VPN kill switch for single machine or IP address range on pfsense

There are obviously LOTS of ways to do this in pfsense.  This is just the way that I found, which seems to work.

This rule should prevent an individual machine from "talking" using the default non-VPN WAN connection.  This will prevent it from sending any traffic if the VPN goes down.

 Go to Firewall/Rules/Floating

  • Action: Block
  • Quick: Checked
  • Interface: WAN
  • Direction: any
  • Address family: IPv4
  • Protocol: Any
  • Source: Single host or alias / [set local IP address of host here i.e. 192.168.1.100]
  • Destination: any
  • Description: enter any description here [i.e. "Block this IP from using non-VPN WAN"] 
  • Click "Save"

Obvious notes:

-  This only really works if the machine in question uses a static IP address.

-  You can define multiple rules for different devices.

-  You can set the rule to block a range of IP addresses by using "Network" instead of "Single host".

This approach does not use policy-based routing and does not decide which machines use the VPN and which don't.  It just forces all traffic from a machine through the VPN, else the traffic gets blocked.

Comments

Post a Comment

Popular posts from this blog

Wiring an ecobee3 without the G wire (G-wire, fan wire)

Note: this post has nothing to do with the dreaded "C-wire" that is required to run an ecobee.  If you're looking for that, go elsewhere. One of the more frustrating items for a heating/cooling system is the sheer number of possible ways to set it up.  Sure, there are "standard" ways, but there are also always other ways. We had a new furnace installed not long ago.  However, there were not enough wires run to the thermostat to support the additional A/C system.  The cable had only enough wires for heat-only operation. To make it work, the installers should have run a new cable, but they didn't.  Instead, they disconnected the G (fan) wire, and used it for Y (cold call) instead.  This led to an atypical installation that lacked a G (fan) wire at the thermostat. Note it still worked.  The thermostat sent the W (heat) and Y (cold) signals, and the furnace controlled its own fan.  No worries, thanks to them thar new-fangled furnace, y'all. ...
Read more

Hiren's Boot CD HBCD menu missing when booting on Vaio Z3

I wanted to back up my Z3 using Hiren's Boot CD .  I have done this before, and it worked well. (I recommend Image For Windows, available on Hiren's, but you should buy a licence.  IFW seems to be one of the only programs out there that can actually do a bare metal restore.) Oddly enough, when I booted the Z from the USB stick, I did not see Image for Windows.  In fact, I did not see any programs at all.  Mini Windows XP ran fine, but all the programs were missing! Scrounging around the File Manager turned up nada.  It looked like the USB stick was not there, even though the machine had booted from it just fine. The conflict in my case was an SD card that I had added to the system.  It seems Mini XP got confused after boot and replaced the USB stick drive with the SD card.  XP was not capable of reading the SD card owing to the large capacity, and essentially got stuck, unable to locate or load any of the Hiren's apps. Removing the SD card (a...
Read more

Parts, upgrade and general information for the WLtoys L959 RC buggy

Update:  L959s are still available new as of July 2020; all other models discontinued.  Parts are now generally restricted to Aliexpress.  Still a good entry-level model for those interested but not willing to spend a lot up front. Update:  There is a WLtoys L959 parts store here , but it's unclear if it's actually run by WLtoys. After wading through 50 pages and counting of people discussing the WLtoys L959 buggy, I've decided to summarize the thread so that others don't need to do the same. Note I am not dissing the RCGroups community, without which this list would not exist.  However, the information is - at best - organized ad hoc and is very difficult to read and understand. Hopefully this version is more immediately useful. This information is not intended to be very pretty, and Blogger is actively preventing me from cleaning it up.  But I've tried to include every relevant link, picture and posting that I could find. If you know any...
Read more