Netgate Discussion Forum
    OpenVPN kill switch for a segment of the pfSense subnet (not entire router)

    OpenVPN
    2 Posts 2 Posters 1.3k Views
    • life359

      Here is my scenario.  I have two subnets:

      172.16.1.0/25
      172.16.1.128/25

      .0/25 connects directly to the internet
      .128/25 connects through a VPN connection

      When the VPN goes down, I want traffic in the .128/25 segment to lose connectivity without bringing down the entire .0/24 subnet.

      I know that for an entire-router kill switch one just uses floating rules, but that's not an option, as I want to retain connectivity for the .0/25 segment.

      The only thing I've had success with that appears to be working is disabling outbound NAT for the .128/25 segment over the WAN interface so that if the VPN goes down NAT doesn't occur for anything going out from .128/25.  However, I worry this means the packets are still being sent out to the internet even if there is no way to route them back.

      Is this an acceptable solution, or is there a risk that the packets still being sent out to the net with a return IP of, say, 172.16.1.150 are going to expose a "security hole"?

      • jimp (Rebel Alliance Developer, Netgate)

        It's a bit tricky, but you can probably pull that off a couple of different ways; the first that comes to mind is:

        1. Assign the OpenVPN instance as an interface (assign, enable, set to 'none' for addresses, save, then re-save the VPN instance to reset it)
        2. Add a rule at the top of the local interface for that .0/25 segment using the VPN interface gateway only
        3. System > Advanced, Misc tab, check "Skip rules when gateway is down"

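A way to verify the outcome of the three steps above on the firewall itself, as an added example that is not part of the thread and not code from pfSense or Netgate. pfSense renders a rule with a gateway as a pf `route-to` rule; when that gateway is down, the rule is normally reloaded without `route-to` (so the traffic follows the default route out the WAN), and "Skip rules when gateway is down" makes pfSense omit the rule entirely instead. The script reads a `pfctl -sr` dump and reports the first rule that would pass traffic from the VPN-only segment (172.16.1.128/25, the one the poster routes through the VPN) somewhere other than the OpenVPN interface. The interface names `em1` and `ovpnc1`, the gateway address 10.8.0.1 and all four sample rulesets are constructed for illustration; the explicit block rule placed under the policy-routing rule is my own addition, not one of the steps in the reply, so that nothing lower in the ruleset can pass the segment once the policy-routing rule is skipped.

```python
"""Audit a pfSense ruleset dump for traffic leaking from a VPN-only segment.

Added example; not code from pfSense or Netgate.  Reads `pfctl -sr` output
and reports a rule that would pass packets from VPN_SEGMENT towards the
internet without `route-to` the OpenVPN interface.  Interface names and the
sample rulesets below are constructed for illustration.
"""
import ipaddress
import re
import sys

VPN_SEGMENT = ipaddress.ip_network("172.16.1.128/25")
VPN_IF = "ovpnc1"  # assumed name of the assigned OpenVPN client interface
LAN_IF = "em1"     # assumed LAN interface name


def parse_rule(line):
    """Extract the fields the audit needs from one `pfctl -sr` line."""
    line = re.sub(r'\s+label\s+".*"$', "", line.strip())  # labels may contain "to"/"from"
    words = line.split()
    if not words or words[0] not in ("pass", "block"):
        return None  # anchors, options, blank lines, "match" rules
    route_to = re.search(r"route-to\s*\(\s*(\S+)", line)
    iface = re.search(r"\son\s+(\S+)", line)
    src = re.search(r"\sfrom\s+(\S+)", line)
    dst = re.search(r"\sto\s+(\S+)", line)  # "\s" before "to" skips "route-to"
    return {
        "action": words[0],
        "quick": "quick" in words,
        "iface": iface.group(1) if iface else "any",
        "route_to": route_to.group(1) if route_to else None,
        "src": src.group(1) if src else "any",
        "dst": dst.group(1) if dst else "any",
        "text": line,
    }


def _net(token):
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # "any", tables like <bogons>, interface macros


def rule_matches_segment(rule):
    """True if the rule can match a packet from VPN_SEGMENT bound for the internet."""
    if rule["iface"] not in ("any", LAN_IF):
        return False
    src, dst = _net(rule["src"]), _net(rule["dst"])
    src_hit = rule["src"] == "any" or src is None or src.overlaps(VPN_SEGMENT)
    # A private destination is local traffic, not a leak path; tables and
    # macros are unknown, so they are treated conservatively as internet-bound.
    dst_hit = rule["dst"] == "any" or dst is None or not dst.is_private
    return src_hit and dst_hit


def find_leak(ruleset):
    """Return the deciding rule text if it passes the segment off the VPN, else None.

    pf semantics: the last matching rule wins, except that a matching rule
    marked `quick` ends evaluation at once (pfSense user rules are quick).
    If nothing matches, pfSense's default deny applies and nothing leaks.
    """
    decision = None
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if rule is None or not rule_matches_segment(rule):
            continue
        decision = rule
        if rule["quick"]:
            break
    if decision and decision["action"] == "pass" and decision["route_to"] != VPN_IF:
        return decision["text"]
    return None


# Constructed samples in `pfctl -sr` form (pf prints route-to after the interface).
# VPN up: the policy-routing rule carries its gateway; my block rule sits under it.
RULES_VPN_UP = """\
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 172.16.1.128/25 to any flags S/SA keep state label "USER_RULE: VPN segment via VPN"
block drop in quick on em1 inet from 172.16.1.128/25 to any label "USER_RULE: kill switch"
pass in quick on em1 inet from 172.16.1.0/25 to any flags S/SA keep state label "USER_RULE: direct segment"
"""
# VPN down with "Skip rules when gateway is down": the policy rule is omitted entirely.
RULES_VPN_DOWN_SKIP = """\
block drop in quick on em1 inet from 172.16.1.128/25 to any label "USER_RULE: kill switch"
pass in quick on em1 inet from 172.16.1.0/25 to any flags S/SA keep state label "USER_RULE: direct segment"
"""
# VPN down without that option: the same rule is loaded minus its gateway.
RULES_VPN_DOWN_NOSKIP = """\
pass in quick on em1 inet from 172.16.1.128/25 to any flags S/SA keep state label "USER_RULE: VPN segment via VPN"
block drop in quick on em1 inet from 172.16.1.128/25 to any label "USER_RULE: kill switch"
"""
# Outbound NAT removed for .128/25 but the filter still passes the whole /24:
# the packets are forwarded out the WAN un-NATed, exactly as the poster feared.
RULES_NAT_ONLY = """\
pass in quick on em1 inet from 172.16.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
"""

if __name__ == "__main__":
    leak = find_leak(sys.stdin.read())  # usage on the firewall: pfctl -sr | python3 audit.py
    print("LEAK: " + leak if leak else "ok: no rule passes the VPN segment off the VPN")
    sys.exit(1 if leak else 0)
```

The check is deliberately limited to what the filter ruleset shows: it does not look at NAT rules at all, which is the point, since removing a NAT mapping changes what the packet looks like on the wire, not whether pf forwards it. Destinations given as tables or macros are treated as internet-bound, so a false positive is possible there; a false negative is not, as long as the dump comes from `pfctl -sr` on the running firewall.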
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.