Netgate Discussion Forum

    How to set up an interface-specific default gateway?

    Routing and Multi WAN
    networknotwork (last edited by networknotwork)

      I have two LAN interfaces, 192.168.2.1 and .31.1 on my pfSense VM, with VLAN ID 2 and 31, and two WAN interfaces, my ISP and an OpenVPN client.

      I've set the allow-any firewall rule on the .31 interface to use the OpenVPN interface as the gateway, and it works as expected: whatismyip.com shows the VPN IP address for clients on the .31 subnet. However, traffic originating from the pfSense box itself on .31.1 goes out over the WAN interface, as if it's bypassing the firewall rule.

      How do I redirect this traffic to the OpenVPN interface?

      In other words, the OpenVPN interface address should be the default gateway for the .31 interface. I can't use the push routes option in the OpenVPN client settings because I don't want all traffic going out over the VPN, only the .31 subnet.

      I found this out when I set up a SOCKS5 proxy that listens on 192.168.2.1:1080 with egress IP 192.168.31.1, and the proxied traffic goes out over my WAN, not my VPN. When I set the egress IP to the OpenVPN interface IP, it works as intended.

      viragomann @networknotwork

        @networknotwork
        The route of packets from pfSense itself follows only the default gateway setting. It doesn't obey any policy routing rule you've added to an interface, even if you use its IP as source, since this rule is only applied to incoming packets on that interface.

        So you would have to set the VPN gateway as default.
        Since this is not available before the VPN is established, create a gateway failover group and add the VPN as tier 1 and WAN as tier 2. Then set this as default.

        To avoid the VPN being used by the other LAN as well, you'll then have to policy-route its incoming traffic to the WAN gateway.

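To make the routing behaviour discussed in this thread concrete, here is an added Python model of the gateway decision (written for this page; it is not pfSense code and not from either poster). It shows why the asker's policy rule never applies to packets the firewall generates itself, and how the suggested failover group plus a WAN policy rule on the other LAN changes the outcome for each kind of traffic. The interface names vlan2/vlan31, the gateway names VPN_GW/WAN_GW and the sample client addresses are assumptions; the model does not cover a policy rule whose own gateway is down.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union
import ipaddress

# Interface and gateway names in this file are assumptions for the model,
# not pfSense identifiers.


@dataclass
class Packet:
    src: str                  # source IP of the packet
    in_iface: Optional[str]   # interface it arrived on; None = generated by the firewall itself


@dataclass
class PolicyRule:
    iface: str                # evaluated only for packets arriving on this interface
    src_net: str              # source network the rule matches, e.g. "192.168.31.0/24"
    gateway: str              # gateway matching traffic is routed to


@dataclass
class GatewayGroup:
    tiers: List[str]          # gateway names ordered by tier; first one that is up wins


Default = Union[str, GatewayGroup]


def resolve_default(default: Default, gateway_up: Dict[str, bool]) -> Optional[str]:
    """Resolve the default route: a plain gateway, or the first up member of a group."""
    if isinstance(default, GatewayGroup):
        for gw in default.tiers:
            if gateway_up.get(gw, False):
                return gw
        return None  # every member of the group is down
    return default


def select_gateway(pkt: Packet, rules: List[PolicyRule], default: Default,
                   gateway_up: Dict[str, bool]) -> Optional[str]:
    """Return the gateway the packet leaves through.

    Policy-routing rules are inbound rules bound to an interface, so they only
    match packets that arrived on that interface. A locally generated packet
    never traverses an inbound rule, whatever source address it carries, and
    therefore follows the default gateway only.
    """
    if pkt.in_iface is not None:
        src = ipaddress.ip_address(pkt.src)
        for rule in rules:
            if rule.iface == pkt.in_iface and src in ipaddress.ip_network(rule.src_net):
                return rule.gateway
    return resolve_default(default, gateway_up)


# Constructed sample packets covering the three cases discussed in the thread.
SAMPLES = {
    "client on vlan31": Packet("192.168.31.50", "vlan31"),
    "client on vlan2": Packet("192.168.2.50", "vlan2"),
    "pfSense itself, source 192.168.31.1": Packet("192.168.31.1", None),
}


def original_setup() -> Dict[str, Optional[str]]:
    """The asker's configuration: one policy rule on vlan31, WAN as a plain default."""
    rules = [PolicyRule("vlan31", "192.168.31.0/24", "VPN_GW")]
    up = {"VPN_GW": True, "WAN_GW": True}
    return {name: select_gateway(p, rules, "WAN_GW", up) for name, p in SAMPLES.items()}


def fixed_setup(vpn_up: bool) -> Dict[str, Optional[str]]:
    """The suggested fix: failover group (VPN tier 1, WAN tier 2) as the default,
    plus a policy rule pinning the other LAN's inbound traffic to WAN."""
    rules = [
        PolicyRule("vlan31", "192.168.31.0/24", "VPN_GW"),
        PolicyRule("vlan2", "192.168.2.0/24", "WAN_GW"),
    ]
    default = GatewayGroup(["VPN_GW", "WAN_GW"])
    up = {"VPN_GW": vpn_up, "WAN_GW": True}
    return {name: select_gateway(p, rules, default, up) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in (("original", original_setup()),
                          ("fixed, VPN up", fixed_setup(True)),
                          ("fixed, VPN down", fixed_setup(False))):
        print(label)
        for name, gw in result.items():
            print(f"  {name:40} -> {gw}")
```

Running the script prints the chosen gateway per case: in the original setup the firewall's own packet sourced from 192.168.31.1 goes to WAN_GW despite the vlan31 rule; with the failover group as default it goes to VPN_GW while the VPN is up and falls back to WAN_GW when it is down, and the vlan2 rule keeps that LAN's clients off the VPN.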
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.