3rd Party VPN Kill Switch Reliability?

Hiya,
Can anyone comment on the reliability of the 3rd Party VPN Kill Switch in router mode?

Since I will be using it mainly for a Linux machine, should I set up something like iptables on my PC as well to stop DNS/IP/packet leaks? Would my PC even be able to do something like this if the traffic is being routed to the VPN by the Firewalla?

Or will Firewalla reliably work in edge cases and I should just leave it to do its thing?

Some examples I wonder about would be (assuming I am using router mode):

  • VPN provider has an outage mid-use, but local ISP is still active, would there be any leaks before this is detected?
  • Will the VPN be active the moment the Firewalla connects to the internet (assuming the PC is already on and waiting to connect), or will it take time to set up the VPN after connecting to the ISP, during which time traffic would not be going through the VPN?
  • Any other network transition states or VPN outage/process crash scenarios etc

Any input is appreciated!

So for me, the second my ISP goes down the VPN disconnects. It's pretty quick, and then when restored it takes a few minutes to reconnect.

Hey,
Here is some more info from some not so great experiences that I've had, and what to watch out for:

1. Until about a year+ ago, if you were rebooting Firewalla, traffic came back very quickly, but for a few minutes, rules and VPN routes weren't applied at all, and traffic could flow freely between subnets, and to your ISP gateway, until the system fully "recovered", and the last thing to come back were the VPN routes. I had a couple of smart devices that required VPN for geo routing that were totally blocked due to this. It took me a long time to get Firewalla to fix this, and now you'll notice that it takes a while for traffic (especially VPN) to come back after reboot (e.g. you can get a local IP, but the VPN gateways will show "error" for several minutes, and traffic would be blocked until everything is restored and then some), but this is a good thing.

2. During that endeavor, I discovered that the kill switch was not real, i.e. all traffic routed through the VPN tunnel stops if the VPN connection fails; it's only the case if you force your DNS through the VPN (likely something you do; I won't go into when you may decide otherwise). Anyway, the reason the traffic stops is only because Firewalla is unable to resolve DNS through the VPN tunnel (if this happens, you will see endless DNS requests not going through, based on your rules and checking "resolve DNS through VPN"). If DNS traffic is allowed via other DNS servers, traffic to the resolved destination will continue to flow, not temporarily but permanently. Unless something has recently changed, kill switch doesn't do very much; it is the force DNS through VPN that makes DNS resolutions impossible, and therefore any domain that needs resolution "doesn't know where to go" (Firewalla cache does not apply to VPN traffic, if you're asking what about that). If there was a true kill switch, it would stop any traffic and you wouldn't see endless unsuccessful attempts to resolve DNS.
This is very hard to replicate after the reboot has been fixed, since VPN disconnects from provider side are rare, but it’s good to know it is the “force DNS through vpn”, not the switch that kills the traffic.
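The host-side firewall the original poster asks about, as an added example that is not from this thread or from Firewalla: an nftables ruleset for the Linux client that only lets DNS reach the gateway resolver, plus a check that /etc/resolv.conf names nothing else, which closes the "DNS allowed via other servers" path described above. The resolver address 192.168.1.1 and the table name vpn_guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Firewalla): pin a Linux client's DNS to the
# gateway resolver so a stray nameserver cannot bypass "force DNS through VPN".
# Assumptions: the Firewalla answers DNS at 192.168.1.1; table name vpn_guard is ours.
RESOLVER="${RESOLVER:-192.168.1.1}"

# Emit an nftables ruleset: DNS to the pinned resolver is accepted, any other
# DNS (udp/tcp 53) or DNS-over-TLS (tcp 853) is rejected and counted, IPv6 included.
build_dns_pin_rules() {
  resolver="$1"
  cat <<EOF
table inet vpn_guard {
  chain output {
    type filter hook output priority 0; policy accept;
    ip daddr $resolver udp dport 53 accept
    ip daddr $resolver tcp dport 53 accept
    udp dport 53 counter reject
    tcp dport { 53, 853 } counter reject
  }
}
EOF
}

# Return 0 only if the resolv.conf-style file names at least one nameserver and
# every nameserver it names is the pinned resolver; any other entry is a leak path.
check_resolvers() {
  file="$1"
  resolver="$2"
  awk -v r="$resolver" '
    $1 == "nameserver" { n++; if ($2 != r) bad++ }
    END { exit (n == 0 || bad > 0) ? 1 : 0 }' "$file"
}

# Apply only when invoked explicitly; refuse if resolv.conf already points elsewhere.
if [ "${1:-}" = "apply" ]; then
  check_resolvers /etc/resolv.conf "$RESOLVER" || {
    echo "resolv.conf lists a nameserver other than $RESOLVER; fix that first" >&2
    exit 1
  }
  build_dns_pin_rules "$RESOLVER" | nft -f -
fi
```

In router mode the client cannot see whether the Firewalla's tunnel is up, so this only removes the host-side DNS bypass; the router's kill switch and "force DNS through VPN" setting still have to do the rest. Run as root with `sh script.sh apply`.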

You are best sending this question to support. I do know the team spent a lot of time to make kill switch kill. Support should be able to look at logs and help you understand if there is a leak or not. You should also show your configuration on the Linux side as well, in case it routes traffic to other places.

That's good to know, thanks!

That sounds like a good idea! Thanks, I'll try that 🙂

Please let us know what they say.