Netgate Discussion Forum
    OpenVPN Client working, but other ports & VLANs now offline

Category: OpenVPN | 13 Posts | 4 Posters | 1.4k Views
pourts:

one more screenshot I forgot to add. [screenshot]
viragomann @pourts:

@pourts
What's your intention regarding the VPN client?
Routing all upstream traffic over the VPN or only specific sources?
pourts @viragomann:

@viragomann
Only route the traffic plugged into physical LAN port #1 (which is also VLAN 4081, because the Netgate 2100 is weird and the ports don't really exist unless they are VLANs).

Things plugged into LAN 2 through 4 (which are VLAN 4082-4084) I want to be routed normally without the VPN client.
viragomann @pourts:

@pourts
So you probably want to go with policy routing.

And 192.168.50.0/24 is your LAN, I guess, since you have an outbound NAT rule for it on the VPN interface?
With that you should at least have internet access from the LAN, shouldn't you?

To avoid OpenVPN changing the default route, you have to check "Don't pull routes" in the client settings.
pourts @viragomann:

@viragomann thank you for the help so far.

"Don't pull routes" was unselected. When I click that box, now everything outbound is dead. So, I think something is wrong with how my VPN client is set up.

My understanding is the following:
192.168.49.1 is the firewall hardware itself
192.168.50.XXX is for anything in VLAN 4081, which is physical port 1.
192.168.100.XXX is for anything in VLAN 4082, which is physical port 2.
192.168.150.XXX is for anything in VLAN 4083, which is physical port 3.
192.168.200.XXX is for anything in VLAN 4084, which is physical port 4.

Honestly I don't know the difference between LAN and my 4 VLANs. Do the 4 VLANs all combine into the LAN, then out to WAN?

I'm not trying to do anything very custom or complicated, this is just what was shown in the Netgate 2100 documentation and various Lawrence Systems tutorials on YouTube. Thank you all for helping me learn.
viragomann @pourts:

@pourts
"Don't pull routes" instructs pfSense not to add routes when the OpenVPN client connects. So everything should behave as if the client were disabled.

I'm not familiar with the switch configuration of the Netgate 2100. If you have trouble with it and want to get help, you should open a separate thread.
pourts @viragomann:

@viragomann
Perhaps I should restate the question:

I have a VLAN defined, but it cannot reach the internet. Any ideas what I have wrong? I followed the guide in the Netgate 2100 docs.

I have called it VLAN 4082 [screenshot]

Assigned that VLAN to physical port #2 [screenshot]

Created the VLAN interface. I have a Netgate 2100, so the only actual switches are mvneta0 (for WAN) and mvneta1 (for everything else). [screenshot]

VLAN interface assigned [screenshot]

VLAN interface details: [screenshot]

Firewall rules: [screenshot]

Outbound NAT for OPT2 (which is VLAN 4082, port #2) to WAN [screenshot]

DHCP server looks good: [screenshot]

Thanks in advance!
Bob.Dig (LAYER 8) @pourts:

@pourts Don't do manual outbound NAT, use hybrid instead. What is in floating rules?
pourts @Bob.Dig:

@bob-dig
Apologies... I was having problems with the Akismet spam filter.

I changed to Hybrid NAT.
No floating rules at all. Zero. Should I have some?
johnpoz (LAYER 8 Global Moderator) @pourts:

@pourts if you're not going to pull routes from the VPN client.. which to be honest is the better way, since now you can policy route specific clients or sure a whole VLAN out the VPN.. while your non-VPN clients would just use your normal ISP connection.

https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

And yes the hybrid outbound NAT is also a better option.. This way if you add new VLANs, they will auto get added, etc. All you have to worry about is your hybrid NAT for clients you want to send out the VPN via your policy route.

edit: here you go, see hybrid NAT that includes all my local networks, since they are all 192.168 addresses. I can then policy route anything I want out the VPN.

So see my normal IP, then I created a policy route for my .100 PC.. Then I went somewhere new, so a new state was created and it was routed out my VPN connection.

[screenshot: policyroute.jpg]

Just going to a different site for my public IP was easier than killing my machine's existing states..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
pourts @johnpoz:

@johnpoz Success! Thanks for the help. It took me a couple times to understand what was meant by policy routing, because "policy routing" isn't an option in any of the GUI menus.

Thanks for linking the chapter in the Docs about policy routing.
johnpoz (LAYER 8 Global Moderator) @pourts:

@pourts said in OpenVPN Client working, but other ports & VLANs now offline:

    because "policy routing" isn't an option in any of the GUI menus.

Sure it is ;) The gateway you want to send the traffic out of is policy routing ;)

Glad you got it sorted.

Hope you paid attention to the bypassing policy routing part in that section. Users always seem to fail to understand that if you force traffic out, say, a VPN gateway, it won't be able to get to your other VLANs/networks that are local. So you have to have a rule above your policy route rule that allows for the access you want locally.
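A constructed first-match simulation of the rule ordering johnpoz describes (an added illustration, not pfSense code or anything posted in the thread). It models the VLAN 4081 interface's rules with the thread's subnets; the gateway name VPN_GW and the rule names are assumptions. Without a bypass rule above the policy route, a packet from VLAN 4081 to VLAN 4082 is sent to the VPN gateway; with the bypass rule first, local destinations take the default route.

```python
import ipaddress

# Constructed from the subnets pourts listed: VLAN 4081 (port 1) is policy-routed
# out the VPN, the other VLANs stay on the normal WAN. VPN_GW is an assumed gateway name.
VPN_NET = ipaddress.ip_network("192.168.50.0/24")            # VLAN 4081
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.50.0/24", "192.168.100.0/24",                   # VLAN 4081, 4082
    "192.168.150.0/24", "192.168.200.0/24")]                 # VLAN 4083, 4084


def rule(name, src, dst, gateway):
    """A pfSense-style interface pass rule. src/dst are a list of networks or "any";
    gateway is "default" (normal routing table) or a named gateway (policy routing)."""
    return {"name": name, "src": src, "dst": dst, "gateway": gateway}


def _in_any(nets, ip):
    return nets == "any" or any(ip in n for n in nets)


def route(rules, src, dst):
    """Interface rules in pfSense are evaluated top-down, first match wins.
    Returns (matched rule name, gateway) or ("default deny", None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if _in_any(r["src"], src_ip) and _in_any(r["dst"], dst_ip):
            return r["name"], r["gateway"]
    return "default deny", None


# Only the policy route rule: every VLAN 4081 packet, even to VLAN 4082, goes to the VPN.
BROKEN = [
    rule("VLAN4081 -> VPN", [VPN_NET], "any", "VPN_GW"),
]

# Bypass rule first, so local destinations use the normal routing table,
# then the policy route rule for everything else (the ordering from the docs link above).
FIXED = [
    rule("VLAN4081 -> local nets (bypass)", [VPN_NET], LOCAL_NETS, "default"),
    rule("VLAN4081 -> VPN", [VPN_NET], "any", "VPN_GW"),
]

if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, "to VLAN 4082:", route(rules, "192.168.50.10", "192.168.100.20"))
        print(name, "to internet:", route(rules, "192.168.50.10", "203.0.113.7"))
```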
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.