• Poor performance with OpenVPN

    29
    0 Votes
    29 Posts
    3k Views
    T

    For comparison's sake I set up WireGuard between the two networks. WireGuard starts with an MTU of 1420, and it reaches almost line speed in both forward and reverse directions.

    # wg-quick up wg0
    [#] ip link add wg0 type wireguard
    [#] wg setconf wg0 /dev/fd/63
    [#] ip -4 address add 10.0.0.2/32 dev wg0
    [#] ip link set mtu 1420 up dev wg0
    [#] ip -4 route add 10.0.0.0/24 dev wg0
    root@wireguard:/etc/wireguard# iperf3 -c 10.0.0.1
    Connecting to host 10.0.0.1, port 5201
    [ 4] local 10.0.0.2 port 34842 connected to 10.0.0.1 port 5201
    [ ID] Interval Transfer Bandwidth Retr Cwnd
    [ 4] 0.00-1.00 sec 14.8 MBytes 124 Mbits/sec 0 1.74 MBytes
    [ 4] 1.00-2.00 sec 16.8 MBytes 141 Mbits/sec 0 2.58 MBytes
    [ 4] 2.00-3.00 sec 17.0 MBytes 142 Mbits/sec 3 2.96 MBytes
    [ 4] 3.00-4.00 sec 16.0 MBytes 134 Mbits/sec 1 2.07 MBytes
    [ 4] 4.00-5.00 sec 16.7 MBytes 140 Mbits/sec 1 1.52 MBytes
    [ 4] 5.00-6.00 sec 17.0 MBytes 142 Mbits/sec 0 1.62 MBytes
    [ 4] 6.00-7.00 sec 16.9 MBytes 142 Mbits/sec 0 1.70 MBytes
    [ 4] 7.00-8.00 sec 16.8 MBytes 141 Mbits/sec 0 1.75 MBytes
    [ 4] 8.00-9.00 sec 16.9 MBytes 142 Mbits/sec 0 1.79 MBytes
    [ 4] 9.00-10.00 sec 17.0 MBytes 142 Mbits/sec 2 920 KBytes
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval Transfer Bandwidth Retr
    [ 4] 0.00-10.00 sec 166 MBytes 139 Mbits/sec 7 sender
    [ 4] 0.00-10.00 sec 163 MBytes 137 Mbits/sec receiver
    iperf Done.
    root@wireguard:/etc/wireguard# iperf3 -c 10.0.0.1 -R
    Connecting to host 10.0.0.1, port 5201
    Reverse mode, remote host 10.0.0.1 is sending
    [ 4] local 10.0.0.2 port 35042 connected to 10.0.0.1 port 5201
    [ ID] Interval Transfer Bandwidth
    [ 4] 0.00-1.00 sec 13.0 MBytes 109 Mbits/sec
    [ 4] 1.00-2.00 sec 16.9 MBytes 141 Mbits/sec
    [ 4] 2.00-3.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 3.00-4.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 4.00-5.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 5.00-6.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 6.00-7.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 7.00-8.00 sec 16.9 MBytes 141 Mbits/sec
    [ 4] 8.00-9.00 sec 16.9 MBytes 142 Mbits/sec
    [ 4] 9.00-10.00 sec 16.9 MBytes 142 Mbits/sec
    - - - - - - - - - - - - - - - - - - - - - - - - -
    [ ID] Interval Transfer Bandwidth Retr
    [ 4] 0.00-10.00 sec 168 MBytes 141 Mbits/sec 3 sender
    [ 4] 0.00-10.00 sec 168 MBytes 141 Mbits/sec receiver
  • 3 Site Multi-WAN VPN

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Exclude IP from VPN Client on pfSense Version is 2.4.4-RELEASE-p3

    1
    0 Votes
    1 Posts
    155 Views
    No one has replied
  • 0 Votes
    1 Posts
    4k Views
    No one has replied
  • 2 vpn clients setup and keeps dropping what I think is dns

    1
    0 Votes
    1 Posts
    247 Views
    No one has replied
  • multiple vpn server at the same time and Netflix on Apple TV

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • Openvpn tcp 443 and webserver

    1
    0 Votes
    1 Posts
    287 Views
    No one has replied
  • Unable to connect to pfsense Proxmox VM using OpenVPN

    1
    0 Votes
    1 Posts
    219 Views
    No one has replied
  • Connect to OpenVPN server and directly to Internet, at the same time

    3
    0 Votes
    3 Posts
    511 Views
    S

    @stefan-lazarevic Ok, I have found out the solution.

    I have opened settings here:

    Under tunnel settings, I have unchecked "Force all client-generated IPv4 traffic through the tunnel"

    But I want to force other users through the tunnel, so I went to OpenVPN settings, then Client Specific Overrides, then clicked to edit the user and checked "Force all client generated traffic through the tunnel." under Tunnel options.


    Now my server can connect to Internet directly and also to my LAN.

