Netgate Discussion Forum
    Multi-WAN, OpenVPN, and routes/iroutes

Derelict (LAYER 8, Netgate):

      I was hoping to be able to control what networks my OpenVPN clients routed back over the VPN by pushing routes to them from the server config.

      This works until a client has Multi-WAN.

With Multi-WAN (a gateway group defined as the gateway on LAN rules), the negate_networks alias is only populated with the networks listed in the client OpenVPN config under IPv4 Remote Network/s. Any routes pushed to the client by the server, but not specifically configured as a remote network in the client, are routed out the gateway group and not over OpenVPN, even though the proper route to the OpenVPN instance (i.e. ovpnc1) exists.

      Did my testing on 2.1.5.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

Derelict (LAYER 8, Netgate):

        This is a known limitation, huh.

        https://doc.pfsense.org/index.php/Multi-WAN_2.0#Policy_Route_Negation

        I guess a reasonable practice would be to always define at least a management network in IPv4 Remote Networks on your client so you can get in and add other networks if you have to go Multi-WAN on the client side.

Something like this also seems reasonable and seems to work (screenshots aren't uploading):

LAN rules, in evaluation order:

Proto   Source    Port  Destination  Port  Gateway   Queue  Schedule  Description
IPv4 *  LAN net   *     RFC1918      *     *         none             Add private destinations to negate for VPN traffic
IPv4 *  LAN net   *     *            *     WANGROUP  none             Default allow LAN to any rule


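The rule ordering above is the whole point: pfSense evaluates LAN rules first-match, a rule whose gateway is the default ("*") hands the packet to the system routing table, and a rule with a gateway group bypasses the routing table entirely. The following model is an added example, not pfSense code and not from the poster; it reproduces that evaluation so the failure from the first post and the effect of the negation rule can be checked side by side. The pushed VPN route 10.20.0.0/16, the interface names ovpnc1 and wan1, and the test addresses are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two LAN rules from the post, in the order pfSense
# evaluates them (first match wins). gateway=None stands for the "*" column
# (default gateway: no policy routing, the system routing table decides);
# "WANGROUP" stands for the Multi-WAN gateway group.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

RULES = [
    {"dst": RFC1918, "gateway": None,
     "desc": "Add private destinations to negate for VPN traffic"},
    {"dst": [ip_network("0.0.0.0/0")], "gateway": "WANGROUP",
     "desc": "Default allow LAN to any rule"},
]

# Constructed system routing table: one route pushed by the OpenVPN server
# (not listed under IPv4 Remote Network/s on the client, so it never lands in
# negate_networks) plus the default route. Names are assumptions.
ROUTES = [
    (ip_network("10.20.0.0/16"), "ovpnc1"),
    (ip_network("0.0.0.0/0"), "wan1"),
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the system routing table."""
    addr = ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen)
    return best[1]


def egress_for(dst, rules=RULES, routes=ROUTES):
    """Interface or gateway a LAN packet to dst leaves through."""
    addr = ip_address(dst)
    for rule in rules:
        if any(addr in net for net in rule["dst"]):
            if rule["gateway"] is None:
                return route_lookup(dst, routes)  # follow the routing table
            return rule["gateway"]                # policy-routed, table ignored
    return "blocked"  # no matching pass rule: default deny


if __name__ == "__main__":
    # Negation rule first: the pushed VPN route is honoured.
    print(egress_for("10.20.1.5"))                   # ovpnc1
    # Public destinations still use the gateway group.
    print(egress_for("8.8.8.8"))                     # WANGROUP
    # Only the gateway-group rule: the behaviour described in the first post.
    print(egress_for("10.20.1.5", rules=RULES[1:]))  # WANGROUP
    # Caveat: a private destination with no specific route now takes the
    # system default route instead of the gateway group.
    print(egress_for("192.168.50.9"))                # wan1
```

The last case is the trade-off of negating all of RFC1918 rather than just the VPN networks: anything private that is not in the routing table falls back to the single default route, so it loses Multi-WAN failover and load balancing.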