Sunday, February 14, 2021

VPN kill switch for a single machine or IP address range on pfSense

There are obviously LOTS of ways to do this in pfSense. This is just the way that I found, which seems to work.

This rule blocks any traffic from an individual machine that tries to leave through the default, non-VPN WAN interface. Traffic that is routed into the VPN tunnel is unaffected; if the VPN goes down and the machine's traffic falls back to the default route, it is dropped at the WAN instead of leaking out unencrypted.

Go to Firewall / Rules / Floating and add a rule:

  • Action: Block
  • Quick: Checked
  • Interface: WAN
  • Direction: any
  • Address family: IPv4
  • Protocol: Any
  • Source: Single host or alias / the local IP address of the host, i.e. 192.168.1.100
  • Destination: any
  • Description: anything that identifies the rule later, i.e. "Block this IP from using non-VPN WAN"
  • Click "Save"

Obvious notes:

-  This only works reliably if the machine in question has a fixed address: either a static IP on the host or a DHCP static mapping for its MAC address in Services / DHCP Server, so the address the rule matches never changes.

-  You can define multiple rules for different devices, or put several hosts in an alias (Firewall / Aliases) and use that alias as the source of a single rule.

-  You can set the rule to block a range of IP addresses by using "Network" instead of "Single host" and entering the range in CIDR form, i.e. 192.168.1.0/24.

-  With Address family set to IPv4 the rule only blocks IPv4. If the LAN hosts also have IPv6 addresses, choose IPv4+IPv6 or add a second rule, otherwise IPv6 traffic still leaves via the plain WAN.

-  The rule matches on the host's own address, so name lookups the firewall performs on the host's behalf (when the host uses pfSense as its DNS server) are not covered by it; they leave from the firewall itself.

-  Test it before relying on it: disable the VPN client, try to reach the Internet from the host, and confirm that nothing gets through. With "Log" enabled on the rule the blocked packets show up in Status / System Logs / Firewall.

This rule only blocks; it does not route. Which machines send their traffic through the VPN is still decided by your LAN rules (for example a LAN rule whose gateway is the VPN gateway), not by this rule. What the floating rule adds is that any traffic from the machine that would otherwise leave on the plain WAN is dropped, so the machine either talks through the VPN or not at all.
