pfSense Kill Switch??

Discussion in 'privacy technology' started by blusky, Jun 14, 2015.

  1. blusky

    blusky Registered Member

    Joined:
    Jan 29, 2011
    Posts:
    15
    Before I start I would like to thank Wilders Security Forums for providing a great place to learn and research. Thanks to mirimir for his great guides and posts, which helped me immensely in setting up my new pfSense router.

    My setup ended up a little different than mirimir's guides because I was able to get the help of a friend, who was way more knowledgeable than I but did not have a lot of experience with pfSense. I knew I was in trouble when mirimir posted that my setup would be complicated, even for him.

    This is my pfSense setup:

    Cable modem---> pfSense box (8 core Intel Atom Proc. 16GB memory)--->24 Port Gigabit Switch--->
    Apple Time Capsule router (wifi only)---> 22 devices connecting to either the 24 Port switch or through Wifi. This includes Windows 7, Windows 8.1, iMacs and iPhones, Rokus and Netflix connections.

    Out of all the connections I needed just 2 Windows computers to be set up through the VPN, the others through my ISP. So the way it worked for me, I'm sure there must have been an easier way, was to set up in Firewall--> Aliases--->IP
    I listed the local IPs of all the non-VPN computers and devices. Seems to be working well.

    So my pfSense box acts as a VPN Client for both PCs that do not use the VPN.

    What I am trying to do is create a Kill Switch so that when the VPN goes down both the computers do not continue to access the internet through my ISP.

    I tried using Firewall--> Aliases--> IP and using the IPs of the 2 computers that don't want routes if the VPN is down. This did not work.

    Any ideas or suggestions on how, if possible, to set this up in pfSense would be greatly appreciated.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    There is no "kill switch" per se in my pfSense setups. For the pfSense VPN-gateway VMs, it's just that the VPN tunnel is the only Internet gateway for LAN. If you want some of your devices to use the VPN, and others to connect directly, just set up two or more vLANs in pfSense. For example, specify the VPN tunnel as the Internet gateway for vLAN1, and WAN as the Internet gateway for the rest of the vLANs. You could even have multiple VPNs connected in pfSense, and route each to one or more vLANs.
     
  3. blusky

    blusky Registered Member

    Joined:
    Jan 29, 2011
    Posts:
    15
    Ok, I had not thought of that, setting up two VLANs. I did read the pfSense book but there was quite a lot of info that was over my head, but I will definitely look into creating two VLANs. I just read in the pfSense book that you cannot create VLANs with an unmanaged switch; unfortunately mine is a Trendnet 24 port unmanaged switch.

    I did not mention this but I also am using the VPN Server in pfSense to connect to my Media server remotely. I installed the OpenVPN client in both a Windows 7 laptop and an iPad. It works pretty well.

    I will be traveling soon so I do not want to do the changes yet, but will read the pfSense book and see how I can do the VLANs that you have recommended.

    In the meantime, is there a way to create a kill switch from the two VPN computers' side, Windows 8.1 and Windows 7? A program or a firewall of sorts?

    On another note, I have not installed any packages in pfSense but am thinking of installing Squid3, SquidGuard and Snort and maybe the Antivirus. I was wondering what your opinion is on this and the other security packages available for pfSense.

    I really appreciate your input; reading your posts convinced me to try pfSense and I am glad I did. Thank you.
     
    Last edited: Jun 15, 2015
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    You don't need managed switches for vLANs. Netgear smart switches are vLAN capable, and don't cost much.

    Another approach would be running two pfSense VMs in the Atom box. It's easily capable of multiple VMs. One pfSense VM would run the VPN client, and provide LAN (LAN1, let's say) for the two devices that need it. The other would just be a firewall, and provide LAN (LAN2, let's say) for the non-VPN devices. But you will need another NIC card for LAN2. Also a small switch for LAN1, with the big one for LAN2.

    You could easily run other stuff in the Atom box, given all of its CPU cores and RAM. But it would be better to wait until you have the basics finished.
     
  5. blusky

    blusky Registered Member

    Joined:
    Jan 29, 2011
    Posts:
    15
    Thanks mirimir, will look into the Netgear switch. My pfSense box is a Supermicro MBD-A1SRM-LN7F-2758 which has a total of seven Ethernet ports, of which I am only using two at the moment, WAN and LAN.

    I am not versed at all with FreeBSD but will start reading on how I could install the VMs on it.

    As for the packages, yes I will wait till I have everything running correctly then experiment with different packages.
     
  6. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    174
    Location:
    io
    The easiest way I found was to install the free Comodo Firewall and set up firewall rules

    task>advanced settings>security settings>firewall>global rules

    click that little down arrow and hit add

    action = Block
    protocol = IP
    direction = In or Out
    description = Real IP address

    source address section
    type: ipv4 address range
    start ip: 042.000.000.000 (46 being your real ISP IP address)
    end ip: 049.000.000.000 (49 being just safe and covering your ISP IP range, although that should not change if your ISP gives one static/same IP)

    destination section
    type: any address

    ip details:
    ip protocol: any

    Basically, as long as you have a static IP address from your ISP, you have just created a Comodo firewall rule to tell your PC to block, say, your real ISP IP from ever connecting to the internet. This way, once pfSense connects to your VPN provider, only that IP, maybe 057.000.000.000 etc., is used, so it connects fine since it's not being blocked.

    What you can do is verify your real ISP IP is blocked: connect your cable modem directly to that PC and you should then find internet access is blocked (little yellow triangle on the network adaptor). If you right-click Comodo Firewall and select disable firewall, the internet should then connect.

    I asked in a few places but no one could offer this simple fix when I asked for a kill switch for Windows; I had to just figure it out myself!

    I would recommend also using your VPN provider's DNS settings (ask your VPN provider) or OpenNIC logless DNS servers in your main, if not all, network adaptor settings under Windows 8/10. This way, if you're using your VPN's DNS server, it only allows internet access once it's connected to your VPN, so in effect it acts like a kill switch, but this only affects web browsing; torrents or other stuff may still use the internet. This is important since DNS leaking can occur. You can visit ipleak.net to check if you're vulnerable to IP/DNS/torrent/web browser leaks, or if it's working at least.

    If you do want 100% peace of mind, AirVPN I believe had the best pfSense guide on the net on their forums and had rules to stop DNS and IP leaks, but this was 3 years ago. I am content with Mullvad and Boleh for now; their Windows client software does IP/DNS kill switching and I can't fault their service, but I may try PrivateVPN or Air once my sub expires :)
     
  7. blusky

    blusky Registered Member

    Joined:
    Jan 29, 2011
    Posts:
    15

    Thank you Paranoid Eye for your help. I am still looking for a temporary solution till I can do what mirimir had suggested. Unfortunately, I have a dynamic IP. The other issue I have is my pfSense box acts as a VPN client to connect to the VPN service, I do not have OpenVPN Client installed on both computers. Not sure if this will work for me.

    I will take a look at AirVPN's guides. Appreciate the help.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I doubt that anything on the Windows boxes will help, because they just see the pfSense box. They're NATed from the pfSense WAN (your ISP) and "VPN" (your VPN tunnel) gateways.

    If your VPN service has a DNS server with a private IP address, which is reachable only through the VPN tunnel, you could maybe install an app that pings that DNS server, and shuts down the network interface if it becomes unavailable. But that would leak a lot.
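    The watchdog mirimir sketches above, written out as an added example that is not part of the thread: it sends a real DNS query to the VPN provider's private resolver (reachable only through the tunnel) and disables the Windows adapter after several consecutive failures. VPN_DNS, ADAPTER and the netsh call are assumptions; his caveat stands, since traffic keeps leaking via WAN until the switch trips.

```python
import socket
import struct
import subprocess

# Assumed (not from the thread): the VPN provider's private DNS address,
# reachable only through the tunnel, and the Windows adapter to shut down.
VPN_DNS = "10.8.0.1"
ADAPTER = "Ethernet"

def build_query(name="example.com", txid=0x1234):
    """Minimal DNS A query for `name`: 12-byte header + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def probe_dns(server=VPN_DNS, timeout=2.0):
    """True only if `server` answers our query (same id, QR bit set)."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except OSError:  # timeout, no route, ICMP unreachable ...
            return False
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def disable_adapter(name=ADAPTER):
    # Windows only, needs an elevated prompt; drops the link entirely.
    subprocess.run(["netsh", "interface", "set", "interface", name, "admin=disable"])

class KillSwitch:
    """Trips `action` after `limit` consecutive failed probes; a success resets."""
    def __init__(self, probe=probe_dns, action=disable_adapter, limit=3):
        self.probe, self.action, self.limit = probe, action, limit
        self.failures, self.tripped = 0, False

    def step(self):
        """Run one probe; True only on the step that trips the switch."""
        if self.tripped:
            return False
        if self.probe():
            self.failures = 0
            return False
        self.failures += 1
        self.tripped = self.failures >= self.limit
        if self.tripped:
            self.action()
        return self.tripped
```

    A deployment calls `KillSwitch().step()` in a loop with a few seconds' sleep between probes; the failure threshold keeps a single lost packet from dropping the link.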
     
  9. blusky

    blusky Registered Member

    Joined:
    Jan 29, 2011
    Posts:
    15
    Thanks mirimir,
    I thought it would be easy for a temporary fix but it looks like it's not. Appreciate your input.
     