
Author Topic: Need help with firewall rule to block traffic on WAN except VPN tunnel  (Read 477 times)


nils92
Hi guys,

I need some help, as I'm not a professional with pfSense by any means. I'm currently running 3 OpenVPN clients on my pfSense box and route websites/clients through them via firewall rules put in the LAN tab, which works fine.

Now I'm wondering what would be the best approach to block all traffic on my WAN network (i.e. going via my ISP) except what is needed to establish the VPN tunnels?


Any help appreciated.

isolatedvirus
If you're trying to deny outbound access to the internet except for VPN traffic, you can use policy-based routing through the use of gateways in the advanced portion of firewall rules.

nils92
That's pretty much what I did so far: added a deny rule at the end and made aliases for hosts etc. that I want to go through the VPN. So far it seems to work fine with having 3 different tunnels.

The only things that go directly via WAN seem to be system services and my Squid proxy. Not sure how I can go about forcing it via VPN as well.

isolatedvirus
If you have a specific tunnel gateway you want to route all traffic through, you can create an alias. In the alias, include the hosts that would normally traverse that VPN and include the firewall itself.

isolatedvirus
OK, I just tested this, and it doesn't work.

It appears that Squid will ignore the policy-based routing and default to sending traffic out the default gateway.

There are 2 workarounds: 1 requiring Squid to be relocated downstream, the second being changing the default gateway.

If you want to, you can logically set up your network such that:

LAN segments -> Squid proxy -> pfSense firewall. This will force traffic to obey your policy-based routes, but if you're doing source PBR, your PBR will break, which would require you to route based on destination, or by port/protocol.

The second workaround is to go to:
System -> Routing -> Gateways and change your default gateway to one of your VPN providers. This will force traffic that Squid intercepts out the VPN of choice. The downside here is that if you want certain websites to route through different VPN providers, this breaks, as it will force all traffic that Squid is proxying out the new default gateway.

Personally I run Squid in transparent mode, on HTTP only. My setup has hosts/websites that I DO NOT want to protect through the VPN. If a host matches my host_vpn_bypass rule, it gets dropped direct to WAN no matter what the destination is. If ANY host matches a destination listed in my url_vpn_bypass, then it gets dropped direct out the WAN. This would be accomplished with the PBR rules, PLUS adding the aliases in the proxy bypass section of Squid under Services -> Squid Proxy Server.

Edit:
Spelling, phrasing, and added more detail.
« Last Edit: April 21, 2017, 07:23:23 am by isolatedvirus »
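As an added illustration, not taken from the thread or from pfSense's own generated ruleset, the following hand-written pf configuration expresses the two points made above: the per-alias policy-based routing with a deny rule at the end of the LAN rules that nils92 describes, and isolatedvirus's observation that traffic the firewall itself originates (Squid, system services) never passes through the LAN interface rules and therefore follows the system default route unless the WAN is explicitly closed to it. Interface names, addresses, the tunnel gateway and the OpenVPN endpoint port are assumed placeholders; the `host_vpn` and `host_vpn_bypass` tables stand in for the pfSense aliases named in the thread.

```pf
# Added example: hand-written pf ruleset approximating the pfSense GUI rules
# discussed in this thread. Not pfSense's generated rules; every name and
# address below is an assumed placeholder.

wan_if = "igb0"
lan_if = "igb1"
vpn_if = "ovpnc1"          # OpenVPN client tunnel interface (assumed)
vpn_gw = "10.8.0.1"        # far end of the tunnel (assumed)
wan_gw = "203.0.113.1"     # ISP next hop (documentation address)

# pfSense aliases expressed as pf tables (constructed values)
table <host_vpn>        { 192.168.1.10, 192.168.1.11 }
table <host_vpn_bypass> { 192.168.1.50 }
table <vpn_servers>     { 198.51.100.10, 198.51.100.11 }  # OpenVPN endpoints (assumed)

set skip on lo0
# Floating states (pfSense's default) let a LAN flow that was routed by a
# route-to rule ride its existing state out the chosen interface, so the
# WAN "block out" below only catches flows with no state, i.e. traffic the
# firewall itself started.
set state-policy floating

# Outbound NAT: tunnel traffic uses the tunnel address, bypass traffic the WAN address
nat on $vpn_if from <host_vpn>        to any -> ($vpn_if)
nat on $wan_if from <host_vpn_bypass> to any -> ($wan_if)

# Default deny; everything below is an explicit exception
block log all

# --- WAN: firewall-originated traffic ---------------------------------------
# Only what the OpenVPN clients need to build their tunnels may leave via the ISP.
pass out quick on $wan_if proto udp from ($wan_if) to <vpn_servers> port 1194 keep state
# Anything else the firewall itself originates (Squid, updates, DNS, NTP) is
# logged and dropped instead of silently following the default route. Add
# explicit pass rules above this line for services the firewall really needs.
block out log quick on $wan_if from self to any

# --- LAN: policy-based routing (the "Gateway" field in a rule's advanced options) ---
# Bypass hosts are pinned to the ISP gateway regardless of destination.
pass in quick on $lan_if route-to ($wan_if $wan_gw) from <host_vpn_bypass> to any keep state
# VPN hosts are pinned to the tunnel gateway for any non-local destination.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from <host_vpn> to ! $lan_if:network keep state
# Local traffic to the firewall itself (DNS, DHCP, web UI) needs no gateway.
pass in quick on $lan_if from $lan_if:network to $lan_if:network keep state
# The deny rule at the end: a LAN host missing from both aliases cannot reach
# anything, so it fails closed rather than leaking out the ISP.
block in log quick on $lan_if from $lan_if:network to any
```

The `block out ... from self` line is what makes the Squid case visible: a transparent proxy on the firewall answers the client on LAN and opens its own upstream connection as the firewall, so that connection is matched here and logged rather than taking the default route unnoticed. If the OpenVPN client configurations reference the servers by hostname, a pass rule for the firewall's DNS traffic must precede that line or the tunnels cannot be built; likewise adjust the protocol and port in the `pass out` rule to whatever the VPN provider actually uses.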