Netgate Discussion Forum

    Outbound rule to route specific clients to specific destinations via openVPN

    Category: NAT
    9 Posts 3 Posters 836 Views
    • chrisi51

      Hey there,

      I've got an OpenVPN tunnel that connects the pfSense to another network.
      I used 2 aliases:

      • allowed_hosts: holds all "allowed" clients, which may use this tunnel
      • tunnel_destinations: holds all destinations that should be reachable through the tunnel

      So I set an Outbound rule which looks like this:

      • interface: the vpn interface
      • source: network, alias allowed_hosts / 32
      • destination: network, alias tunnel_destinations / 32
      • translation address: Interface Address

      For those who are in the allowed_hosts alias, everything is working as expected.
      For everyone else it seems like they just get blocked instead of reaching the destination via the normal WAN route.

      So the tunnel_destinations are reachable publicly in general, but with the tunnel you can administer them and do some other special stuff you can't do without the tunnel. So it's important that I'm able to reach the tunnel_destinations also without being in the allowed_hosts alias.

      So I thought that the outbound rule would only take effect if both "conditions" are met ... and if not, pfSense would route just as if that rule weren't there. Contrary to that, it seems like it only routes through the tunnel if both conditions are met, and if not it just doesn't route the traffic in any way.

      Am I doing anything wrong, or is it a limitation or something like that?
      Thanks in advance
      Chris

      • Bob.Dig @chrisi51

        @chrisi51 You probably have to use policy based routing.

        • chrisi51 @Bob.Dig

          @bob-dig So you mean that instead of an outbound rule I set a normal firewall rule on my LAN device which holds the same conditions and sets the gateway then?

          • Bob.Dig @chrisi51

            @chrisi51 Maybe you have to do both, depends on your network and settings.

            • viragomann @chrisi51

              @chrisi51
              The outbound NAT does what its name implies. It translates the network address on outgoing traffic.
              But it's not meant for routing traffic.

              So yes, policy routing is what you're looking for.

              • chrisi51 @Bob.Dig

                @bob-dig Seems not to work ... deactivating the outbound rule just prevents connecting through the tunnel.

                And the firewall rule on LAN with source allowed_hosts and destination tunnel_destinations to use the gateway of the VPN tunnel does not seem to work ... if I enable both it's just like before, so it seems like this policy-based rule doesn't have any effect :(

                • chrisi51 @viragomann

                  @viragomann Oh, this might mean I need the outbound rule without source and destination settings and then the policy rule for the filters?

                  • viragomann @chrisi51

                    @chrisi51
                    The outbound NAT can circumvent certain routing issues at best. So probably your routing is not configured correctly.

                    Seems you have set the default route to the VPN gateway.
                    I guess, your side is the client and the server pushes the default route. If so you can check "Don't pull routes" to avoid that.

                    If you blow out upstream traffic on the OpenVPN gateway, the outbound NAT is needed though. It should work with the stated aliases, but they wouldn't be necessary.

                    • chrisi51 @viragomann

                      @viragomann Aaaaaah ... that could be the problem ... sure, there are routes pushed by the OpenVPN server and they are already listed in the routing table of our pfSense (pfSense indeed is the OpenVPN client in this case) ... so I will tick that "Don't pull routes" and then probably reconnect if it's not done on its own ...

                      So now the tunnel_destinations don't appear in the routing table anymore and ALL clients will go via the default WAN to those IPs ...

                      Then I've added a rule to LAN which again puts in the 2 conditions allowed_hosts and tunnel_destinations, using the VPN interface.

                      Et voilà ... seems to work =)

                      thanks @viragomann & @Bob-Dig

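The two points the thread turns on (viragomann's "outbound NAT translates, it does not route" and the fix in the last post: "Don't pull routes" plus a LAN rule with the VPN gateway) can be checked against a small model of the forwarding path. The block below is an added example written for this page, not pfSense code and not the poster's configuration: it is a deliberately simplified model of pf semantics (policy route-to on the ingress rule first, then the routing table, then outbound NAT matched on the interface already chosen). Every address is constructed from the RFC 5737 documentation ranges and RFC 1918, the interface names `wan`/`ovpnc1` and the pushed route `198.51.100.0/24` are assumptions, and the "no return path" verdict for a packet that enters the tunnel untranslated is one plausible reading of the "just blocked" symptom, not something the thread confirms.

```python
"""Toy model of the forwarding path discussed in the thread (added example,
not pfSense code). Shows why an outbound NAT rule alone never changes where a
packet goes, why pulled routes sent the non-allowed hosts into the tunnel, and
why "Don't pull routes" + a LAN rule with the VPN gateway gives the wanted split."""
import ipaddress
from dataclasses import dataclass


def net(s):
    return ipaddress.ip_network(s, strict=False)


# Constructed addresses (RFC 5737 / RFC 1918); interface names are assumptions.
ANY = (net("0.0.0.0/0"),)
LAN_NET = (net("192.168.1.0/24"),)
ALLOWED_HOSTS = (net("192.168.1.10/32"), net("192.168.1.11/32"))          # alias allowed_hosts
TUNNEL_DESTINATIONS = (net("198.51.100.20/32"), net("198.51.100.21/32"))  # alias tunnel_destinations
IFACE_ADDR = {"wan": ipaddress.ip_address("203.0.113.10"),
              "ovpnc1": ipaddress.ip_address("10.8.0.2")}


@dataclass(frozen=True)
class Route:          # kernel routing table entry
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass(frozen=True)
class PolicyRule:     # LAN firewall rule with a gateway selected (pf "route-to")
    src: tuple
    dst: tuple
    route_to: str


@dataclass(frozen=True)
class NatRule:        # outbound NAT rule; translation = interface address
    iface: str
    src: tuple
    dst: tuple


def in_alias(addr, alias):
    return any(addr in n for n in alias)


def lookup_route(routes, dst):
    """Longest-prefix match; the default route guarantees a hit."""
    return max((r for r in routes if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen).iface


def forward(routes, policy, nat, src, dst):
    """Return (egress interface, source address on the wire, delivered?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. a matching policy rule on the ingress interface overrides the routing table
    egress = next((p.route_to for p in policy
                   if in_alias(src, p.src) and in_alias(dst, p.dst)), None)
    # 2. otherwise the routing table decides, pushed routes included
    if egress is None:
        egress = lookup_route(routes, dst)
    # 3. outbound NAT is matched on the egress already chosen; it rewrites the
    #    source but can never move the packet to another interface
    translated = any(n.iface == egress and in_alias(src, n.src) and in_alias(dst, n.dst)
                     for n in nat)
    new_src = IFACE_ADDR[egress] if translated else src
    # ASSUMPTION of the model: the Internet and the far end of the tunnel can only
    # reply to the firewall's own address on that link, never to a LAN host.
    delivered = new_src == IFACE_ADDR[egress]
    return egress, str(new_src), delivered


BASE_ROUTES = [Route(net("0.0.0.0/0"), "wan"), Route(net("192.168.1.0/24"), "lan")]
PUSHED = [Route(net("198.51.100.0/24"), "ovpnc1")]                # assumed pushed by the server
WAN_NAT = NatRule("wan", LAN_NET, ANY)                              # automatic LAN -> WAN rule
VPN_NAT = NatRule("ovpnc1", ALLOWED_HOSTS, TUNNEL_DESTINATIONS)    # the rule from the first post
HOSTS = ("192.168.1.10", "192.168.1.50")                            # allowed host, other host


def before_fix():
    """Pulled routes, the alias-restricted outbound NAT rule, no policy rule."""
    return {h: forward(BASE_ROUTES + PUSHED, [], [WAN_NAT, VPN_NAT], h, "198.51.100.20")
            for h in HOSTS}


def after_fix(restrict_nat=True):
    """'Don't pull routes' plus a LAN rule sending the alias pair to the VPN gateway.
    restrict_nat=False models the same NAT rule without source/destination aliases."""
    policy = [PolicyRule(ALLOWED_HOSTS, TUNNEL_DESTINATIONS, "ovpnc1")]
    vpn_nat = VPN_NAT if restrict_nat else NatRule("ovpnc1", ANY, ANY)
    return {h: forward(BASE_ROUTES, policy, [WAN_NAT, vpn_nat], h, "198.51.100.20")
            for h in HOSTS}


if __name__ == "__main__":
    for name, result in (("before", before_fix()), ("after", after_fix())):
        for host, (egress, new_src, ok) in result.items():
            print(f"{name:6} {host} -> 198.51.100.20 via {egress} as {new_src}: "
                  f"{'delivered' if ok else 'no return path'}")
```

In the "before" state the non-allowed host is still sent into the tunnel by the pushed route, the alias-restricted NAT rule does not match it, and it leaves with its LAN source, which is the model's reading of "just blocked". After the fix the routing table no longer knows the tunnel destinations, only the policy rule sends the allowed pair through `ovpnc1`, and everyone else takes the default route out of WAN; the result is the same whether or not the outbound NAT rule on the tunnel carries the aliases, which is viragomann's point that they are harmless but unnecessary.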
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.