I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?

stephenw10

If you followed a config guide for the VPN they might have had you remove the outbound NAT rule from the WAN to prevent traffic "leaking" that way. That would stop you bypassing the tunnel.

How are your interfaces configured?

Steve

Kilted1

@akuma1x
Well, not so much.
I want everything BUT certain sites to go out through the VPN.
I already (as stated above) set up an alias for the sites I want to have bypass the VPN.
I currently ONLY have my computer behind the pfsense until I can figure out how to make this work. That way when I find other things not working I can fix them as well without as much loss.

As for a "simple network setup," with the way the VPN setup went, I now have "WAN_DHCP" and SRUFSHARKVPN_VPNV4" for "Gateways" in the routing.

In the future (once I get this in place as my PRIMARY router) I think I will want to have a couple playstations bypass the VPN as well but, I need to know I can make that work before putting this in place.

As for current "LAN" rules, I have the default "anti-lockout" (so I don't block myself out of being able to log into my pfsense) / MY VPN bypass attempt rule / and the LAN net to VPN outbound rule.

And even rebooting the pfsense box didn't get it working either.
I have been (once the rule is saved and activated) restarting the openVPN client in the hopes that it would help it work.

Thank you for the response though!

Kilted1

@stephenw10
Thank YOU for responding as well!!!!

This link is the instructions I followed to set up my VPN connection.

Yes I DO know that it is for pfsense 2.4.4 and I am running 2.6.0 and there are differences (hence my comment about it being another battle that I did win) but, this is all the instructions that they had.

https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark

FYI, the ONLY rule under the "WAN" tab is the default "Block bogon networks" rule. I unchecked the "Block private networks" because it is currently behind my in place router to the internet. This way I still have access to my other stuff out passed pfsense (for now)>

akuma1x

@kilted1 The way you want your LAN rules is as follows:

1. anti-lockout rule (leave this one alone)
2. VPN specific rule (by source and/or destination)
3. Default LAN net to any rule

That's it, you only need 3 rules to accomplish this.

In the VPN specific rule, you can either set it up by source machines, like I said above, or you can set it up by destination hosts. Both of these methods can be by alias lists. In the future, you mention playstations, this would be a list of internal LAN IP aliases in the source field. To policy route for specific website hosts, you simply create an alias, pick the "host(s)" option, and list out the IP addresses or the FQDNs of the sites. Then, to finish this rule, you select your VPN service as the gateway and you're done. Keep in mind, lots of streaming sites work behind the scenes as a CDN, and are therefore hard to use in lists like this, since they have many internet addresses and/or website names.

So, as an example, in my pfsense, I have a list of computer aliases that I want to use a specific gateway (second WAN connection from Comcast) to access a list (alias) of websites thru that internet connection. I have a single LAN firewall rule with the source as an alias, and the destination also as an alias, and the gateway set to use my Comcast connection. Works perfect. You can swap gateways in my example with your virtual VPN gateway, or another real gateway, like a primary or secondary WAN connection. The traffic that is filtered by that firewall rule will then follow that path out the appropriate gateway.

Kilted1

@akuma1x
My current rules (under LAN tab) are:

1. anti-lockout
2. my VPN bypass attempt
3. Default allow LAN to any rule (routing everything out through the VPN).

I have my bypass attempt set up as:
Action = Pass
Interface = LAN
Address family = IPv4 (not currently using IPv6 at all)
Protocol = Any
Source = LAN net
Destination = "Single host or alias" using the alias I set up.
And "Gateway" = WAN_DHCP" ( I did try default as this gateway is listed as the default but, that didn't work either)

How should they be modified to work like the way that you listed?

I DO want ALL traffic except certain cites to go out through the VPN.

Sorry! I am still very new to this setup but trying to learn as fast as I can!

Not sure if it helps or not but, I set up the "alias" for "URLs" as the sites have multiple ip adresses and was hoping for the easiest fix to make this work.
Currently I only have two web sites in the alias as it wouldn't resolve the others I tried to add but, I'll fight with that more later once I can figure out how to make this work with the two I have. LOL

stephenw10

@kilted1 said in I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?:

https://support.surfshark.com/hc/en-us/articles/360010789259-How-to-set-up-pfSense-2-4-4-with-Surfshark

That's not terrible. Some VPN providers instructions are... bad!
They don't have you remove outbound NAT to the WAN so it will still work.

They do have you leave 'don't pull routes' unchecked so they are probably passing you a new default route when you connect.

None of that should stop the bypass rule working. It probably isn't matching. What do you have in the alias? How are you testing?

Steve

Kilted1

@stephenw10
I posted how I set up the alias above but, the two sites I have in it are Amazon and Bridgecomsystems.com.
Strangely, I just tried Amazon and it worked.
Bridgecom's site "mostly" works but, they do giveaways and they use "Gleam" for them??? Gleam still see's my IP address as coming from the vpn site instead of my home IP address. And Gleam refuses to accept the data center IP address.
That seems to me the my traffic to those sites (or at least the one) isn't working.
Yeah, this is rather specific to me but I'm hoping there is a way around it. I tried to "disable" the VPN out rule and lost ALL internet access so, that won't work.
I know it's got to be something simple and stupid otherwise, I probably would have won the battle already! LOL

stephenw10

@kilted1 said in I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?:

I set up the "alias" for "URLs" as the sites have multiple ip adresses and was hoping for the easiest fix to make this work.

