Netgate Discussion Forum

    [solved] traffic in VLAN not routed to default GW unless set as GW in FW rule

      Banane

      Hi everybody,

      I set up two VLANs on the LAN interface.

      VLAN1 should be used for the common internet traffic (WAN_PPPoE), VLAN2 for an openvpn-connection.

      WAN_PPPoE is set as the default gateway

      Now I have the problem that traffic in VLAN1 is not routed to WAN unless WAN_PPPoE is set as the gateway in a firewall rule.

      What can I check to ensure the default route is working correctly? Actually I don't want to set up a static route (or is this needed?)

      Kind Regards,
      Paul

        heper

        To verify, check the 0.0.0.0 route in Diagnostics -> Routes.

        Is the openvpn connection from one of the popular vpn providers?
        If yes:
        - check route-nopull in the vpn client configuration page.
        - assign an interface to your openvpn connection (using interfaces->assign, then enable the interface, but leave everything blank)

        You should now have a gateway for dsl & vpn. The default one will apply when none is specified.

          Banane

          Thanks for the hint, you are right, the problem is directly related to the openvpn client / 2nd gateway.

          When I stop the openvpn service, I got back the old state.

          I will try around and respond later :)

            Banane

            I don't know what's wrong.

            I followed those guides:

            https://doc.pfsense.org/Create-OpenVPN-client-to-TUVPNcom.pdf
            http://www.ibvpn.com/billing/knowledgebase/63/OpenVPN-setup-on-pfSense-firewall.html

            Immediately when the openvpn client connects, this route is added to the routing table:

            0.0.0.0/1  -> "vpn ip"

            route-nopull is set.

              heper

              Could you post some screenshots of the client configuration page (blank out the irrelevant sensitive stuff)?

              Also, are you running a fairly recent version?

                Banane

                Thanks for your help, here are screenshots of:

                • global interface configuration
                • interface VLAN1
                • interface VLAN2
                • FW rules VLAN 1
                • FW rules VLAN 2
                • NAT rules
                • OPVPN configuration

                I'm running the latest stable 2.2.6 version.

                The fw rule screenshot still has the gateway set, otherwise I couldn't access the internet.

                Additional openvpn parameters:

                
                resolv-retry infinite 
                redirect-gateway def1
                persist-key
                persist-tun
                cipher AES-256-CBC
                auth MD5
                keepalive 5 60
                ping-timer-rem
                explicit-exit-notify 2
                script-security 2
                remote-cert-tls server
                route-delay 5
                tun-mtu 1500 
                fragment 1300
                mssfix 1300
                verb 4
                comp-lzo
                
                

                  heper

                  Tried removing "redirect-gateway def1"?

                    Banane

                    It seems like I couldn't see the wood for the trees ::).

                    Thank you very much for the help.

                    I marked the thread as solved

                      heper

                      :)
                      glad you got it sorted

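Why removing `redirect-gateway def1` resolved this, as an added example that is not part of the original thread: the option installs 0.0.0.0/1 and 128.0.0.0/1 via the VPN, and those win over the 0.0.0.0/0 default by longest-prefix match even with route-nopull set. The function names, the `VPN_GW` placeholder and the sample options are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: a subset of the options posted above, plus route-nopull
# (which the poster had enabled). VPN_GW is a placeholder gateway name.
SAMPLE_OPTIONS = """\
route-nopull
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
"""

def routes_from_options(options, vpn_gw="VPN_GW"):
    """Routes that locally configured options add once the tunnel is up.

    route-nopull only discards routes pushed by the server, so it has no
    effect on a redirect-gateway line in the client's own options.
    """
    routes = []
    for line in options.splitlines():
        words = line.split("#", 1)[0].split()
        if not words or words[0] != "redirect-gateway":
            continue
        if "def1" in words[1:]:
            # def1 keeps 0.0.0.0/0 and adds two more-specific halves.
            routes += [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]
        else:
            # Without def1 the default route itself is replaced.
            routes.append(("0.0.0.0/0", vpn_gw))
    return routes

def effective_table(options, default_gw="WAN_PPPoE"):
    """Routing table as prefix -> gateway; a later same-prefix route wins."""
    table = {"0.0.0.0/0": default_gw}
    table.update(routes_from_options(options))
    return table

def next_hop(table, dest):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in table.items()
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

if __name__ == "__main__":
    for opts in (SAMPLE_OPTIONS, SAMPLE_OPTIONS.replace("redirect-gateway def1\n", "")):
        print(next_hop(effective_table(opts), "8.8.8.8"))
```

A firewall rule with an explicit gateway policy-routes the matching traffic and bypasses this table lookup, which is why setting WAN_PPPoE in the rule worked as a workaround.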