Miscellaneous. If my VPN service goes down, then I'm fully safe with no data transfer in or out from me, right?

    And if I want one computer that needs access to the internet at any time (even when the VPN is down), then I just need to make a rule in Firewall: Rules: LAN and enter the internal IP address there, right? (See picture attached)

    Hope to get an answer as soon as possible. And sorry for my bad English! :)

    Thanks!



    1. If the later rules (after the policy-routing one) block the traffic, then the traffic is going to be blocked when the gateway is down.
      But if you have some wide pass rule at the end, like "Allow all on LAN", then the traffic will fall through to that.

    2. Your example rule seems OK - it will push all traffic from 192.168.1.5 out the WAN. If you want this to happen only when the VPN is down, then put it in the LAN firewall rules list after the normal policy-routing rule for VPN traffic. That way it only comes into play when the VPN is down.



  • @phil.davis:

    1. If the later rules (after the policy-routing one) block the traffic, then the traffic is going to be blocked when the gateway is down.
      But if you have some wide pass rule at the end, like "Allow all on LAN", then the traffic will fall through to that.

    2. Your example rule seems OK - it will push all traffic from 192.168.1.5 out the WAN. If you want this to happen only when the VPN is down, then put it in the LAN firewall rules list after the normal policy-routing rule for VPN traffic. That way it only comes into play when the VPN is down.

    Thank you very much for a fast reply!

    Alright, I think I've got this right in my head ;P. Take a look at the attached files and reply if it looks good (I think so) :)

    Don't bother about the 192.168.1.30 rule, it's just a rule that I activate when I'm gonna play some games online (don't need VPN for that). It's the same as the 192.168.1.5 rule I mentioned above in this thread.

    ![Firewall rules.png](/public/imported_attachments/1/Firewall rules.png)
    ![IP4 rule vpn.png](/public/imported_attachments/1/IP4 rule vpn.png)


  • LAYER 8 Netgate

    In the advanced section of the rule that forwards traffic to the VPN, you can set a mark that says NO_WAN_EGRESS.

    Then you can make a floating Reject rule on WAN out, quick, that blocks traffic from any to any if that mark is set.

    Don't want traffic to ever go out WAN?  Pass it with a special rule and set that mark.  Done.  Have Multiple WANs?  Put them all in an interface group and use the group in your floating rule instead.

    Then you can leave all the system-wide routing checkboxes in their default state and avoid unintended consequences of changing the behavior of all your routes and gateways.



  • @Derelict:

    In the advanced section of the rule that forwards traffic to the VPN, you can set a mark that says NO_WAN_EGRESS.

    Then you can make a floating Reject rule on WAN out, quick, that blocks traffic from any to any if that mark is set.

    Don't want traffic to ever go out WAN?  Pass it with a special rule and set that mark.  Done.  Have Multiple WANs?  Put them all in an interface group and use the group in your floating rule instead.

    Then you can leave all the system-wide routing checkboxes in their default state and avoid unintended consequences of changing the behavior of all your routes and gateways.

    Where is this "advanced section"? And is "NO_WAN_EGRESS" a command that pfSense knows what to do with? Sorry for the dumb question, but I can't find where to put "NO_WAN_EGRESS" exactly.

    It seems to work like I have it now. If I disable the VPN then there is no internet (can't browse or ping websites), and if I activate it again then the internet is up and running again with the VPN :)


  • Banned

    @klasgoeran:

    Where is this "advanced section"?

    @klasgoeran:

    And is "NO_WAN_EGRESS" a command that pfSense knows what to do with? Sorry for the dumb question, but I can't find where to put "NO_WAN_EGRESS" exactly.

    No, it's a mark you can use to match packets later in another rule. See the box just below.



  • @doktornotor:

    @klasgoeran:

    Where is this "advanced section"?

    @klasgoeran:

    And is "NO_WAN_EGRESS" a command that pfSense knows what to do with? Sorry for the dumb question, but I can't find where to put "NO_WAN_EGRESS" exactly.

    No, it's a mark you can use to match packets later in another rule. See the box just below.

    Thanks for the clarification!

    But geez, this is above my knowledge of pfSense. So I'm asking kindly if you have the time and patience to make a little tutorial with nice pictures so I know how to do it? If you don't want to, it's okay. It must be pretty annoying with all these questions.



  • I hope that the last rule will block anything when the VPN goes down, except the rule for 192.168.1.30 when it's activated? (Changed to "Block" instead of "Reject")

    ![IP4 rule vpn.png](/public/imported_attachments/1/IP4 rule vpn.png)



    1. Yes, that should work as it is, but;
    2. The last block rule does not need a gateway specified - the gateway is an action to take when a packet is passed, on a block rule there are no passed packets to send anywhere. It will be clearer if you remove the gateway from the block rule.
    3. The WAN_EGRESS stuff is also a good idea for protection. That is putting a check on packets as they leave WAN. When the packets first arrive on LAN they are given the tag. Because of the gateway in the LAN rule they are expected to go out the VPN. If for some reason the system gets in some state that the packets are being sent out WAN, then the floating rule on WAN out can check and drop/block any packets it sees with that tag.

  • LAYER 8 Netgate

    I also use floating rules on WAN out to prevent egress of RFC1918 destined packets, etc.

    Tags are also the only way to match packets from a specific LAN source on WAN out because NAT has already translated the source address at that point in the flow.

    It's not that complicated and can solve a lot of otherwise tricky problems.
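    As an added illustration of the mechanism Phil (post above, point 3) and Derelict describe, here is what the equivalent ruleset looks like in raw pf(4) syntax, the packet filter pfSense drives underneath the GUI. This is not from the thread and not the ruleset pfSense itself generates; the interface names, the OpenVPN client interface and the 10.8.0.1 tunnel gateway are assumptions, while the 192.168.1.5 and 192.168.1.30 hosts are the ones from the thread.

```conf
# Added example in raw pf(4) syntax, approximating what pfSense builds from
# the GUI rules discussed in this thread. Interface and gateway names are
# assumptions, not taken from the thread.
lan_if  = "em1"
wan_if  = "em0"
vpn_if  = "ovpnc1"          # OpenVPN client interface (assumed)
vpn_gw  = "10.8.0.1"        # far side of the tunnel (assumed)
lan_net = "192.168.1.0/24"
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Floating rules on WAN out (pfSense evaluates floating rules first) ---
# Anything carrying the NO_WAN_EGRESS tag must never leave via WAN, whatever
# state the VPN gateway is in. The tag travels with the state, so it still
# matches after outbound NAT has rewritten the LAN source address.
block out quick on $wan_if tagged NO_WAN_EGRESS
# Derelict's second use of the same rule position: no RFC 1918 destinations
# out WAN.
block out quick on $wan_if from any to <rfc1918>

# --- LAN rules, first match wins because every rule is "quick" ---
# 1. Policy-route LAN to the VPN and tag the state. With "Skip rules when
#    gateway is down" set, pfSense leaves this rule out of the loaded ruleset
#    while the VPN gateway is down, so LAN traffic falls through to 2-4.
pass in quick on $lan_if inet from $lan_net to any \
    route-to ($vpn_if $vpn_gw) tag NO_WAN_EGRESS keep state

# 2. One host that may use the WAN when the VPN is down. No route-to, so it
#    follows the default route (WAN); it is deliberately not tagged.
pass in quick on $lan_if inet from 192.168.1.5 to any keep state

# 3. Game box, enabled only when needed; same idea as rule 2.
pass in quick on $lan_if inet from 192.168.1.30 to any keep state

# 4. Everything else is dropped. A block rule takes no gateway: the gateway
#    is where *passed* packets are sent, and nothing passes here.
block in quick on $lan_if inet from $lan_net to any
```

    To check it on the box, `pfctl -sr` prints the ruleset currently loaded; with the VPN gateway down and the skip option set, the `route-to` rule should simply be absent from that output. `pfctl -vvsr` adds per-rule evaluation and packet counters, so a non-zero packet count on the `tagged NO_WAN_EGRESS` block rule is direct evidence that tagged traffic tried to leave via WAN and was stopped. Note that a block or reject rule configured with a gateway in the GUI adds nothing, for the reason given in point 2 of Phil's reply above.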



  • @Derelict:

    I also use floating rules on WAN out to prevent egress of RFC1918 destined packets, etc.

    Tags are also the only way to match packets from a specific LAN source on WAN out because NAT has already translated the source address at that point in the flow.

    It's not that complicated and can solve a lot of otherwise tricky problems.

    So, if I want to do this like you do (block WAN activity when the VPN goes down), do I need to do it this way?

    Firewall: Rules -> Floating tab

    Action: Block
    Not a quick rule
    Interface: WAN
    Direction: any
    Source : any
    Destination: any
    Description: No internet if VPN goes down

    And what more do I need to do to get all this working with "NO_WAN_EGRESS"?

    Maybe anyone have a nice tutorial with pictures on how to do this the right way?

    EDIT: Found this https://forum.pfsense.org/index.php?topic=65331.msg364294#msg364294 .

    But there should be no DNS leaks if I have set pfSense to use my VPN's DNS addresses all the time, right? Because if I add a rule for a specific computer to use the standard WAN when the VPN is down, then it gets my ISP's IP address, but it keeps my VPN's DNS address, because I entered it in the general setup of pfSense?

    Thanks for any future answers!

