Topic: Mission critical pfSense firewall activities thru VPN ONLY?

V3lcr0
Mission critical pfSense firewall activities thru VPN ONLY?
« on: December 08, 2017, 05:21:59 pm »
I want to make sure all my pfSense software updates and any other communication for my pfSense firewall go thru my VPN only. How do I configure this?

What I think are the relevant parts of my configuration for this question:
*I do not have any DNS servers assigned in General -> DNS Server settings
*Using Unbound (DNS Server Override & Disable DNS Forwarder are not checked in General -> DNS Server settings)
*In my outbound NAT I have my default 127.0.0.0 going thru VPN only
*DNS Unbound has its "Outgoing Network Interface" set to my VPN interface ONLY

I have my separate VLANs working correctly, i.e. Apple TV going thru WAN, others go thru my VPN. My question is specific to any pfSense software updates or any other firewall "home calling".

Eternally grateful to any thoughts...

Thanks V

jimp (Administrator)
Re: Mission critical pfSense firewall activities thru VPN ONLY?
« Reply #1 on: December 13, 2017, 02:44:14 pm »
Outgoing requests from the firewall will follow the default gateway. For updates to go over the VPN, the firewall's default gateway would have to be (at least temporarily) changed to be the VPN.

The exact method for that varies by VPN.
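Since firewall-originated traffic follows the default route and not the per-VLAN policy rules, the first thing to verify is which interface the "default" entry in the routing table points at. The following sh script is an added example for this thread; it is not jimp's code, nor anything shipped with pfSense. It parses the output of FreeBSD's `netstat -rn -f inet` (the syntax pfSense's shell uses) and compares the default route's interface with the VPN interface. The two routing tables in SAMPLE_WAN and SAMPLE_VPN are constructed; the addresses, the WAN interface name em0, and ovpnc1 (the name pfSense gives its first OpenVPN client interface) are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Firewall-originated traffic (pfSense updates, package installs, pfBlocker
# list and Snort rule downloads) leaves on the default route, so the check
# that matters is: which interface does the "default" routing entry use?

# Print the Netif of the default IPv4 route, reading FreeBSD
# `netstat -rn -f inet` output from stdin. The column index is taken from
# the header line instead of being hard-coded, because the column layout
# differs between FreeBSD releases.
default_route_iface() {
    awk '
        /^Destination/ { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        $1 == "default" && col { print $col; exit }
    '
}

# Exit 0 when the default route is on the expected VPN interface ($1), else 1.
updates_via_vpn() {
    [ "$(default_route_iface)" = "$1" ]
}

# Constructed sample tables (addresses and interface names are assumptions;
# ovpnc1 is the name pfSense gives its first OpenVPN client interface).
# Case 1: default gateway is still the WAN, as in the original poster's setup.
SAMPLE_WAN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
127.0.0.1          link#2             UH          lo0
203.0.113.0/24     link#1             U           em0'

# Case 2: default gateway switched to the VPN; only the host route to the
# VPN server endpoint (198.51.100.7, assumed) still leaves via the WAN.
SAMPLE_VPN='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS      ovpnc1
10.8.0.0/24        10.8.0.5           UGS      ovpnc1
127.0.0.1          link#2             UH          lo0
198.51.100.7/32    203.0.113.1        UGHS        em0
203.0.113.0/24     link#1             U           em0'

report() {
    # $1 = label, $2 = routing table text, $3 = expected VPN interface
    if printf '%s\n' "$2" | updates_via_vpn "$3"; then
        echo "$1: default route on $3, firewall-originated traffic uses the VPN"
    else
        echo "$1: default route on $(printf '%s\n' "$2" | default_route_iface), updates would leave via the WAN"
    fi
}

if [ "${1:-}" = "--live" ]; then
    # On the firewall itself: read the real table (FreeBSD netstat syntax).
    report "live" "$(netstat -rn -f inet)" "${2:-ovpnc1}"
else
    # Offline demonstration on the constructed tables above.
    report "SAMPLE_WAN" "$SAMPLE_WAN" ovpnc1
    report "SAMPLE_VPN" "$SAMPLE_VPN" ovpnc1
fi
```

Run it as `sh check.sh --live ovpnc1` from the pfSense shell to test the real routing table; without arguments it only walks the two constructed tables. Note that it checks the default route alone, which is exactly the point of the reply above: LAN policy-routing rules that send a VLAN through the VPN do not apply to connections the firewall itself opens.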

V3lcr0
Re: Mission critical pfSense firewall activities thru VPN ONLY?
« Reply #2 on: December 14, 2017, 10:51:14 am »
I have managed to get my LAN traffic to go thru VPN, however my default gateway is still my WAN. In earlier research I think this was advised...

I currently use PIA... my wish list would be that all my downloads (pfBlocker lists... some are hourly), pfSense updates, and package updates including Snort rules (every day I think... could be weekly) be updated thru VPN.

Is it a simple case of changing my default gateway to VPN?

Your point about a "temporary" change, and prior experience with the initial setup, tell me it's a little more involved. I couldn't find specifics...

Any help would be greatly appreciated.
V

V3lcr0
Re: Mission critical pfSense firewall activities thru VPN ONLY?
« Reply #3 on: January 04, 2018, 02:27:37 pm »
I am still trying to find a good solution to secure my software updates (pfSense and packages) and "cron-like" events (Snort, pfBlocker rule/list updates).

I get how a temporary change might be practical for software updates, but for "cron-like" events it likely won't work.

Any suggested best practices or thoughts?

Happy New Year and thanks again for pfSense and the package work!!!