How to implement "Kill Switch" with VPN

Hello.

I have 3 Gateways - my WAN to the ISP and two OpenVPN interfaces.

When a VPN is down, my client that is sent to this VPN via a firewall rule automatically connects to my WAN directly. How can I change the behaviour that when an assigned Gateway is down to block the traffic?

In my firewall rule list I have all clients going to VPN1 and a rule later I have them sent to VPN2, but they go to WAN instead.

I found “Skip rules when gateway is down” in System/Advanced/Misc, but am uncertain how this is supposed to work.

Many thanks in advance for any help!

SOLVED: Here is an excellent video explaining how to achieve this:

https://youtu.be/ulRgecz0UsQ?feature=shared

Thanks to all for your help.

It’s been a while for me and I don’t have access to my pfSense ATM, but I recall there is an option to tag packets.

So you tag the packets that are going through the VPN as “VPN_packet” under firewall rules, and on the WAN section you create a rule that blocks all packets tagged with “vpn_packet”.

Alternatively, if you are not using policy-based routing and your entire subnet goes through a VPN, just go to your outbound NAT, remove the WAN entries for that subnet and leave only the VPN gateways configured.

This is the best video I’ve seen on the topic. Hopefully it helps you.

https://www.youtube.com/watch?v=ulRgecz0UsQ

You just need to “tag” VPN’d gateway traffic with something unique. Then in the floating tab, make a block rule through WAN for any traffic tagged for the VPN gateways.

I would set up my outbound NAT rules so that client only has your VPN WAN as the outbound NAT rule. So if the VPN goes down, there isn’t even another route for it to take.
Less chance for leakage if there isn’t even an outbound NAT rule to your WAN.

You need an alias list for the devices you want behind your VPN, then set up rules like this:

https://ibb.co/bgdsckY

I believe my rules route out the VPN gateway and, since it’s top down, the rules under it block to WAN.

I actually now have WireGuard on my phone feeding into WireGuard on pfSense, then back out Mullvad WireGuard.

My docker network is forced through vlan that can only exit through VPN.

“Skip rules when gateway is down” should have your VPN1 rule be skipped if the gateway is down. You need gateway monitoring enabled on it so it can be marked as down. You’d also need to configure outbound NAT appropriately.

If you definitely don’t want them going out WAN regardless of any situation, put a block rule under your VPN2 rule for blocking traffic out the default gateway from those sources.
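Pulling the three suggestions in this thread together (tagging VPN traffic and blocking it on WAN, outbound NAT only on the VPN interfaces, and a final block under the VPN2 rule), here is what the resulting ruleset looks like written as a plain pf ruleset, which is what pfSense generates from the GUI tabs. This is an added, constructed example, not something posted in the thread or taken from pfSense's own generated rules; the interface names, gateway addresses and client IPs are assumptions and must be replaced with your own.

```pf
# Constructed example: a pf ruleset for the VPN "kill switch" described above.
# Interface names, gateway addresses and client IPs are assumptions.
wan  = "em0"          # WAN to the ISP
lan  = "em1"          # LAN holding the clients that must stay behind the VPN
vpn1 = "ovpnc1"       # first OpenVPN client interface (assumed name)
vpn2 = "ovpnc2"       # second OpenVPN client interface (assumed name)
vpn1_gw = "10.8.0.1"  # assumed next hop inside tunnel 1
vpn2_gw = "10.9.0.1"  # assumed next hop inside tunnel 2

# Alias of the clients that must never reach the Internet over WAN
# (the alias list mentioned in the thread; constructed addresses).
table <vpn_clients> { 192.168.1.50, 192.168.1.51 }

# Outbound NAT only on the two VPN interfaces. There is deliberately no
# "nat on $wan from <vpn_clients>" line, so when both tunnels are down
# there is no translated path out the WAN for these sources to fall into.
nat on $vpn1 from <vpn_clients> to any -> ($vpn1)
nat on $vpn2 from <vpn_clients> to any -> ($vpn2)

# Floating kill switch (the "floating tab" rule): anything that reaches the
# WAN still carrying the VPN tag is dropped before it leaves. "quick" stops
# evaluation so no later pass rule on WAN can let it through.
block out quick on $wan tagged VPN_PACKET

# LAN rules, evaluated top down. Policy-route to VPN1 first, then VPN2,
# tagging the traffic so the WAN rule above can recognise it. With
# "Skip rules when gateway is down" enabled (and gateway monitoring on),
# pfSense omits the route-to rule whose gateway is marked down, so the
# VPN2 rule takes over instead of the traffic leaking via the default route.
pass in quick on $lan from <vpn_clients> to any \
    route-to ($vpn1 $vpn1_gw) tag VPN_PACKET keep state
pass in quick on $lan from <vpn_clients> to any \
    route-to ($vpn2 $vpn2_gw) tag VPN_PACKET keep state

# Last resort under the VPN2 rule: if both tunnels are down, block rather
# than fall through to a later pass rule that would use the default gateway.
block in quick on $lan from <vpn_clients> to any
```

The three layers are independent: the final LAN block stops the traffic at the first hop when both tunnels are down, the missing WAN NAT entry means any packet that does slip past has no usable translation, and the tagged WAN block catches anything that was passed without its route-to (which is what happens when a gateway is down and the skip option is not set). Keeping all three is cheap and means a single misordered rule does not turn into a leak.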

Thanks for sharing it.

Best answer, many thanks.

Yes, I think this is the way to do this.