There are obviously LOTS of ways to do this in pfSense. This is just the way that I found, which seems to work.
This rule should prevent an individual machine from "talking" over the default non-VPN WAN connection, so it cannot send any traffic if the VPN goes down.
Go to Firewall/Rules/Floating
- Action: Block
- Quick: Checked
- Interface: WAN
- Direction: any
- Address family: IPv4
- Protocol: Any
- Source: Single host or alias / [set local IP address of host here, e.g. 192.168.1.100]
- Destination: any
- Description: enter any description here [e.g. "Block this IP from using non-VPN WAN"]
- Click "Save"
- This only really works if the machine in question uses a static IP address.
- You can define multiple rules for different devices.
- You can set the rule to block a range of IP addresses by using "Network" instead of "Single host".
This approach does not use policy-based routing and does not decide which machines use the VPN and which don't. It just forces all traffic from a machine through the VPN, else the traffic gets blocked.
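As an added example (not part of the original post and not pfSense code), here is a small Python audit of a floating rule set in the shape described above. It walks the quick rules in order, the way pf does, and reports whether a given host is fully blocked on WAN, which shows both the static-IP caveat (a host whose address is not covered by any rule leaks) and the ordering caveat (a quick "Pass" rule placed above the block defeats it). The rule dictionaries and their field names are constructed for this example and are not pfSense's config.xml schema.

```python
import ipaddress

# Constructed sample of floating rules in evaluation order, mirroring the
# GUI fields set above. Field names are an assumption for this example.
FLOATING_RULES = [
    {"action": "block", "quick": True, "interface": "WAN", "direction": "any",
     "family": "IPv4", "protocol": "any", "source": "192.168.1.100",
     "destination": "any", "description": "Block this IP from using non-VPN WAN"},
    {"action": "block", "quick": True, "interface": "WAN", "direction": "any",
     "family": "IPv4", "protocol": "any", "source": "192.168.1.128/25",
     "destination": "any", "description": "Block VPN-only range from non-VPN WAN"},
]


def source_covers(source: str, host: str) -> bool:
    """True if a 'Single host' or 'Network' source field includes host."""
    if source == "any":
        return True
    return ipaddress.ip_address(host) in ipaddress.ip_network(source, strict=False)


def wan_kill_switch_status(rules, host: str) -> str:
    """Classify how `host` is treated by the floating quick rules on WAN.

    'blocked' - a quick block for any protocol to any destination is reached
                before any quick pass rule that covers the host
    'leaks'   - a quick pass rule covering the host is hit first, or no quick
                block covers all of the host's traffic (e.g. a DHCP address
                outside the rule's source)
    Quick rules are first-match, so order in the floating tab matters.
    """
    for rule in rules:
        if not rule["quick"] or rule["interface"] != "WAN":
            continue
        if rule["family"] != "IPv4" or not source_covers(rule["source"], host):
            continue
        if rule["action"] == "pass":
            return "leaks"          # earlier quick pass lets traffic out
        if rule["protocol"] == "any" and rule["destination"] == "any":
            return "blocked"        # full block reached before any pass
        # narrower block (one protocol/destination): keep looking for a full one
    return "leaks"


if __name__ == "__main__":
    for ip in ("192.168.1.100", "192.168.1.200", "192.168.1.50"):
        print(ip, wan_kill_switch_status(FLOATING_RULES, ip))
```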