Forwarding One IP Through OpenVPN?

Hello, I use a vpn service called IPVanish for my vpn needs. I have IPVanish setup and connecting in the PFSense OVPN service section. What I want to do now is take my IPVanish Client Connection (Description: IPVANISH - YVR 01) and set it up so certain IP addresses, for this example let's say 172.16.1.13, forward all of their traffic over the vpn. Preferably, if the VPN loses connection I want a kill switch to engage and no traffic from 172.16.1.13 to exit.

Can someone please provide me detailed instructions of how to achieve this?

As a secondary afterthought, is there a way also to do this but only on specific ports for an entire IP range?

Thanks, I really appreciate your guys’ help!

EDIT: Thanks everyone who responded! I’ll try this out in a few hours and see how it goes otherwise I will wait on Determined_P who is writing up a guide to do similar things.

Finishing a write up on this tonight! I will tag you here once I am finished.

Quick and dirty:

If you want just one IP to go over it, you need to set a rule under LAN with the source being the IP you want to route over the VPN. Under advanced, select the gateway that corresponds with the VPN client. Next, you can tag the traffic with something like “NO_WAN”. Now create a floating rule that applies to the WAN interface to block traffic with your tag. This should keep it from getting out if your gateway is down.

Edit:

Finished the write up finally!

https://philsheets.me/blog/multi-vlan-vpn-endpoint-pfsense-network/

For your first question, you want two firewall rules on the LAN interface. In my case I have something close to what you are striving for, but I allow all of my LAN to connect through the VPN, if it wants to (pfSense in my case is not my main router; it’s more of an application server and VPN client).

You can tweak the rule so your Source is just the one IP, or a list of IPs, subnets, whatever. The rules are in this order, just about near the top, above the default LAN rules.

  • Rule 1: Pass on interface LAN (IPv4/Any), to any destination, Gateway is PIA_VPN (I use Private Internet Access). Selecting a specific gateway is under advanced settings below.
  • Rule 2: Reject (you can Drop if you want) on interface LAN (IPv4/Any), from single host/IP x.x.x.x, to destination Any.

So if the VPN is disconnected, the machine x.x.x.x is unable to get online at all. I could probably refine this better so it can still get online to get system updates and whatnot, but I can’t be bothered.

When you’re done creating the rules, apply the rules, of course, then test with the VPN offline, then online. Use whatismyip from your client machine to see if you’re exiting to the Internet through the VPN, as intended.

As for your second question, I’m not quite understanding, can you elaborate?
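As an added illustration that is not from this thread or generated by pfSense, here is roughly the pf ruleset the GUI rules in the two answers above translate to: the tag-and-floating-block kill switch from the first answer, the per-host reject from the second, and one rule for the "only specific ports for a whole range" follow-up question. The interface names, the tunnel gateway address and the port used in the last rule are assumptions.

```pf
# Hand-written pf equivalent of the pfSense GUI rules discussed in the thread.
# Interface names, the tunnel gateway address and the port example are assumptions.
lan_if    = "igb1"              # assumption: LAN interface
wan_if    = "igb0"              # assumption: physical WAN interface
vpn_if    = "ovpnc1"            # assumption: OpenVPN client interface (IPVANISH - YVR 01)
vpn_gw    = "10.8.0.1"          # assumption: gateway address inside the VPN tunnel
vpn_hosts = "{ 172.16.1.13 }"   # host(s) from the question that must only exit via the VPN

# Floating rule (first answer): anything tagged NO_WAN that tries to leave on the
# physical WAN is dropped. "quick" so it wins over any later pass rule on WAN.
block out quick on $wan_if inet tagged NO_WAN

# LAN rule 1: policy-route the host into the tunnel and tag the state. If the VPN
# gateway is down, pfSense by default rebuilds this rule WITHOUT the gateway (the
# traffic would then follow the default route) unless System > Advanced >
# Miscellaneous > "Skip rules when gateway is down" is enabled; the NO_WAN tag plus
# the floating block above still catches that fallback.
pass in quick on $lan_if inet from $vpn_hosts to any \
    route-to ( $vpn_if $vpn_gw ) tag NO_WAN keep state

# LAN rule 2 (second answer): if rule 1 did not match, refuse the host outright.
# "block return" is the GUI's Reject action; a plain "block" is Drop.
block return in quick on $lan_if inet from $vpn_hosts to any

# Follow-up question: send only one port from a whole range through the VPN.
# Here only HTTPS from 172.16.1.0/24 is tunnelled (and kill-switched); all other
# traffic from that range falls through to the normal LAN rules below.
pass in quick on $lan_if inet proto tcp from 172.16.1.0/24 to any port 443 \
    route-to ( $vpn_if $vpn_gw ) tag NO_WAN keep state
```

To check what pfSense actually generated from the GUI rules, run `pfctl -sr` from the pfSense shell and confirm both the `tagged NO_WAN` block on WAN and the `route-to` rule are present, then repeat the test with the VPN client stopped.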

Did you get this to work? I was wondering the same thing. When I set it up, all the traffic goes out the VPN.

Thanks! I look forward to it and will give this a go.

Hi there, did you happen to get that guide created? Any help is greatly appreciated!

Thanks! I will give this a go.

Unfortunately I did not. I am not sure if there is more to it because I have pfBlocker and Squid caching set up, perhaps?

I finished up the write up I was working on going over this topic:

https://philsheets.me/blog/multi-vlan-vpn-endpoint-pfsense-network/

It is finally finished:

https://philsheets.me/blog/multi-vlan-vpn-endpoint-pfsense-network/

I got carried away with it but should button it up tonight! I thought it would be done by now!

Awesome! I will be able to take a look in a couple of days; it looks to be what I need. Very thorough.

Great! Let me know if you have any questions.