[solved] traffic in VLAN not routed to default GW unless set as GW in FW rule
-
Hi everybody,
I set up two VLANs on the LAN interface.
VLAN1 should be used for the common internet traffic (WAN_PPPoE), VLAN2 for an OpenVPN connection.
WAN_PPPoE is set as the default gateway.
Now I have the problem that traffic in VLAN1 is not routed to WAN unless WAN_PPPoE is set as the gateway in a firewall rule.
What can I check to ensure the default route is working correctly? Actually I don't want to set up a static route (or is this needed?).
Kind Regards,
Paul
-
To verify, check the 0.0.0.0 route in Diagnostics -> Routes.
Is the OpenVPN connection from one of the popular VPN providers?
If yes:
- check route-nopull in the VPN client configuration page.
- assign an interface to your OpenVPN connection (using Interfaces -> Assign, then enable the interface, but leave everything blank). You should now have a gateway for DSL & VPN. The default one will apply when none is specified.
-
Thanks for the hint, you are right, the problem is directly related to the OpenVPN client / 2nd gateway.
When I stop the OpenVPN service, I get the old state back.
I will try around and respond later :)
-
I don't know what's wrong.
I followed those guides:
https://doc.pfsense.org/Create-OpenVPN-client-to-TUVPNcom.pdf
http://www.ibvpn.com/billing/knowledgebase/63/OpenVPN-setup-on-pfSense-firewall.html
Immediately when the OpenVPN client connects, this route is added to the routing table:
0.0.0.0/1 -> "vpn ip"
route-nopull is set.
-
Could you post some screenshots of the client configuration page (blank out the irrelevant sensitive stuff)?
Also, are you running a fairly recent version?
-
Thanks for your help, here are screenshots of:
- global interface configuration
- interface VLAN1
- interface VLAN2
- FW rules VLAN1
- FW rules VLAN2
- NAT rules
- OpenVPN configuration
I'm running the latest stable 2.2.6 version.
The FW rule screenshot still has the gateway set, otherwise I couldn't access the internet.
Additional openvpn parameters:
resolv-retry infinite redirect-gateway def1 persist-key persist-tun cipher AES-256-CBC auth MD5 keepalive 5 60 ping-timer-rem explicit-exit-notify 2 script-security 2 remote-cert-tls server route-delay 5 tun-mtu 1500 fragment 1300 mssfix 1300 verb 4 comp-lzo
-
Tried removing "redirect-gateway def1" ?
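An added example (not from this thread or from pfSense) that simulates why the 0.0.0.0/1 route the poster saw wins over the 0.0.0.0/0 default route, and why a firewall rule with an explicit gateway worked around it. It assumes the standard behaviour of redirect-gateway def1 (two /1 routes covering all of IPv4); the gateway addresses are placeholders.

```python
import ipaddress

# Constructed routing table modelled on the thread: a default route via the
# PPPoE WAN gateway, plus the two /1 routes that OpenVPN's "redirect-gateway def1"
# installs when the client connects. Addresses are placeholders, not the poster's.
WAN_GW = "203.0.113.1"   # WAN_PPPoE gateway (placeholder)
VPN_GW = "10.8.0.1"      # the "vpn ip" from the thread (placeholder)


def routing_table(vpn_connected: bool):
    """Return (prefix, gateway) entries as the kernel would hold them."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), WAN_GW)]
    if vpn_connected:
        # def1 does not remove the default route; it adds two more-specific
        # halves that together cover the whole IPv4 space.
        table += [(ipaddress.ip_network("0.0.0.0/1"), VPN_GW),
                  (ipaddress.ip_network("128.0.0.0/1"), VPN_GW)]
    return table


def lookup(dst: str, table) -> str:
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = max((net for net, _ in table if addr in net),
               key=lambda n: n.prefixlen)
    return next(gw for net, gw in table if net == best)


def next_hop(dst: str, vpn_connected: bool, policy_gateway: str = None) -> str:
    """Policy routing (a firewall rule with an explicit gateway) bypasses the
    routing table entirely, which is why the poster's rule "fixed" VLAN1."""
    if policy_gateway:
        return policy_gateway
    return lookup(dst, routing_table(vpn_connected))


if __name__ == "__main__":
    for vpn in (False, True):
        print(f"VPN up={vpn}: 8.8.8.8 via {next_hop('8.8.8.8', vpn)}")
    print("with FW rule gateway:", next_hop("8.8.8.8", True, WAN_GW))
```

With the VPN up, every destination falls into one of the /1 halves, so nothing uses the default route unless a rule forces the WAN gateway.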
-
It seems like I couldn't see the wood for the trees ::).
Thank you very much for the help.
I marked the thread as solved.
-
:)
Glad you got it sorted.