Netgate Discussion Forum

    Force traffic to flow via VPN adapter

    Category: Firewalling. 3 Posts, 2 Posters, 1.5k Views
    Norbert78

      Dear forum,
      as you could read in my previous post, I set up a pfsense as a VPN gateway and after some struggle with NAT this is now working fine.
      However, there is one thing that I want to change:
      In its default configuration the pfsense routes all traffic simply from LAN to WAN. As soon as the VPN is up, the routes that are pushed by the server, change that in a manner that all traffic is routed from LAN to OpenVPN-GW.
      However, if the VPN tunnel disconnects, pfsense will again route via the WAN interface and this is a thing that I want to block. In case the VPN goes down, all clients shall be offline.
      I played around with the firewall rules but I did not manage to configure it like this. What I managed to do is a configuration of floating rules to allow DHCP, DNS and the connection to the VPN server. However, what I'm looking for is a way to tell pfsense that all traffic from LAN to the OPENVPN adapter is allowed while all the other traffic from LAN to WAN shall be blocked.
      I guess that there are various ways to achieve this and I would be grateful if somebody would have an idea for me on where to start.
      Thanks
      Norbert

    Norbert78

        After a night of debugging, I finally figured it out myself :-) In case anybody has the same issue, here is the solution

        1. Disable NAT for the LAN => WAN direction
        2. Add a policy rule for the LAN that sets the gateway of the VPN tunnel for all traffic of the LAN if
        3. Add a floating rule to quick block all traffic from LAN via the default gateway.

        I have no idea why I had to add the 3rd rule, but without it, it does not work as expected. There seems to be an inherent pass rule in the system that allows traffic to flow from the LAN to the WAN default gateway.

        Enjoy your weekend!
        Norbert

    gcu_greyarea
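As an added illustration (not from the thread, and not the ruleset pfSense itself generates from the GUI), here is what the three steps look like as hand-written pf rules. Interface names, the LAN subnet and the VPN gateway address are assumed placeholders; pfSense's "Skip rules when gateway is down" behaviour is assumed to be off, so a policy-routing rule whose gateway is down falls back to the default route and has to be caught by the floating block.

```pf
# Added example, not from the original post. Assumed names:
#   LAN interface igb1 with subnet 192.168.1.0/24
#   WAN interface igb0 (default route lives here)
#   OpenVPN client interface ovpnc1, tunnel gateway 10.8.0.1
lan_if  = "igb1"
lan_net = "192.168.1.0/24"
wan_if  = "igb0"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"

# Step 1: outbound NAT only on the VPN interface, none on WAN.
# LAN traffic that somehow reaches WAN keeps its private source
# address instead of being masqueraded behind the public WAN IP.
nat on $vpn_if from $lan_net to any -> ($vpn_if)

# Step 3: floating "quick" block. With "quick", pf stops at the first
# match, so this wins over any later pass rule. It only matches LAN
# sources, so the firewall's own OpenVPN session to the VPN server
# (sourced from the WAN address) is not affected.
block quick on $wan_if from $lan_net to any

# Step 2: policy routing. Every LAN packet is handed to the VPN
# gateway instead of following the kernel's default route. While the
# tunnel is up, packets leave via ovpnc1 and never touch the block
# rule; if the tunnel is down and the gateway is dropped from this
# rule, packets fall back to WAN and the block above catches them.
pass in quick on $lan_if from $lan_net to any \
    route-to ($vpn_if $vpn_gw) keep state
```

To verify the fail-closed behaviour, stop the OpenVPN client and watch the WAN-side block counters (for example with pfctl -vvsr) while a LAN host tries to reach the internet; the counter on the block rule should rise and the host should get no replies.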

          Hi Norbert,

          I found this guide very useful when I was testing a similar setup.

          https://forum.pfsense.org/index.php?topic=106305.0

          Have a look at bullet points 9 & 10 about tagging the traffic for NO_WAN_EGRESS and then using a floating rule to prevent only selected traffic from using the WAN interface.

          In your post you described a method to block all LAN Traffic to WAN, but you may not always need that…

          This post was also helpful:
          https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.