Feature #15582

open

Add option to automatically create rules to block VPN networks from exiting via WAN interfaces

Added by Andrew Almond 6 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default

Description

It's a known issue that traffic intended for VPN networks can be sent out the WAN interfaces if the VPN tunnel is down, which causes states to be established on the WAN interfaces. This then delays or prevents traffic from being sent over the VPN tunnel when it is re-established.

The recommended solution is to create floating rules that block all traffic from private/VPN networks from going out the WAN interfaces. I've done this and it seems to help.

It would be great if there was an option either globally or per-interface that would create the rules automatically, similar to the Block private and Block Bogon options. Maybe it could use a built-in IP alias, which the user could then customize as needed?

On a related note, the VPN leakage issue and the floating rule setup need to be documented so that people are aware of this issue.

I've only ever seen this issue mentioned twice, once by Jim Pringle, and I think the other was on a strongSwan forum somewhere.
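As an added illustration (not part of the original report and not pfSense's own generated ruleset), the pf rules below show roughly what the floating "block VPN traffic on WAN" setup described above amounts to when expressed directly in pf syntax, together with the checks a practitioner would run to confirm no leaked states exist. The WAN interface name (em0), the two remote networks, and the label are assumed placeholders; pfSense normally generates its ruleset from the GUI (visible in /tmp/rules.debug), so this fragment is for understanding and testing, not for hand-editing the live configuration.

```pf
# Added example, not pfSense project code. Interface name and networks are
# assumed placeholders; replace them with your own values.

wan_if = "em0"                       # assumed WAN interface name

# Remote networks that must only ever be reached through a tunnel. A
# "persist" table plays the role of the built-in, user-editable alias the
# report asks for: entries can be added without reloading the ruleset, e.g.
#   pfctl -t vpn_nets -T add 10.30.0.0/16
table <vpn_nets> persist { 10.10.0.0/16, 10.20.0.0/16 }

# Match on the destination, not on a private source. On FreeBSD pf, outbound
# NAT is applied before the filter rules are evaluated, so by the time this
# rule is checked the source has already become the WAN address and a
# "from 192.168.0.0/16" style match would never fire.
#
# "out" on $wan_if with "quick" is the equivalent of a pfSense floating rule
# with Interface = WAN, Direction = out, and Quick checked. "block return"
# corresponds to the GUI action Reject: the client gets a TCP RST or ICMP
# unreachable at once instead of waiting for timeouts. Block rules never
# create state entries, so nothing stale is left behind on WAN when the
# tunnel comes back and its routes reappear.
block return out quick on $wan_if inet from any to <vpn_nets> label "vpn_leak_wan"

# Checks (run from the pfSense shell):
#   pfctl -vnf /etc/pf.conf            parse the ruleset without loading it
#   pfctl -vsr | grep -A2 vpn_leak_wan  confirm the rule is loaded; the counter
#                                       shows how often a leak was stopped
#   pfctl -ss | grep ' -> 10\.10\.'     any state here towards a VPN-only
#                                       network is a leak that pre-dates the rule
#   pfctl -k 0.0.0.0/0 -k 10.10.0.0/16  kill those stale states so traffic is
#                                       re-evaluated against the restored route
```

The state kill is the step that matters immediately after the tunnel reconnects: an existing WAN state is matched before the ruleset is consulted, so without clearing it the leaked flow keeps using WAN even though the VPN route is back.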
