Block non VPN traffic - Issues


Last day my AX1800 got updated to 4.x version of firmware.
Instead of internet kill switch I have been recommended to use “Block non VPN traffic”

In my network run on AX1800

  1. I have a bunch of clients run on VPN (policy based routing using client Mac address)
  2. Remaining clients connected directly (non-vpn)
  3. The VPN clients access internet through VPN tunnel
  4. Non VPN clients access internet directly from isp modem
  5. Internet kill switch to be applicable only for VPN clients to block internet if VPN connectivity fails

Everything works well on 3.x firmware

After upgrading to 4.x firmware
The following issues are faced

  1. When “Block Non VPN traffic is enabled” the NON VPN devices on my network (policy based routing)
  2. If “Block non VPN” traffic is disabled then the VPN clients get exposed outside in case if VPN fails.

Hence I would say “Block non VPN traffic” is not an alternative to kill switch and the previous firmware is far better.

Do any one know how to fix my requirements.

I tried downgrading over web user interface, but 3.x firmware package verification fails.

I am totally disappointed with this crap firmware update.

BLOCK non VPN traffic should be only applicable to devices on VPN or VLAN on policy based VPN configuration

Thanks & Regards,

1 Like

Possibly related:

1 Like

I am having a similar issue if I was to leave the house and come back with this supposed to be kill switch it does not reconnect I connect to the wifi but the router won’t give me a connection.

I then have to undo it then re enable the kill switch …

The kill switch should not block connections that have credentials to access the router …

This should not be the case otherwise it is leak.

You don’t need to block non vpn traffic. The vpn clients should. It be exposed outside in case vpn fails. But vpn is disabled all clients will be exposed to normal internet which is normal.

Hi Alzhao,

As you explained, I was believing as you mentioned, when VPN fails the VPN clients traffic with be blocked from internet.

But that seems not the case, today after several months when the VPN server connectivity was lost. AX1800 router exposed the VPN clients directly to internet rather than blocking the traffic.

The VPN connection was through witeguard, AX1800 firmware version - 4.4.60, MAC Policy based VPN

Hence I would say the functionality of blocking internet to VPN clients when VPN connectivity is lost feature is not working.

I know 4.5 version of firmware is available, but didn’t see a fix for this issue in release notes hence I didn’t update it yet.

This is a bug. Can you try newer version?

Thank you for the reply. I don’t see any fixes to VPN in release notes of new firmware. Can you let me know which fix ? mentioned in release notes cover this issue.

More over I tunnel a SIP telephony and would like to ensure service is not affected by introduction of ALG gateway.

How did you confirm VPN clients were exposed?
Can you upgrade to firmware 4.5?

I use VPN to watch regional content from my home country when I am away. The streaming platform reported that I am outside the country and hence few contents may not be available in the region.

This means the Vpn leaves and connected to the country that I travelled to.

When the VPN server reconnected everything was back, which confirms that the issue was a VPN leakage.

I am okay to upgrade to 4.5, but the release notes do not have any mention about this issue or fix, or even anything related to VPN.

The only reason I didn’t upgrade is that 1) need to get a confirmation that the issue is fixed on 4.5 2) need a confirmation that it won’t break my sip due to the introduction of ALG 3) also I would like to understand how I could revert back the 4.4 if 4.5 causes more issues

Thanks & Regards,

1 Like
  1. You must be using “Auto detect” mode, which allows Lan-wan forward.
    “global proxy” mode is more strict and you may switch to that.

  2. 4.5 firmware ALG can be turned off if it causes any issue with your setting.
    On admin panel: Network - NAT Settings - Enable SIP ALG

  3. Back up configs before upgrading to version 4.5, in case you need to revert.

Thank you for the reply. I will can update the firmware on the weekend.

Still you didn’t answer me related to the fix & release notes. There is no mention in the release notes. Since there is no mention of VPN fix in the release notes, I am wondering how the 4.5 upgrade can resolve the VPN issue.

Does it mean that there are issues fixed on 4.5 firmware which is not captured in the release notes?

I am waiting for a response to the query. Kindly reply on the query related to the release notes

Here is the expected configuration

  1. Few devices (selected by Mac address) should be routed through VPN only (split routing)
  2. Other devices should be directly connected to internet (not through VPN)
  3. When VPN connection drops (server disconnected), the VPN only devices should be blocked internet access (should not leak). At the same time the non-vpn devices should remain unaffected.

The above requirements was working well for more than an year without any issues until I upgraded to 4.x version of firmware.

Last day I had the VPN leaked again, if you need any specific information I could capture when it happens again.

The recommendation was to upgrade to 4.5 version, but the release notes do not mention anything about this fix, hence I am not sure how the upgrade could fix the issue

Does it mean that there are fixes that are not captured in release notes?

Sorry for missing the issue. Can you show me this command output when the issue happens?


Sure… Next time when it is down will get you the IP table information.
I may mask off few IPs before I share

mean while could you answer to my query whether all the fixes are captured in release notes?

This is the behavior even if you’re using version 4.4.6, with “Block Non-VPN Traffic” global option off.
So I want to know what’s going on.

And, when “Block Non-VPN Traffic” is on, the device not using VPN will be blocked.
We didn’t change that for the 4.5 version.