#1 Tuck (Newbie, joined Dec 2018, 8 posts)

Allow Internet access only if Tunnel is up

    I'd like to do just what the title says: I've defined a sequentially-assigned list of hosts (via IP) that are included in the route through the Tunnel and it works great. They only route through the tunnel and everyone else bypasses that Tunnel to route from the local router's gateway only.

    However, I'd like to block any internet access for these hosts if that Tunnel VPN connection should drop. No Tunnel = no internet access but only for those hosts. Any help would be appreciated. Coming from a Cisco world here and I'm learning my way around this gui.

#2 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 23,277 posts)

    Use your firewall, source address, list of IPs, destination interface, External

    Poof, no more TCP or UDP traffic unless it's over the tunnel. Though don't forget to toss in any other WAN links you need to seal up, I'm assuming you only have 1 internet connection.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#3 Tuck (Newbie, joined Dec 2018, 8 posts)

    I'm assuming another rule is needed above this that explicitly allows traffic over the tunnel for those hosts. Thanks for your help.

#4 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 23,277 posts)

Quote Originally Posted by Tuck:
        I'm assuming another rule is needed above this that explicitly allows traffic over the tunnel for those hosts. Thanks for your help.
    Above or below, as long as it's above your general block rule it'll work.

#5 Tuck (Newbie, joined Dec 2018, 8 posts)

Quote Originally Posted by sky-knight:
        Above or below, as long as it's above your general block rule it'll work.
Works great. Thanks again for the help, Rob. While I have your eyes here, have you had any luck blocking ads and commercials on YouTube?

#6 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 23,277 posts)

Quote Originally Posted by Tuck:
        Works great. Thanks again for the help, Rob. While I have your eyes here, have you had any luck blocking ads and commercials on YouTube?
    Nope, they're welded into the video stream now and next to impossible to separate. If you don't like ads on YouTube, your only option is a YouTube Red subscription.

#7 Tuck (Newbie, joined Dec 2018, 8 posts)

I was able to do it with uBlock Origin pretty much everywhere, except iOS devices. There you've got Apple's implementation of ad blocking (through a subscription or purchased app), but that doesn't really work either. Thanks again. I'll post here the solution to the original post with screenshots.

#8 Tuck (Newbie, joined Dec 2018, 8 posts)

    Solution, credit to Rob:

    1) Create the VPN Tunnel using the Tunnel App, enable and connect.
    2) Group the devices that must route over the tunnel by tagging each with a common name - using the "Devices" link at the top.
    3) Open the firewall app and create 2 rules for the tagged devices; one that allows routing over the tunnel, and one that blocks all routing over the external interface.

[Two screenshots attached: Screen Shot 2018-12-16 at 8.49.30 AM.png, Screen Shot 2018-12-16 at 8.49.47 AM.png]

#9 Untanglit (joined Dec 2018, 18 posts)

Interesting, as I took a similar approach, but wanted my setup to default all clients, including new ones, over the tunnel. How I did that was to set up my bypass (route normally) rules using IP addresses (tags would also work) first, and then the last rule on Tunnel VPN is to route any interface over the tunnel. Then on the firewall app, the 3rd to last rule is to allow certain clients (again using IP addresses or tags) over the external interface; the 2nd to last rule is to allow any interface over the tunnel; and the very last rule is to block any interface destined for external. Probably not the most elegant, but it works so long as the order of the rules is correct.
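The two rule layouts in this thread (post #8's "tagged hosts only" kill switch and post #9's "everyone over the tunnel unless bypassed" variant) both depend on first-match ordering, and the failure mode they guard against is a host silently falling back to the WAN when the tunnel drops. The following is an added example, not code from the thread or from Untangle: a small Python model of first-match route and firewall evaluation that runs both layouts with the tunnel up and down, plus the misordered copy of post #9's rules (catch-all block on top) to show why the order matters. The interface names, the "vpn-only" tag, the host addresses and the assumption that a tunnel-routed host falls back to External when the tunnel is down are all constructed for the model.

```python
"""Added example (not from the thread): a first-match simulation of the
Tunnel VPN route rules plus firewall rules that posts #8 and #9 describe.
Interface names, the tag name, the host addresses and the fallback-to-WAN
behaviour of a downed tunnel are assumptions of this model."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

TUNNEL, EXTERNAL, ANY_IFACE = "Tunnel", "External", "*"
ANYONE: FrozenSet[str] = frozenset({"*"})   # selector that matches every host


@dataclass(frozen=True)
class FwRule:
    name: str
    hosts: FrozenSet[str]   # source IPs or tags; ANYONE matches all hosts
    dest: str               # destination interface, or ANY_IFACE
    action: str             # "allow" or "block"


def host_matches(selector: FrozenSet[str], host: str, tags: FrozenSet[str]) -> bool:
    """A selector hits a host by IP or by any tag the host carries."""
    return selector == ANYONE or host in selector or bool(tags & selector)


def pick_egress(route_rules: List[Tuple[FrozenSet[str], str]], host: str,
                tags: FrozenSet[str], tunnel_up: bool) -> str:
    """Tunnel VPN routing, first match wins. Assumption for this model: a
    host routed to the tunnel falls back to External when the tunnel is
    down, which is exactly the leak the thread's firewall rules prevent."""
    for selector, via in route_rules:
        if host_matches(selector, host, tags):
            return TUNNEL if via == TUNNEL and tunnel_up else EXTERNAL
    return EXTERNAL  # no route rule: normal routing out the WAN


def firewall_verdict(rules: List[FwRule], host: str, tags: FrozenSet[str],
                     dest: str) -> str:
    """Firewall app semantics as the thread uses them: first matching rule
    decides, and a session matching no rule is allowed."""
    for rule in rules:
        if host_matches(rule.hosts, host, tags) and rule.dest in (ANY_IFACE, dest):
            return rule.action
    return "allow"


def simulate(route_rules, fw_rules, host, tags, tunnel_up) -> Tuple[str, str]:
    """Return (egress interface, firewall verdict) for one host."""
    dest = pick_egress(route_rules, host, tags, tunnel_up)
    return dest, firewall_verdict(fw_rules, host, tags, dest)


# Post #8: only hosts tagged "vpn-only" use the tunnel; everyone else is untouched.
TAGGED = frozenset({"vpn-only"})
POST8_ROUTES = [(TAGGED, TUNNEL)]
POST8_FW = [
    FwRule("allow tagged over tunnel", TAGGED, TUNNEL, "allow"),
    FwRule("block tagged to WAN", TAGGED, EXTERNAL, "block"),
]

# Post #9: a bypass list routes normally; every other host, new ones
# included, goes over the tunnel and is blocked from the WAN.
BYPASS = frozenset({"10.0.0.9"})
POST9_ROUTES = [(BYPASS, EXTERNAL), (ANYONE, TUNNEL)]
POST9_FW = [
    FwRule("allow bypass hosts to WAN", BYPASS, EXTERNAL, "allow"),
    FwRule("allow anyone over tunnel", ANYONE, TUNNEL, "allow"),
    FwRule("block anyone to WAN", ANYONE, EXTERNAL, "block"),
]
# The same three rules with the catch-all block moved to the top: the
# ordering mistake post #9 warns about (the bypass hosts lose the WAN).
POST9_FW_MISORDERED = [POST9_FW[2], POST9_FW[0], POST9_FW[1]]


if __name__ == "__main__":
    cases = [
        ("post8 tagged host", POST8_ROUTES, POST8_FW, "10.0.0.5", TAGGED),
        ("post8 plain host", POST8_ROUTES, POST8_FW, "10.0.0.9", frozenset()),
        ("post9 bypass host", POST9_ROUTES, POST9_FW, "10.0.0.9", frozenset()),
        ("post9 new host", POST9_ROUTES, POST9_FW, "10.0.0.77", frozenset()),
        ("post9 misordered, bypass host", POST9_ROUTES, POST9_FW_MISORDERED,
         "10.0.0.9", frozenset()),
    ]
    for label, routes, fw, host, tags in cases:
        for up in (True, False):
            print(f"{label:30} tunnel {'up  ' if up else 'down'} ->",
                  simulate(routes, fw, host, tags, up))
```

Running it shows the property the thread is after: with post #8's rules a tagged host is allowed only while its egress is the tunnel and is blocked the moment routing falls back to External, while untagged hosts are never touched; with post #9's rules a brand-new host is covered automatically, and the misordered copy blocks even the bypass list, which is the "order of the rules is correct" caveat in practice.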

#10 Untangler (joined Dec 2018, 97 posts)

    Thanks for this thread!

    I was wondering how to accomplish this feat and now I know.
