Block a client if a tunnel VPN is down

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1
    Hi! I have a client that uses a tunnel VPN. I want to block this client from reaching the internet if and when the VPN connection goes down. Where and how do I do this? Filter Rules or Firewall app?

    Thanks in advance!

  • #2
    I use Filter Rules with the tag 'tunnel' for every device going out the tunnelvpn interface:

    1st rule - allow tagged hosts to exit tunnelvpn interfaces
    2nd rule - deny tagged hosts to exit any other WAN interface (and, for me, also every internal network)

    Port forward rules:
    1. Tagged hosts' DNS traffic (UDP/TCP 53) forwarded to the DNS of the VPN provider

    Tunnel rules:
    1. Tagged hosts route through the tunnel
    2. VPN provider DNS (IP) routes through the tunnel


  • #3
    Thank you for this.


  • #4
    Firewall App is what you use. There are several methods to select the client, username or IP address, and then simply block traffic destined to any interface that isn't OpenVPN.
    Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
    NexgenAppliances.com
    Phone: 866-794-8879 x201


  • #5
    Originally posted by sky-knight:
        Firewall App is what you use. There are several methods to select the client, username or IP address, and then simply block traffic destined to any interface that isn't OpenVPN.
    Why not Filter Rules? As per that thread the other day, the firewall does not block ICMP. If you make it a filter rule, does it not block *everything* before it even touches the other apps?
    I've run this for a while now and I can't see any traffic escaping out other interfaces, which is exactly what I need for these devices.

    But if there is a better way I really want to know.


  • #6
    Originally posted by ccdmnk:
        Why not Filter Rules?
    Limited criteria. Filter Rules operate at layer 3, so your only available criteria are layer-3 things: IP addresses, ports, interfaces. If you want to create the rule using something like a hostname, username, &c., you have to use the Firewall app.

    If you're just using an IP address, Filter Rules are definitely preferable.
    Græme Ravenscroft • Technical Marketing Engineer


  • #7
    Thanks for your replies. I created two rules in Filter Rules and they're working as intended. I used source IP address and destination interface set to the tunnel for the allow rule, and then a block rule from the same source IP to any WAN.
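The two-rule policy from #2 and #7 (allow the tagged or selected host out the tunnel interface, deny it out any other WAN) is a fail-closed design: when the tunnel drops and routing falls back to the default WAN, the same traffic now hits the deny rule. The added example below is not from the thread or from the Untangle/Arista NGFW code base; it models the rules as a first-match table and evaluates constructed sessions, including an ICMP session (the case raised in #5) and a deliberately misordered table. Interface names (`tun0`, `wan0`, `wan1`), the tagged host address and the session values are assumptions, not values from the thread.

```python
"""First-match model of the 'allow tagged hosts out the tunnel, deny them out any
other WAN' Filter Rules described in the thread (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple

TUNNEL_IF = "tun0"               # assumed name of the tunnel VPN interface
WAN_IFS = {"wan0", "wan1"}       # assumed non-tunnel WAN interfaces
TAGGED_HOSTS = {"192.168.1.50"}  # constructed: hosts carrying the 'tunnel' tag


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    protocol: str            # "tcp", "udp" or "icmp"
    dst_port: Optional[int]  # None for ICMP
    out_if: str              # egress interface chosen by routing


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    tagged_only: bool                  # match only sources tagged 'tunnel'
    out_ifs: Optional[FrozenSet[str]]  # None = any egress interface

    def matches(self, s: Session) -> bool:
        # Layer-3 criteria only: source host and egress interface, any protocol.
        if self.tagged_only and s.src_ip not in TAGGED_HOSTS:
            return False
        if self.out_ifs is not None and s.out_if not in self.out_ifs:
            return False
        return True


# The thread's rule set: allow first, then deny everything else for tagged hosts.
RULES: List[Rule] = [
    Rule("allow tagged hosts out tunnel", "allow", True, frozenset({TUNNEL_IF})),
    Rule("deny tagged hosts out any other WAN", "deny", True, frozenset(WAN_IFS)),
]

# A misordered variant: a catch-all deny placed before the allow shadows it.
MISORDERED: List[Rule] = [
    Rule("deny tagged hosts out any interface", "deny", True, None),
    Rule("allow tagged hosts out tunnel", "allow", True, frozenset({TUNNEL_IF})),
]


def evaluate(session: Session, rules: List[Rule] = RULES,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(session):
            return rule.action, rule.name
    return default, "default"


def route(src_ip: str, tunnel_up: bool) -> str:
    """Simplified policy routing (assumption): tagged hosts use the tunnel while
    it is up; otherwise everything falls back to the default WAN."""
    if src_ip in TAGGED_HOSTS and tunnel_up:
        return TUNNEL_IF
    return "wan0"


def decide(src_ip: str, dst_ip: str, protocol: str, dst_port: Optional[int],
           tunnel_up: bool, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Route the session as the system would, then apply the Filter Rules."""
    s = Session(src_ip, dst_ip, protocol, dst_port, route(src_ip, tunnel_up))
    return evaluate(s, rules)


if __name__ == "__main__":
    # Constructed sessions: tagged host with tunnel up/down, ICMP, untagged host.
    cases = [
        ("192.168.1.50", "1.1.1.1", "tcp", 443, True),
        ("192.168.1.50", "1.1.1.1", "tcp", 443, False),
        ("192.168.1.50", "1.1.1.1", "icmp", None, False),
        ("192.168.1.77", "1.1.1.1", "tcp", 443, False),
    ]
    for src, dst, proto, port, up in cases:
        action, why = decide(src, dst, proto, port, up)
        print(f"{src} -> {dst} {proto}/{port} tunnel_up={up}: {action} ({why})")
    print("misordered, tunnel up:",
          decide("192.168.1.50", "1.1.1.1", "tcp", 443, True, MISORDERED))
```

Two points the model makes visible: the deny rule matches on egress interface and source only, so it catches ICMP as well as TCP/UDP (the gap #5 attributes to the Firewall app), and the deny rule must sit after the allow rule, or be scoped to the non-tunnel interfaces, or it blocks the tunnel path too.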
