Firewall Rule Routing IP Through VPN
-
So I wasn't really sure what to look for to try to find an answer to my problem, so sorry if I'm duplicating an existing topic, as I'm sure this has been answered before.
Just so you're aware of my setup:
I have my router from my ISP in modem mode; this is then wired into my pfSense server's WAN port. Then I have the LAN port going to a switch, and coming off my switch I have my main desktop and a TP-Link Wi-Fi router.
pfSense is on the default IP of 192.168.1.1, and the Wi-Fi router I have set up on 192.168.40.1.
I have my pfSense server set up on OpenVPN with NordVPN, and I'm setting up firewall rules that I can disable/enable so that I can essentially turn the VPN on or off for these specific devices when I like. Now, I have my main desktop's rule working fine, but this is essentially connected straight to the pfSense server via the switch. The issue is when I'm trying to do this for devices connected to the Wi-Fi router.
I have a Fire Stick on IP 192.168.40.100, but when I set up a rule for this it doesn't work; pfSense is still making it go through the firewall. I'm not sure what I'm doing wrong; it could just be something simple. Screenshot of the rules below.
-
@captain-chunck said in Firewall Rule Routing IP Through VPN:
I have a Fire Stick on IP 192.168.40.100, but when I set up a rule for this it doesn't work; pfSense is still making it go through the firewall.
Through the firewall?
Do you see 192.168.40.100 in the ARP table on pfSense?
-
@viragomann I meant through the VPN. And how do I find this table? I'm still relatively new to pfSense.
-
@viragomann Ah, found it. No, the Fire Stick isn't in the ARP table, but neither is my desktop.
-
@captain-chunck
Each IP pfSense actually communicates with must be found in the ARP table. Otherwise no communication is possible. The default timeout for ARP entries is 20 minutes.
So after initiating a connection to the internet on your desktop, you should find your IP there.
The same is true for all other devices. However, I suspect that your Wi-Fi router does masquerading, so that pfSense can only see its LAN IP, but not the origin device IP.
You probably can switch off this function, but then you have to add a static route on pfSense for the Wi-Fi subnet pointing to the router.
-
@viragomann Right, I see. Might be better off, for simplicity, just adding the whole Wi-Fi network as a rule for now.
-
@captain-chunck
Yeah, if it's reasonable for you that you cannot distinguish the Wi-Fi devices on pfSense, that's an option, of course.
-
@viragomann I just wanted to be able to switch the VPN on and off so I could essentially switch between American Netflix and UK Netflix, but it looks like the Wi-Fi router is only showing its own IP to pfSense and not what's connected to it.
-
@captain-chunck
I think you should be able to set the router into AP mode, so all devices get IPs in the LAN subnet.
Is it VLAN capable? That would also be an option to separate the Wi-Fi devices, even when the router is connected to an L2 LAN switch.
-
@viragomann I'm using a TP-Link VR400 as an AP; it's in wireless router mode, but the router is capable of being a modem too, so it has its own firewall and DHCP. I have the option to turn off the firewall and put it in DHCP relay mode. Would this be something I'd need to do?
-
@captain-chunck
The firewall can be turned off, but DHCP relay only makes sense if you want to use the DHCP on pfSense to register device names in DNS.
As long as it's in NAT router mode, you won't see the devices behind it.
-
@viragomann I had the option to turn off DHCP on the Wi-Fi router, so I did that, and I turned the firewall off too.