VPN Policy Routing
-
Hi,
I am trying to implement policy routing for an ExpressVPN tunnel. It appears that many parts of my config are working except for the last part, the policy routing for a VLAN.
The setup is summarised as follows:
- OpenVPN tunnel to ExpressVPN
- Interface for ExpressVPN (OpenVPN)
- Gateway for ExpressVPN
- Interface for VLAN (125)
- Policy routing with FW rule pushing data through the ExpressVPN gateway
What appears to be working:
- OpenVPN tunnel to ExpressVPN is up
- I can traceroute from the OpenVPN tunnel to 1.1.1.1 (the ExpressVPN servers are visible)
- I can traceroute from the ExpressVPN interface to 1.1.1.1 (the ExpressVPN servers are visible)
- I can ping other parts of my local network from the VPN (125) network
- I can ping the OpenVPN IP given by ExpressVPN from my VPN (125) network
In summary, everything appears to be working except that I can't ping the internet from my VPN (125) network. Any suggestions would be appreciated.
Thanks
-
This looks fine:
Traffic is routed over to the ExpressVPN interface.
"VPN" is your VLAN 125 interface, right? This:
is not a good idea.
VPNEXPESSINTERFACE is like a WAN interface: there should be no rules on a WAN interface. You didn't show your Firewall > NAT > Outbound settings:
where you have selected "Hybrid Outbound NAT rule generation." and added your manual rule.
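What these three points come down to in pf terms, shown here as an added illustration and not as anything posted in this thread or generated by pfSense for this setup. The interface names (`igb0.125`, `ovpnc1`), the subnet 192.168.125.0/24, the firewall's VLAN address 192.168.125.1 and the tunnel gateway 10.8.0.1 are assumed placeholders; the DNS rule goes slightly beyond the post above and covers the resolver problem raised later in the thread:

```pf
# Added illustration of the pfSense GUI settings discussed above, written as
# plain pf syntax. Interface names, subnets and the gateway address are assumed.
# On pfSense the GUI generates the ruleset; this only shows what each GUI
# choice does.

vlan125      = "igb0.125"         # assumed: the "VPN" (VLAN 125) interface
expressvpn   = "ovpnc1"           # assumed: the OpenVPN client interface
vlan125_net  = "192.168.125.0/24" # assumed: VLAN 125 subnet
vlan125_addr = "192.168.125.1"    # assumed: pfSense's address on VLAN 125
expressvpn_gw = "10.8.0.1"        # assumed: gateway address pushed by the VPN server

# (3) Outbound NAT in "Hybrid" mode: the automatic WAN rules stay, and this
#     manual rule is added so traffic from VLAN 125 leaving the tunnel is
#     translated to the tunnel's own address. Without it packets enter the
#     tunnel with a private source address and the replies cannot come back.
#     In pf.conf translation rules must precede filter rules.
nat on $expressvpn inet from $vlan125_net to any -> ($expressvpn) port 1024:65535

# (1) Rules on the VLAN 125 interface. pfSense makes every user rule "quick",
#     so the first match wins and the order in the GUI matters.

# Let clients reach the firewall's own resolver on the VLAN address *without*
# route-to. If this sits below the catch-all rule, DNS queries are pushed into
# the tunnel and name resolution on the VLAN breaks.
pass in quick on $vlan125 inet proto { tcp udp } from $vlan125_net to $vlan125_addr port 53 keep state

# Policy-routing rule: everything else from VLAN 125 goes to the ExpressVPN
# gateway instead of the default route. This is the "Gateway" field under the
# rule's advanced options in the GUI.
pass in quick on $vlan125 inet from $vlan125_net to any route-to ($expressvpn $expressvpn_gw) keep state

# (2) No "pass in" rules on $expressvpn: it is a WAN-like interface, and only
#     reply traffic matching the states created above should come back in.
```

After changing any of these in the GUI, reload the filter and, for clients that already had a connection out via the normal WAN, reset states: an existing state keeps the route it was created with, so the new route-to rule only applies to new connections.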
-
And don't use manual outbound NAT, use hybrid.
-
@bob-dig
Yeah, right.
As shown in my image, select Hybrid and hit Save.
Then 'manually', enter your mapping. And Save.
-
Thank you all for your quick assistance.
@gertjan Yes, VPN interface is VLAN 125
Good advice .... all VPNEXPESSINTERFACE rules are deleted now. I have switched NAT to Hybrid, see manual rule attached.
I have tested after these changes. The traffic does not go through the ExpressVPN gateway; it goes via the normal WAN.
I deleted this FW rule on VPN interface just to make sure some other rule was not allowing traffic to pass...all traffic blocked.
Any suggestions?
-
@mgbolts said in VPN Policy Routing:
I deleted this FW rule on VPN interface just to make sure some other rule was not allowing traffic to pass...all traffic blocked.
Which rule exactly? Show us the rules again on that VPN interface, and does ping work via pfSense itself?
-
@bob-dig Thank you
Pls see below: VPN is the local 125 VLAN interface. The long ping is typical for an Aus>Switzerland VPN tunnel.
-
@mgbolts said in VPN Policy Routing:
Pls see below: VPN is the local 125 VLAN interface. The long ping is typical for an Aus>Switzerland VPN tunnel.
So it does work. What you have shown is the expected result, all three of them!
So what is not working you have to describe in much greater detail.
If I should guess, it would be that your clients on "vpn" don't have a working DNS configuration because you have not allowed it in the rules.
-
Whenever you edit anything related to (VPN) policy routing, do not forget to do a Status > Filter reload.
Or Diagnostics > States and reset all states (this will even disconnect you from the GUI).