  • Spontaneous 20% packet loss over OpenVPN tunnel, only fixed after reboot

    1
    0 Votes
    1 Posts
    199 Views
    No one has replied
  • 0 Votes
    13 Posts
    1k Views
    r3ubenR

    @viragomann Thanks for the help, making sure firewall rules also apply to 'Public' has resolved my issues.

    Reuben

  • OpenVPN setup on pfsense and something I'm missing...

    1
    0 Votes
    1 Posts
    253 Views
    No one has replied
  • 0 Votes
    11 Posts
    1k Views
    D

    I know this is an old post, but I recently was having this same issue. After reading this, I changed my mask from /24 to /28 and all is well. Not sure if it is a bug or what, but that seemed to help me (since I am only allowing 10 concurrent connections). I am on Version 2.4.4-RELEASE-p3 (amd64), UDP on IPv4, Remote Access(SSL/TLS), port 1194, built via wizard. Thanks.

  • 0 Votes
    1 Posts
    196 Views
    No one has replied
  • how to setup Leakproof VPN (Private Internet Access)

    9
    0 Votes
    9 Posts
    2k Views
    T

    @Bob-Dig
    thanks for the interesting hint, tagging looks like a great feature!
    So basically I am tagging all (!) my current rules in the LAN section where I define which traffic is allowed and that it goes through the OpenVPN gateway.
    And then I set up a rule which rejects all traffic which is tagged and goes to WAN, correct?

    How do I make sure that the only connection the pfSense can make itself will be to the VPN provider's DNS and OpenVPN servers?

    As far as I understand this can also be done via "floating rules":

    Floating Rules can:
    Filter traffic from the firewall itself
    Filter traffic in the outbound direction (all other tabs are Inbound processing only)
    https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html
    [...]

    -Tom

  • NAT Rule breaks after setting up OpenVPN server

    2
    0 Votes
    2 Posts
    265 Views
    S

    Finally figured it out. It put the any/any autocreated rule in the OpenVPN category under firewall rules. I had to add a new interface assignment for the OpenVPN server and move the rule to be bound to that interface specifically in order for policy based routing to work correctly.

  • Windows Server 2012 Standard with RRAS vpn server Behind PFSENSE

    7
    0 Votes
    7 Posts
    1k Views
    K

    @Rico thanks, it's working now

  • "Preserving recently used remote address"

    3
    0 Votes
    3 Posts
    3k Views
    R

    Found the issue - my own stupidity.

    At some point in the past, I had put my ip in as a host override in the dns server settings.

    Doh!

  • Yet another 'Cannot access LAN through VPN' post

    2
    0 Votes
    2 Posts
    368 Views
    GrimetonG

    What's the question?

    I assume you can connect to the OpenVPN-Server fine but you cannot connect to things on LAN right?

    If that's the case, turn the OpenVPN-Interface into a TAP interface (L2), then turn LAN into a bridge, adding the OpenVPN-TAP-Interface and the LAN-NIC to the bridge.

    Restart the OpenVPN-Server, export the OpenVPN-config to the phone again, refresh and reconnect.

    Now the phone should get an ip-address and be bridged into the LAN, problem solved. (This can take a few seconds if STP is enabled on the bridge).

    The other option is to use a TUN interface. The downside here is that stuff like broadcasting is not working. Nevertheless you can go down two routes:

    Easy route:

    Give the VPN-Clients a different subnet, e.g. 10.1.1.0/24 and route them to the LAN-subnet. As the LAN uses pfSense as default gateway, LAN is able to find the way back.

    Hard route:

    You use brouting to make this happen. You have to understand that routing and subnetting are NOT the same.

    So on the LAN-Interface you have 192.168.0.0/24 as subnet and 192.168.0.1/24 as ip-address. On OpenVPN's TUN interface you have 192.168.0.241/24 (YES, 24) as IP-address. Also you hand out IP-addresses in the range of 192.168.0.240/28 to the clients. You add a static route of 192.168.0.240/28 to the tun interface (YES, THE INTERFACE) and enable proxy ARP for the interface.

    Now a client dials in via tun interface, gets an IP-address in the range of 192.168.0.240/28 and the firewall proxies the arp requests from one site to the other. As it knows what's going on, it magically copies the packets back and forth and you're a happy camper.

    You need to understand what this does, how proxy arp works and that you can get yourself into a lot of trouble if other networks exist and you haven't configured this correctly.

    KR,

    G.

  • 0 Votes
    15 Posts
    2k Views
    GrimetonG
    Hello The first routing that you posted, which pfSense is that? A? B? maybe C? The first routing I posted got in the Pfsense Web interface "PfSense->Web-Interfaces->Diagnostics->Routes"

    Yeah.

    Nevermind.

    I give up.

    I asked you on which machine you got this routing table and still you are not able to provide that information.

    Have fun figuring this out, but I'm not gonna waste my time here. Maybe paid support will get you anywhere. They can help you here:

    https://www.netgate.com/support/

    Nice talking to you!

    Have a nice day!

    KR,

    G.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.