
UTM9: home . Noob question on routing/access

My problem/ question is this.

I have a machine on my internal network (assigned a static IP). I want this machine to be able to access only certain IP addresses on the internet (I have a list of approx 1000 servers) using only ports 443 and 1194.

I have tried reading the guides, but can't seem to find a way to do this.

Any help / guidance would be appreciated.

Mike



  • Hi and welcome,

    Are the IP addresses related? Are they DNS based servers?

    1000 servers is an exceptionally large list to enter by hand.

  • Hi rfcat_vk

    many thanks for the response.

    They are not related. They are VPN servers from NordVPN.com.

    At the moment, my internal machine just randomly selects one from the list and connects to that. I don't want that machine to connect to the internet if the VPN drops out.

    If it's not possible to do (easily), then that's fine. I will just select a handful of servers and work with those.

    Mike

  • This will block all web traffic not on a whitelist:

    Create a filter profile for that machine's IP address, and a different filter profile for everything else. Special machine filter profile is priority one to act as an exception that takes precedence over the larger network block.

    In the filter policy for that machine, on the first page block all categories including uncategorized and categorization profile. On the second page, allow specific sites using website allow list using URL or regex. Alternative is to create a website exception to assign a tag and then put the tag onto the filter policy.

    But I don't think that gets you to your goal, which is to force traffic through the VPN session. This might work if you know the VPN IP range:

    You create web filtering skip lists to ensure the special machine's IP does NOT use the web proxy in either mode. This causes the traffic to go through the firewall layer. (See my UTM architecture post in the WIKI section of this forum.) Then you create firewall rules to block any traffic from that source IP other than the target VPN address block.

    You will need to invoke a standard mode web proxy at the other end of the tunnel for the machine to browse the web. But when the tunnel is down, no internet at all.

  • many thanks Douglas.

    I have done what you suggested in the first part of your post, which works a treat, but I'm not sure I grasp what you're suggesting in the second part (that's why I'm a noob I suppose!).

    I take it it's not possible to have a firewall rule so my machine can only access ports 443 & 1194, along with what I've already done with the filter profile? (Well, I tried and it doesn't seem to block the other ports.)

    Is that because the filter profile comes first, and therefore the firewall rule is ignored?

    Mike
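As an added example (not from the thread, and not UTM's own configuration syntax), here is a small Python model of the firewall-layer rule set Douglas describes and that Mike's port question refers to: the static host may reach only the VPN server list on TCP/UDP 443 and 1194, everything else from that host is dropped, and the long server list is collapsed into the fewest CIDR blocks so it becomes fewer network objects. All addresses are constructed RFC 5737 documentation addresses, not real NordVPN or LAN IPs.

```python
# Added example, not from the thread: models the allowlist-then-drop firewall
# rules for the static host. Addresses are constructed (RFC 5737 ranges).
import ipaddress
from typing import Iterable

# Constructed stand-in for the ~1000-entry server list (a handful here).
VPN_SERVERS = [
    "198.51.100.12", "198.51.100.13", "198.51.100.14", "198.51.100.15",
    "203.0.113.7", "203.0.113.200",
]
CLIENT_HOST = ipaddress.ip_address("192.168.1.50")  # constructed static LAN IP
ALLOWED_PORTS = {443, 1194}                          # ports from the question


def collapse_servers(addrs: Iterable[str]) -> list:
    """Merge individual server IPs into the fewest CIDR blocks so a long
    list needs fewer firewall network objects (e.g. .12-.15 become one /30).
    Non-adjacent hosts stay as /32 entries."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    return list(ipaddress.collapse_addresses(nets))


def firewall_verdict(src: str, dst: str, proto: str, dport: int) -> str:
    """Rule 1: client -> any collapsed VPN block, tcp/udp 443 or 1194: allow.
    Rule 2: client -> anything else (wrong port or non-VPN destination): drop,
    which is what keeps the host offline when the tunnel is down.
    Packets from other sources fall through to the default policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip != CLIENT_HOST:
        return "default"
    in_vpn_range = any(dst_ip in net for net in collapse_servers(VPN_SERVERS))
    if in_vpn_range and proto in ("tcp", "udp") and dport in ALLOWED_PORTS:
        return "allow"
    return "drop"
```

The model only covers the firewall layer; whether the web proxy intercepts the host's traffic before these rules are evaluated (the skip-list point in the reply above) is a separate setting it does not represent.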