Netgate Discussion Forum
How to bypass VPN for a specific IP range?

    8 Posts 3 Posters 4.1k Views
Live4soccer7:

I have a VPN setup on pfSense and it is routing ALL of my traffic as one would expect through the VPN. There are a few instances where I would like to bypass the VPN for a specific IP range or even individual IPs, whichever will work.

I followed this tutorial on setting it up: https://forum.pfsense.org/index.php?topic=76015.0

Can someone point me in the right direction on how to achieve this?
Live4soccer7:

I have found a way and it works, however it seems that I can only do a single IP at a time in the firewall rules. Is there a way for me to specify a range? For example, 192.168.1.2 through 192.168.1.99?

I've added a LAN Firewall Rule, chosen pass, advanced gateway and chose the WAN and NOT the VPN. I then chose single/host as the destination and input an IP address. This allowed it to pass by the VPN.
Derelict (LAYER 8 Netgate):

You are bypassing policy routing. That is completely normal:

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

Yes, you can bypass for ranges. Make an alias containing the IP addresses you want to bypass and use that alias as the source address in the firewall rule.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
Live4soccer7:

THANKS!! I ended up creating about 7-8 individual rules, but I may create an alias as you suggested to clean things up a bit.
Velcro:

I would strongly 2nd Derelict… make an alias! Super easy to do and more importantly super easy to maintain.
Live4soccer7:

Yup. That's what I did this morning. It was super easy. I created the alias and deleted the individual rules. Now I have a decent IP range that I can either statically assign clients or have the DHCP server give them IPs based on MAC address, which I have for about 7 items on the network right now.
Derelict (LAYER 8 Netgate):

Pro-tip: make things like this fall into a CIDR range so you can not only do it with an alias, but the alias can be simpler.

Like make your "special" devices addressed as 192.168.1.225 through 192.168.1.254. Then you can just use 192.168.1.224/27.

That makes a lot more sense than using, say, .100 - .150
Live4soccer7:

You've lost me now  ;D

I was just wondering last night what the significance of the suffix is - 24, 32, etc.
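As an added example (not from this thread or from pfSense itself), the Python below uses the standard `ipaddress` module to show why Derelict's CIDR advice matters and what the /24, /32 suffix means: it finds the smallest single block that contains a host range, how many extra addresses that block pulls in, how many alias entries an exact cover of a non-aligned range would need, and whether a packet's source IP would match the alias the way a firewall rule does. The 192.168.1.x ranges are the ones quoted in the thread; the sample values are constructed.

```python
import ipaddress
from typing import List


def addresses_in_prefix(prefix_len: int) -> int:
    """Number of IPv4 addresses a /prefix_len block spans (/32 = 1, /24 = 256)."""
    return 2 ** (32 - prefix_len)


def exact_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Minimal list of CIDR blocks covering exactly first..last and nothing more."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def smallest_single_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains the whole range.

    It may include a few extra addresses (for example the network and
    broadcast addresses), which is harmless in a firewall alias.
    """
    last_ip = ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/32")
    while last_ip not in net:
        net = net.supernet()  # widen the mask one bit at a time until the range fits
    return net


def extra_addresses(first: str, last: str) -> int:
    """How many addresses outside first..last the single block also covers."""
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return smallest_single_block(first, last).num_addresses - wanted


def matches_alias(source_ip: str, alias_entries: List[str]) -> bool:
    """Would a rule whose source is this alias match a packet from source_ip?"""
    ip = ipaddress.ip_address(source_ip)
    # strict=False lets plain host entries and unaligned networks both work
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in alias_entries)


if __name__ == "__main__":
    # Constructed sample ranges: the aligned one Derelict suggested vs. .100-.150
    for first, last in (("192.168.1.225", "192.168.1.254"),
                        ("192.168.1.100", "192.168.1.150")):
        block = smallest_single_block(first, last)
        print(f"{first}-{last}: single block {block} "
              f"({extra_addresses(first, last)} extra addresses), "
              f"exact cover needs {len(exact_blocks(first, last))} alias entries")
    print("192.168.1.230 bypasses the VPN:",
          matches_alias("192.168.1.230", ["192.168.1.224/27"]))
```

The .225-.254 range fits in 192.168.1.224/27 with only .224 and .255 as extras, while .100-.150 needs seven separate entries or else the whole /24.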