OpenVPN kill switch for a segment of the pfSense subnet (not entire router)
  • Here is my scenario.  I have two subnets:

    172.16.1.0/25
    172.16.1.128/25

    .0/25 connects directly to the internet
    .128/25 connects through a VPN connection

    When the VPN goes down, I want traffic in the .128/25 segment to lose connectivity without bringing down the entire .0/24 subnet.

    I know that for the entire router kill switch one just uses floating rules, but that's not an option as I want to retain connectivity for the .0/25 segment.

    The only thing I've had success with that appears to be working is disabling outbound NAT for the .128/25 segment over the WAN interface so that if the VPN goes down NAT doesn't occur for anything going out from .128/25.  However, I worry this means the packets are still being sent out to the internet even if there is no way to route them back.

    Is this an acceptable solution or is there risk that with the packets still being sent out to the net with a return IP of, say, 172.16.1.150, are going to expose a "security hole"?


  • Rebel Alliance Developer Netgate

    It's a bit tricky, but you can probably pull that off a couple different ways, the first that comes to mind is:

    1. Assign the OpenVPN instance as an interface (assign, enable, set to 'none' for addresses, save, then re-save the VPN instance to reset it)
    2. Add a rule at the top of the local interface for that .0/25 segment using the VPN interface gateway only
    3. System > Advanced, Misc tab, check "Skip rules when gateway is down"
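
As an added illustration (not from either poster), the pf rules that the three steps above roughly produce on pfSense, written out by hand. Interface macros `$LAN` and `$WAN`, the assigned OpenVPN interface `ovpnc1` and the tunnel gateway `10.8.0.1` are assumed placeholder names; the explicit fallback block rule is an addition that closes the leak the question worries about, since a rule that is skipped when the gateway is down otherwise lets the segment fall through to whatever default pass rule follows.

```pf
# Added example, not from the thread. Assumed names: $LAN, $WAN,
# ovpnc1 (assigned OpenVPN client interface), 10.8.0.1 (VPN gateway).

# Step 2: policy-route the VPN segment through the tunnel only.
# With "Skip rules when gateway is down" enabled, pfSense omits this
# rule entirely while ovpnc1's gateway is marked down.
pass in quick on $LAN route-to (ovpnc1 10.8.0.1) inet \
    from 172.16.1.128/25 to any keep state

# Fallback: if the rule above is skipped, drop anything from the VPN
# segment that is not destined for the local /24. This is done on the
# LAN side on purpose: pf applies outbound NAT before filtering on WAN,
# so a "block out on $WAN from 172.16.1.128/25" rule would never match
# once the source has been rewritten to the WAN address.
block in quick on $LAN inet from 172.16.1.128/25 to ! 172.16.1.0/24

# The directly-connected segment keeps its normal default route.
pass in quick on $LAN inet from 172.16.1.0/25 to any keep state
```

To confirm nothing escapes while the tunnel is down, watch the WAN interface for untranslated private sources: `tcpdump -ni <wan-if> net 172.16.1.128/25` should stay silent, and hosts in .128/25 should get no reply from the internet rather than a reply from the WAN address.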