Netgate Discussion Forum

    Block LAN host from using WAN gateway

    Firewalling
    9 Posts 2 Posters 1.2k Views
    • drdoolittle

      Hi all,

      I'm a bit stuck right now with a task that seemed so simple. I have two gateways: WAN and OpenVPN. WAN is the default gateway. What I want is that a certain host uses the OpenVPN gateway only, and when it goes down, that host should not fall back to the WAN gateway.

      Everything is fine as long as the OpenVPN gateway is up: all hosts are using it. As soon as it goes down, the hosts revert to WAN, which is okay, but so does 192.168.2.200, which is not okay. It is using 192.168.2.1 (a bridged interface with 2x physical LAN NICs) as its gateway.

      Any ideas?
      fw.jpg

      • doktornotor

        Use the advanced options to mark the traffic and match/block it in floating rules. There's also this "Skip rules when gateway is down".

        • drdoolittle

          Where exactly is the option to mark the traffic? I put the source IP into floating as well but to no avail.

          • doktornotor

            I said in advanced options.

            • drdoolittle

              @doktornotor:

              Use the advanced options to mark the traffic and match/block it in floating rules. There's also this "Skip rules when gateway is down".

              Skip rules will bring the whole internet access down when the VPN is not up; also, it is not always certain that this works, because pfSense doesn't always report back the right gateway state of the VPN.

              How do I mark the traffic? I suppose you mean the advanced options within the rule? What do I have to put in there to mark it?

              • doktornotor

                @drdoolittle:

                I suppose you mean the advanced options within the rule? What do I have to put in there to mark it?

                Obviously. Does not matter what you put there. Something to match later on the floating rule via the other box.

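As an added illustration of the tag-and-match approach described in this reply (this is not the poster's configuration nor the ruleset pfSense generates; the interface names, the VPN gateway address and the tag name are assumptions), here is the plain pf.conf equivalent, with the floating rule that does not work beside the one that does:

```pf
# Constructed example, not from the thread. Interface names, the VPN
# gateway address and the tag name are assumptions.
lan        = "bridge0"        # the bridged LAN, 192.168.2.1
wan        = "em0"
ovpn       = "ovpnc1"
ovpn_gw    = "10.8.0.1"
restricted = "192.168.2.200"  # the host that must never leave via WAN

# What "putting the source IP into floating" amounts to, and why it fails:
# outbound NAT is applied before an out-direction rule on WAN is evaluated,
# so by then the source is already the WAN address and this never matches.
# block out quick on $wan from $restricted

# Working approach, step 1 (the LAN rule's advanced "Tag" field): policy-route
# the host to the VPN gateway and mark its packets. The tag survives NAT.
pass in quick on $lan from $restricted to any route-to ($ovpn $ovpn_gw) tag VPN_ONLY

# Step 2 (floating rule, direction out, interface WAN, "Tagged" field): drop
# anything still carrying the mark. When the VPN gateway is down the host's
# traffic would otherwise revert to the default gateway, as the thread
# describes; it is stopped here instead of leaking out WAN.
block out quick on $wan tagged VPN_ONLY

# Everyone else keeps WAN as their fallback.
pass in quick on $lan from 192.168.2.0/24 to any
```

In the GUI this is the "Tag" field under the LAN rule's Advanced Options plus a floating rule on WAN, direction out, quick, with the same value in its "Tagged" field; the tag name itself is arbitrary, which is what "does not matter what you put there" refers to.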
                • drdoolittle

                  Could you state an example maybe? I'm pretty new to pfSense and firewalling in general.

                  • drdoolittle

                    Okay I found a solution and want to share it:

                    I have a bridge with LAN + LAN2. I put all those that may have access to OpenVPN & WAN into 192.168.0.0/24 (LAN) and the host that may only access OpenVPN into 192.168.1.0/24 (LAN2). Then I added NAT rules that allow LAN to access both OpenVPN and WAN, and added another rule for LAN2 to access the OpenVPN interface only.

                    That did the trick: whenever the OpenVPN connection goes down, LAN still has access to WAN but LAN2 doesn't.

                    • doktornotor

                      Congrats. So, you did set up an absolutely pointless and unwanted bridge only to unbridge it later on via stupid NAT hack. Wonderful. Rocks. Awesome. Yay.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.