• PfSense OpenVPN redirect traffic to WAN

    6
    0 Votes
    6 Posts
    4k Views
    V
    @II_Echelon_II: What routing settings would I have to use to get an IP from my home network instead of that of the VPN's virtual network? Or should I just redirect all traffic with the destination of my home network?
    As said above, I recommend using a special tunnel network and a tun device. So the VPN client gets an IP from this tunnel network and pfSense does the routing. For this, just enter 192.168.1.0/24 in the "Local Network(s)" field of the VPN server config and traffic from the client to this subnet will be routed over the VPN connection. As mentioned above, you additionally need a rule in pfSense on the VPN interface to permit traffic to 192.168.1.0/24. That's all.
  • VPN drive mappings

    2
    0 Votes
    2 Posts
    547 Views
    V
    Use IP addresses instead of hostnames in drive mappings.
  • Selective devices and/or netfl!x/spot!fy/whatever via VPN - How to

    2
    0 Votes
    2 Posts
    904 Views
    P
    Part two: Configure netfl!x/spot!fy/whatever via VPN (when traveling abroad)

    1. Install & Configure pfBlockerNG pkg
       Install pfBlockerNG
       Firewall: pfBlockerNG: General Settings
         Enable pfBlockerNG [Check]
         Keep Settings [Check]
         Enable De-Duplication [Check]
         Enable Suppression [Check]
         Disable MaxMind Country Database CRON Updates [Check]
         Inbound Firewall Rules - Interface: "WAN", "VPN1"
         Outbound Firewall Rules - Interface: "LAN"
         Floating Rules [Check]
         [Save]
       Firewall: pfBlockerNG: IPv4
         [+ New]
         Alias Name: "sites_via_vpn"
         IPv4 Lists: Format "html", State "ON", URL "http://bgp.he.net/search?search[search]=netfl!x&commit=Search", Header "Netfl!x"
         +Add another list for spot!fy
         List Action: "Alias native"
         Update Frequency: "Weekly" (Please don't select Every hour)
         [Save]
       Firewall: pfBlockerNG: Update
         Click "Force reload"

    2. Create custom FW rule w/ pfBlockerNG
       Firewall: Rules: LAN
         [+ New]
         TCP/IP Version: "IPV4"
         Protocol: "Any"
         Destination Type: Single host or alias
         Destination Address: "pfB_sites_via_vpn" (pfBNG creates alias name with pfB_ prefix and the alias name in Step 1)
         Description: "pfb_sites_via_vpn" (Must be exactly same as Destination Address, except change capital B to small)
         Gateway: "VPN1 - 10.8.0.5"
         [Save]

    PS: In Step 1, replace exclamation marks with "i". Don't put whitespace or weird symbols in pfBNG's alias name or header.
  • Kernel: sonewconn: Listen queue overflow

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • 2Sites Connected with Dedicated VLAN trunk cannot ping

    1
    0 Votes
    1 Posts
    516 Views
    No one has replied
  • Only local Traffic through openvpn

    8
    0 Votes
    8 Posts
    3k Views
    C
    Just recognized what my problem was: I opened the thread when I experienced the same as the guy here: http://askubuntu.com/questions/254031/change-openvpn-clients-default-route Ubuntu adds a default-route by itself if you don't check the "use this connection only for resources on this network". When I tried to compile the mail with all configs and details I used the command-line client. That's why it worked like expected. Just for the record.
  • Once a week OpenVPN tunnel drop in 2.2.[x]

    2
    0 Votes
    2 Posts
    672 Views
    S
    Fixed. It appears I've figured out what was causing this, but not exactly why it was causing it. The two locations having this problem each use their own 4G router as a backup WAN (set as tier 2 in a failover group that the LAN points to), and the router is set to automatically reboot every Sunday morning. When I tested by initiating a reboot of the 4G router with a running ping to the remote LAN network, sure enough the tunnel stopped passing traffic about 30 seconds after beginning the reboot. This happened reliably when trying it for both locations. Once again, going into the remote firewall and restarting the OpenVPN client connection brought it back. So now it's a curiosity why bouncing a tier 2 and not-currently-active WAN connection would break an OpenVPN tunnel.
  • Forward port from openvpn network to LAN

