@thenmanbr said in pfsense bypasses firewall rule: @chpalmer however, in the event of a reboot, do you know how would i prevent this issue from happening? (i'm assuming it's the order things are loaded, first vpn then filters... if that even makes sense) I do not.. I comes as a little bit of a surprise to me as well. I use separate VPN servers for each of my tunnels and Im the only road warrior connection here. If I was to stop a connection to a site I would first go to that site and delete the client. Can you try a "reject rule" and see if that does it?..

So troubleshoot resolving names from one of the connected clients and see where the process is breaking down. Do you know how to troubleshoot DNS issues using tools like dig and drill? Yeah. we know you have had nothing but problems with pfSense insert feature here lately. So troubleshoot it.

Even in the logs, I can see that the server is pushing its own address as the gateway, yet pfSense does not use it as the gateway IP: Dec 21 02:45:36 openvpn 67745 PUSH: Received control message: 'PUSH_REPLY,route-gateway 172.27.120.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.27.120.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'

No. I used some tutorial of PIA open vpn client.

@viragomann said in Bypass VPN for specific www site: If I access www.alliantcreditunion.com I get redirected to www.alliantcreditunion.org, which is another IP. So you will have to add this FQDN to your alias as well. Also the site may contain further parts which come from other sources and also need to be directed over the WAN GW. You can use browser tools to investigate. Interestingly enough is I am able to access www.alliantcreditunion.org just fine. Something will not allow me to access the login page

pfSense does not impose any requirements on passwords at the moment. You will get a warning if the password is left as pfsense but that's it.

The first thing I would do is update to 2.4.4-p1

no i have a static ip so i am not using aliases. i just think i am doing it wrong. no one confirms if i am doing it right or wrong. can someone help. here is my exact setup and what i am doing openvpn server 192.168.1.0/24 openvpn client 1 192.168.2.0/24 (tunnel 10.0.1.0/30) openvpn client 2 192.168.3.0/24 (tunnel 10.0.3.0/30) client 1 and 2 reach the server with NO issues but client 1 talking to 2 or 2 talking to 1, does NOT work. i can only reach from 1 or 2 to the main openvpn server so i was told to assign the 2 openvpn on the main server to an interface. then i enabled those 2 interfaces as soon as i do this. client 1 and client 2 lost their connection to the server then i was told to go to firewall rules, openvpn tab, create a new rule as follows: action: pass interface: openvpn address: ipv4 protocol: any source: the assigned interface from client 1 openvpn destination: the assigned interface from client 2 openvpn i wrote a description and saved. but this does NOT do anything. i am still without connection to the main server openvpn from both clients. not sure what i am doing wrong! please advise

@chpalmer The machines in question are a linux box (firewall off) and grandstream phones. (cant connect to the phones web interface and the phones can't register to the pbx server (the linux box). Oh plus there is a synology NAS that can't be reached either. So no, no windows firewall or any other firewall.

All, many thanks for the help and the insight. This honestly wasn't supposed to be difficult. I've decided to get rid of pfSense altogether and use the facilities my commercial host has. It's not ideal, but it does work. All I was trying to do was access my private network remotely as I've done numerous times before with a variety of products. This has just cost me too much time as it is. Thanks again

I have solve the problem thanks to this post: https://forum.netgate.com/topic/101293/route-all-traffic-thru-vpn-except-for-modem-gui-access/2 but i have a new question, is there a way to open a port and access webgui modem from vpn public ip? Stefano

For posterity... I decided to set up a separate OpenVPN server for each group of users. In the end it was the cleanest way to differentiate between the groups by assigning a unique subnet to each instance of OpenVPN. Client Specific Overrides is an interesting feature and might have allowed a portion of what I was looking for, but did not offer a complete solution. Thank you, cdunbar

Jimp. I already solved it, what happens is that they have to wait about 3 minutes for the openvpn to discard the connection through the wan that is below. Thank you

@pippin thanks for the advise. I haven't set up this particular pfsense myself. I needed to stabilise the VPN and I will build a clean one with the first chance. There are too many crap stuff in there too many changes have been made inside there from people who didn't actually know how to configure it properly. Will do my study before I make a clean one.

I got a Rule that sorts out traffic trying to connect to my LAN from the radio network. For the rest its fine since i run the other network anyway

@rico Thanks for sharing

What would fail with bogon still blocked is bogon's - but pretty sure pfsense pulls the rfc1918 space that is normally in bogon out... And lists in the different rfc1918 listing. rfc1918 is a bogon ;) Well if you want to get technical about its - better term is prob martian...

I watched this Youtube video from Lawrence Systems: https://www.youtube.com/watch?v=7rQ-Tgt3L18 At the 13 minute mark, he points out that one needs to add a line to the end of the config file created by VPN on the local computer being used to access the remote computer: redirect-gateway def1 On another website it was suggested that I might need to add a line in the pfSense firewall to the file found under VPN/OpenVPN/Server. I edited the file and under Custom Options added: push "route 192.168.xxx.0 255.255.255.0" I'm not sure which of these two additions did the trick, but the net result is that now I can connect from a remote location both to the pfSense GUI and to my desktop computer. So ... problem solved!!