Block LAN host from using WAN gateway
-
Hi all,
I'm a bit stuck right now with a task that seemed so simple. I have two gateways: WAN and OpenVPN. WAN is the default gateway. What I want is, that a certain host is using the OpenVPN Gateway only and when it gets down, the hosts should not fall back to use the WAN gateway.
Everything is fine as long as the OpenVPN Gateway is up, all hosts are using it. As soon as it gets down, the hosts revert back to WAN which is okay, but also 192.168.2.200 which is not okay. It is using 192.168.2.1 (a bridged interface with 2x physical LAN nics) as gateway.
Any ideas?
-
Use the advanced options to mark the traffic and match/block it in floating rules. There's also this "Skip rules when gateway is down".
-
Where exactly is the option to mark the traffic? I put the source IP into floating as well but to no avail.
-
I said in advanced options.
-
Use the advanced options to mark the traffic and match/block it in floating rules. There's also this "Skip rules when gateway is down".
Skip rules will bring the whole internet access down when the VPN is not up, also it is not always certain that this works because pfsense doesn't always report back the right gateway state of the VPN.
How do I mark the traffic? I suppose you mean the advanced options within the rule? What do I have to put in there to mark it?
-
I suppose you mean the advanced options within the rule? What do I have to put in there to mark it?
Obviously. Does not matter what you put there. Something to match later on the floating rule via the other box.
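As an added illustration (not from the poster above, and not pfSense's generated ruleset), here is what the "tag it in the LAN rule, block the tag in a floating rule" advice looks like in the pf syntax that pfSense generates behind the GUI. Interface names, the tunnel gateway address, and the tag name NO_WAN are assumptions; the subnet and host come from the thread.

```pf
# Added example, not from the thread. Interface names, the tunnel gateway
# address and the tag name are assumptions; 192.168.2.0/24 and the
# VPN-only host 192.168.2.200 come from the original question.
lan_if   = "bridge0"         # assumed: the LAN bridge at 192.168.2.1
wan_if   = "em0"             # assumed: WAN interface (default gateway)
ovpn_if  = "ovpnc1"          # assumed: OpenVPN client interface
ovpn_gw  = "10.8.0.1"        # assumed: gateway address inside the tunnel
vpn_only = "192.168.2.200"   # host that must never fall back to WAN

# 1. LAN rule for the VPN-only host: policy-route it through the tunnel and
#    tag every packet/state it creates.
#    GUI equivalent: LAN rule, Gateway = OpenVPN, Advanced Options -> Tag = NO_WAN.
pass in quick on $lan_if inet from $vpn_only to any \
    route-to ($ovpn_if $ovpn_gw) tag NO_WAN keep state

# 2. Floating rule on WAN: if the gateway monitor marks OpenVPN down and the
#    route-to is dropped, the still-tagged traffic would follow the default
#    route to WAN; this rule stops it there instead of letting it leak out.
#    GUI equivalent: Floating rule, Action = Block, Quick, Direction = out,
#    Interface = WAN, Advanced Options -> Tagged = NO_WAN.
block out quick on $wan_if tagged NO_WAN

# 3. Every other LAN host keeps normal behaviour and may fail over to WAN.
pass in quick on $lan_if inet from 192.168.2.0/24 to any keep state
```

The point of the tag is that the decision "never via WAN" is made once, on the LAN rule that knows which host it is, while the enforcement happens on the WAN side regardless of which gateway the failover logic currently selects. A quick way to check the result from the shell is to watch `pfctl -ss` (state table) and `pfctl -vsr` (rule hit counters) while the tunnel is down: the block rule's counter should increase and no state for 192.168.2.200 should appear on the WAN interface.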
-
Could you state an example maybe? I'm pretty new to pfSense and firewalling in general.
-
Okay I found a solution and want to share it:
I have a bridge with LAN + LAN2. I put all those that may have access to OpenVPN & WAN into 192.168.0.0/24 (LAN) and the host that may only access OpenVPN into 192.168.1.0/24 (LAN2). Then I added NAT rules that allow LAN to access both OpenVPN+WAN and then only added another rule for LAN2 to access the OpenVPN interface only.
That did the trick: whenever the OpenVPN connection goes down, LAN still has access to WAN but LAN2 doesn't.
-
Congrats. So, you did set up an absolutely pointless and unwanted bridge only to unbridge it later on via stupid NAT hack. Wonderful. Rocks. Awesome. Yay.