    8
    0 Votes
    8 Posts
    1k Views
    D
    No, that's not already done. You are setting up the port-forward on LAN, according to the screenshot. It won't do anything useful there. Also, if you have any rules on OpenVPN tab, remove them.
  • [SOLVED] Routing/VPN - multiple s2s/road warrior

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD
    Your site-to-site and remote access OpenVPN instances are both on 1195 on site 1?
  • OpenVPN ToS Tagging

    3
    0 Votes
    3 Posts
    4k Views
    J
    Thanks Jim. I've seen many a bandwidth provider (Comcast primarily) actually strip tagging once the packet reaches their network, so this would simply accomplish ensuring that the pfSense is forwarding VOIP packets before others, whether inside a tunnel or not. Actually, this is good news for VPN tunnel QOS, as I've seen several postings on here arguing that QOS within a tunnel doesn't work. While that is technically correct, this feature at least allows for QOS on specific traffic, whether it's inside a tunnel or not.
  • OpenVPN - Site-to-Site - Clients Connectivity

    2
    0 Votes
    2 Posts
    657 Views
    D
    You didn't mention which pfSense version you're using in all this? If this is the same configuration as your previous thread (https://forum.pfsense.org/index.php?topic=93729.msg520236#msg520236), then the simplest solution IMHO is to change your setup slightly so that the HO has only 1 OpenVPN server that handles both BrO1 and BrO2. You tell the OpenVPN server about all the remote networks in a comma-separated list entered in "IPv4 Local Network/s" (192.168.1.0/24, 192.168.0.0/24 in your case). You use the Client Specific Configurations on the server to specify which remote network gets routed to which client (this has to be currently working or your dual server setup wouldn't be working now). The BrO1 and BrO2 clients both connect to the same HO OpenVPN server and the CSC settings make sure things are routed where they need to go. The server hands out all external routes to both clients so they understand how to get to each other's networks (through the server). The only other way is to set up, say, BrO1 as its own additional OpenVPN server and add a client from BrO2 to BrO1.
  • Failing to connect OpenVPN to IPVanish

    10
    0 Votes
    10 Posts
    5k Views
    T
    I'm not sure where I'm supposed to look for my ip route. However, it's finally working! I reset all "Firewall: NAT: Outbound" rules then copied two from the WAN rules creating them for VPN. That solved it! Thanks for the help!
  • No DHCP for OS X clients (probably Linux as well), Windows work fine

    6
    0 Votes
    6 Posts
    1k Views
    S
    Continuing my monologue… A bit more experimenting reveals that if DHCP relay is enabled then the OS X DHCP client works with the internal DHCP server, too. But I have a DHCP server running on the DMZ interface and I cannot run DHCP relay. I will continue this topic in the DHCP/DNS forum as it seems more appropriate.
  • Hidemyass OpenVPN with pfsense

    6
    0 Votes
    6 Posts
    5k Views
    G
    You may also want to note that HMA doesn't really HYourA.  ;) https://www.reddit.com/r/torrents/comments/1lpey9/just_learned_why_hide_my_ass_is_such_an_awful/ Try these guys https://cryptostorm.is/ Free connections limited to 1Mb/s down and 500kb/s up.
  • OpenVPN bridge mode

    1
    0 Votes
    1 Posts
    826 Views
    No one has replied
  • VPN rules not behaving as expected

    8
    0 Votes
    8 Posts
    1k Views
    E
    After performing a series of packet captures and CLI debugs, it turns out the phone system is actually sending the RTP traffic to the local IP instead of the VPN allocated IP - no problem with pfsense at all. Thanks again for your help, at least I know my setup is working fine.
  • Can't get internet access through OpenVPN Server. (About to blow my head off!)

    18
    0 Votes
    18 Posts
    4k Views
    N
    The outbound rules should be working ;) I checked the automatic rules as well.
  • VyprVPN to PFsense 2.2

    1
    0 Votes
    1 Posts
    968 Views
    No one has replied
  • Pfsense behind nat: openvpn config export with RFC-1918 address

    5
    0 Votes
    5 Posts
    1k Views
    C
    Wow, that's exactly what I was looking for! Thank you a lot!! :-) :-)
  • Route all traffic for a VLAN through OpenVPN

    5
    0 Votes
    5 Posts
    16k Views
    DerelictD
    I like this method: https://forum.pfsense.org/index.php?topic=84463.msg463226#msg463226
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.