Hi
I have my ERL3 running a VPN client and I have a bunch of IPs on my network sent through that tunnel. Works great.
However, when the VPN disconnects for some reason, those IPs connect via the WAN. I don't want that to happen for some of these IPs - I want to block their internet access when the VPN is down - but I can't seem to figure it out. I've been trying to block traffic from those IPs from the LAN to WAN by creating a LAN_IN ruleset, then a rule to drop anything not going via VPN. But it's been ages since I set a lot of this up and I've kinda forgotten what I'm doing!
I thought this would be a common scenario, but searches here and on Google haven't really found anything. There was one post on here where they used NAT masquerade rules, but that seemed a bit odd to me (https://community.ubnt.com/t5/EdgeMAX/Block-LAN-IP-from-WAN-but-Allow-it-out-VPN/m-p/910070/highlight/true#M35346)?
Any pointers appreciated!
/* EdgeOS (ERL3) configuration as posted, reformatted from a single line. WAN is pppoe0 on eth0, LAN is eth1 (10.0.1.0/24) and eth2 (192.168.2.0/24), vtun0 is an OpenVPN client. Six LAN hosts are policy-routed into vtun0 via SOURCE_ROUTE and per-host routing tables. */
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Policy routing: each listed source host is steered to its own routing table. Tables 1-6 (protocols static, below) are identical, all defaulting to vtun0, so a single shared table would express the same policy. */
    modify SOURCE_ROUTE {
        rule 10 {
            action modify
            description "traffic from 10.0.1.83 to vtun0"
            modify {
                table 1
            }
            source {
                address 10.0.1.83/32
            }
        }
        rule 20 {
            action modify
            description "traffic from 10.0.1.86 to vtun0"
            modify {
                table 2
            }
            source {
                address 10.0.1.86/32
            }
        }
        rule 30 {
            action modify
            description "traffic from 10.0.1.61 to vtun0"
            modify {
                table 3
            }
            source {
                address 10.0.1.61/32
            }
        }
        rule 40 {
            action modify
            description "traffic from 10.0.1.46 to vtun0"
            modify {
                table 4
            }
            source {
                address 10.0.1.46/32
            }
        }
        rule 50 {
            action modify
            description "send m traffic via VPN"
            modify {
                table 5
            }
            source {
                address 10.0.1.44/32
            }
        }
        rule 60 {
            action modify
            description "send p traffic via VPN"
            modify {
                table 6
            }
            source {
                address 10.0.1.39/32
            }
        }
    }
    /* Inbound from WAN to LAN: default drop, only established/related allowed. Port forwards (port-forward, below) rely on auto-firewall to be admitted here, since no accept rule for them is listed. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Inbound from WAN to the router itself: default drop with logging, so the GUI (tcp/80, tcp/443) and ssh (tcp/22) are not reachable from the WAN. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        /* NOTE(review): accepts unsolicited udp/443 from the WAN to the router. vtun0 is an OpenVPN client (config-file below) and a client's tunnel replies already match rule 10 (established/related), so this rule may be unnecessary — confirm what actually listens on udp/443 before keeping it. */
        rule 1 {
            action accept
            description "vpn accept udp 443"
            destination {
                port 443
            }
            log disable
            protocol udp
        }
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path (source) validation is off. Strict validation commonly conflicts with the policy routing above; presumably that is why — confirm, and prefer loose mode if the platform offers it. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Internet (PPPoE)"
        duplex auto
        pppoe 0 {
            default-route auto
            /* NOTE(review): only the in and local hooks carry rulesets. There is no out ruleset on pppoe0, which is where a VPN kill switch usually lives: the out hook sees forwarded traffic before NAT, still carrying its 10.0.1.x source address, so a drop ruleset listing the VPN-only sources here matches exactly the traffic that escaped vtun0. A ruleset on eth1 in cannot tell which interface the packet will leave by. */
            firewall {
                in {
                    name WAN_IN
                }
                local {
                    name WAN_LOCAL
                }
            }
            mtu 1492
            name-server auto
            /* credentials redacted by the poster */
            password ***
            user-id ***
        }
        speed auto
    }
    ethernet eth1 {
        address 10.0.1.1/24
        description Local
        duplex auto
        /* SOURCE_ROUTE is a modify ruleset applied to LAN ingress; it marks tables, it does not filter. */
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.2.1/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    /* OpenVPN client; tunnel parameters live in the referenced file, not in this config. */
    openvpn vtun0 {
        config-file /config/auth/vpn.ovpn
    }
}
/* All forwards land on the single host 10.0.1.91 from pppoe0. */
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description P
        forward-to {
            address 10.0.1.91
            port 32400
        }
        original-port 32334
        protocol tcp
    }
    rule 2 {
        description "VPN Server"
        forward-to {
            address 10.0.1.91
            port 5851
        }
        original-port 5851
        protocol tcp
    }
    rule 3 {
        description C
        forward-to {
            address 10.0.1.91
            port 6690
        }
        original-port 6690
        protocol tcp
    }
    rule 4 {
        description S
        forward-to {
            address 10.0.1.91
            port 4862
        }
        original-port 4862
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    static {
        /* NOTE(review): each table holds exactly one route, a default via vtun0. When vtun0 is down that route disappears, the table is empty, and — as the post describes — lookup falls through to the main table and the host exits via pppoe0. The two usual remedies are a drop ruleset on pppoe0 out for the VPN-only sources (see interfaces above), or a second default route in each table that blackholes with a high distance so it only takes effect when the vtun0 route is gone. */
        table 1 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 2 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 3 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 4 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 5 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
        table 6 {
            interface-route 0.0.0.0/0 {
                next-hop-interface vtun0 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative disable
            subnet 10.0.1.0/24 {
                default-router 10.0.1.1
                dns-server 10.0.1.1
                lease 86400
                start 10.0.1.38 {
                    stop 10.0.1.243
                }
                #static mappings removed
            }
        }
        use-dnsmasq disable
    }
    /* Resolver listens on the two LAN interfaces only; WAN_LOCAL drops it from pppoe0. */
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
            system
        }
    }
    /* NOTE(review): older-ciphers enable lets the web UI offer legacy TLS ciphers. WAN_LOCAL keeps the UI off the WAN, so the exposure is LAN-only, but it is worth disabling unless an old client needs it. */
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        /* Empty source block: masquerade everything leaving via vtun0. */
        rule 5000 {
            description vpn
            log disable
            outbound-interface vtun0
            protocol all
            source {
            }
            type masquerade
        }
        /* Masquerade everything leaving via the WAN — including the VPN-only hosts whenever they fall through to pppoe0. */
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface pppoe0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}