pfSense - Control access to specific networks - Prevent certain LAN IPs from accessing WAN when OpenVPN goes down

Navigate to Advanced → Miscellaneous.

In Gateway Monitoring:

NOTE: This option is not checked by default.

  • The description states: “By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down”.
  • So when the VPN gateway is down, pfSense still creates the rule, but with the default gateway instead, which defeats the whole point of pinning those hosts to the VPN.
  • With this option ticked, also set the Default allow LAN to any rule and the Default allow LAN IPv6 to any rule to match only when the Source is NOT the VPN alias.
    • Those hosts then have Internet access via the VPN while it is up.
    • When the VPN goes down they lose Internet access completely, instead of falling back to the WAN.
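As an added example (not pfSense code or anything from the forum thread), the following Python models the first-match evaluation of the LAN rules above, including the gateway-down behaviour from the quoted option text, so the effect of each step can be checked; the host addresses, alias contents and gateway name are constructed.

```python
"""Model of pfSense LAN rule evaluation with a policy-routed VPN gateway.

Shows why both steps are needed: the option that skips rules whose gateway
is down, AND restricting the default allow rule to sources NOT in the alias.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")
# Constructed alias: hosts that may only reach the Internet through the VPN.
VPN_ALIAS = frozenset({ip_network("192.168.1.50/32"), ip_network("192.168.1.51/32")})


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset                # networks in the rule's Source field
    negate_source: bool = False       # Source set to NOT the alias
    gateway: Optional[str] = None     # None = default gateway (WAN)

    def matches(self, src) -> bool:
        hit = any(src in net for net in self.sources)
        return not hit if self.negate_source else hit


def resolve(src_ip, rules, gateway_up, skip_when_down):
    """Gateway a LAN host's traffic leaves by, or 'BLOCKED' (default deny).

    Option off: a rule whose gateway is down is still created but sends
    traffic to the default gateway.  Option on: the rule is not created.
    """
    src = ip_address(src_ip)
    for rule in rules:
        if rule.gateway and not gateway_up.get(rule.gateway, False):
            if skip_when_down:
                continue                      # rule omitted while gateway down
            if rule.matches(src):
                return "WAN"                  # created, but via default gateway
            continue
        if rule.matches(src):
            return rule.gateway or "WAN"
    return "BLOCKED"                          # implicit default deny


POLICY = Rule("VPN alias via VPN", VPN_ALIAS, gateway="OPENVPN_GW")
ORIGINAL = [POLICY, Rule("Default allow LAN to any", frozenset({LAN}))]
HARDENED = [POLICY, Rule("Default allow LAN to any", VPN_ALIAS, negate_source=True)]


def outcome(rules, vpn_up, skip_when_down):
    """(VPN-alias host result, ordinary LAN host result)."""
    up = {"OPENVPN_GW": vpn_up}
    return (resolve("192.168.1.50", rules, up, skip_when_down),
            resolve("192.168.1.10", rules, up, skip_when_down))
```

Only `outcome(HARDENED, vpn_up=False, skip_when_down=True)` blocks the alias host when the VPN is down; every other combination leaks it out the WAN.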

NOTE: This does not solve two problems:

  1. DNS leaks. The pfSense firewall itself will still send out DNS queries even with this method applied;
    • If the client(s) in question are configured to use only the VPN-provided DNS servers, their DNS traffic will also cease when the VPN goes down.
  2. This method does not allow the creation of automated rules for the VPN traffic itself, so, for example, Amazon S3 will not work or will work intermittently, being “caught” by the default deny IPv4/IPv6 rule.

References

https://forum.netgate.com/topic/59200/prevent-certain-lan-ips-from-accessing-wan-when-openvpn-goes-down/41