You used URL aliases or you just entered URLs in the alias?

Just entering URLs can only work for small sites with fixed IPs. It cannot work for anything using a CDN like, for example, facebook, netflix, amazon, google etc.
To do that in any useful way you need to use IP lists or AS numbers directly. pfBlocker can do that and keep them updated. It's never 100% though.

Steve

Kilted1

@stephenw10
IF I read the Netgate Docs correctly, would a "URL Table" work?
From what I understand (from what I read about them), I would have to make a URL Table for each site (ie... Amazon or Bridgecom) and then a rule for each table. Is that correct?

Or would "pfblocker" be a better option?

Gertjan

@kilted1 said in I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?:

I would have to make a URL Table for each site (ie... Amazon or Bridgecom)

Now read again :

@stephenw10 said in I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?:

Just entering URLs can only work for small sites with fixed IPs. It cannot work for anything using a CDN like, for example, facebook, netflix, amazon, google etc.

Also read the pfSense documentation Aliases - see the very first Note.

Example : resolve amazon.com
You get a list with IPs :
*amazon.com has address 54.239.28.85
amazon.com has address 205.251.242.103
amazon.com has address 52.94.236.248

A couple of moment later, this list will change, as amzon uses a lot of IPs. They are swapping their servers in and out al the time (upgrading, load balancing etc).
So, no, you can't capture the big players with an URL or a list of IPs.
And for very understandable security and commercial reasons, amazon will not (like never) publish the entire list of IPs they can use.

stephenw10

Yes, you need to use an IP list or ASnumber. You can create those manually:
https://docs.netgate.com/pfsense/en/latest/recipes/block-websites.html#using-firewall-rules

But I would recommend using pfBlocker because it will create them automatically and keep them updated.

Steve

Kilted1

@stephenw10
I did download pfBlocker.
Looking in the available documentation it "says" that there is a way to "allow" traffic to a site but, in the settings I'm ONLY finding "block or reject" for options.

I'm trying to "allow" traffic to bypass my VPN, not "block" traffic to certain sites. Will this still work?
This is way more technical than I had hoped.
And reading through the material on it, has confused me more than I already was.

stephenw10

Set your list action as 'alias native' rather than block or reject. Then use that alias in your VPN bypass rule.

You probably want to use ASNumbers. You might need several dependiong on what you;re passing:

Steve

Kilted1

@stephenw10
Thank you for that and ALL of your help!

I was poking round though and came up with another question.
I remembered (I was reading in the book about the rules) about the vpn having me go into the NAT and selecting "Manual Outbound NAT rule generation.
(AON - Advanced Outbound NAT)"

Should I change that to the "Hybrid"?
With what I read, the manual setting completely ignores all of the auto generated rules and ONLY follows the manual one.
So to me that means, it's blocking every other access to the WAN that doesn't go through the VPN.

Am I correct or just confused? LOL

I do realize that I will probably end up learning and using the pfBlocker for the alias's but, I'm wondering if this one setting is the Bigger brick wall (LOL)?

stephenw10

When you switch Outbound NAT to manual mode the auto rules are converted to manual rules at that point. From there if you added a new internal subnet no new rules would be created, as they are in auto mode, you would have to add them yourself.
In the instructions you linked it does not have you remove the rules after changing the mode (unlike many other VPN providers) so the rules to allow traffic to be translated on the WAN directly should still be present.

Steve

Kilted1

@stephenw10
Again I thank you Sir!
That makes more sense than what I was thinking. I actually had hoped that was the case but, I've learned the hard way to be more pessimistic. LOL

I will have to dig into the pfBlocker and do a lot more reading and might end up with more questions later.
I did figure out how to basically shut down the vpn to get to one of the sites that I wanted. I copied the VPN rule but aimed it toward the WAN (with this new rule under the VPN rule) so, when I want to go to the site that I haven't been able to up to now, I disable the vpn rule and turn it back on once I'm done with that site.
Absolutely not my preferred method but, it's working for now until I can work through a better fix.
Now at least, I don't have to worry about putting this into service. I'll just keep working on a better work around.
Thank you everyone for all of your help!
Talk about a steep learning curve. LOL

Kilted1

@stephenw10 said in I am fighting this same issue in Pfsense 2.6.0 and losing the battle. Help?:

Set your list action as 'alias native' rather than block or reject. Then use that alias in your VPN bypass rule.

You probably want to use ASNumbers. You might need several dependiong on what you;re passing:

Steve

Steve,
I know this is a dumb question because I feel stupid right now but, where do I find those "ASN numbers" for pfblocker to make that list?
Thank you Sir!
Dale

stephenw10

Hmm, I think I just googled it. Like: https://asnlookup.com/organization/facebook/