How to let ONLY ONE interface use VPN?
-
If you disable outbound NAT on an interface you disable outbound NAT on an interface. If you need outbound NAT on that interface that breaks it. Why is this surprising?
-
Post what you have done. Far easier than trying to guess.
As my configuration is now, I have an OpenVPN client configured per the link in the original post.
I have hybrid outbound NAT rules (manual rules configured for VPN interface).
My firewall rules on the interface do not currently specify a gateway as it was not working when I specified WAN gateway.
I have no gateway groups configured and do not have "don't pull routes" selected.
In this configuration all interfaces work but all interfaces also route all traffic through the VPN.
-
Screen shots. Real data. Not interested in what you think you have done. Interested in what you have done.
Get your stuff into a mode where you THINK it should be working and post it.
Oh, and this: https://forum.pfsense.org/index.php?topic=120295.0
-
If you disable outbound NAT on an interface you disable outbound NAT on an interface. If you need outbound NAT on that interface that breaks it. Why is this surprising?
Well this is all new to me but it surprised me because the automatic outbound NAT rules still included the subnet on the WAN interface, all I was doing was disabling the outbound NAT rule for the VPN interface (since I don't want that subnet to use the VPN). So I thought that by doing that it would simply use the WAN and skip the VPN.
I posted a picture as to what I'm talking about. I blacked out everything but the rules for the subnet I'm trying to bypass the VPN with. The top rules under mappings are the ones I was disabling. I thought that since the subnet was included under the bottom automatic rules that it would still NAT over the WAN interface?
-
It DOES NOT MATTER what subnets are included in outbound NAT rules. They only have an effect when traffic IS ROUTED OUT THAT INTERFACE by policy routing or the routing table. They DO NOT have ANY bearing on what traffic goes where. Only what NAT is performed when traffic flows that way.
-
Screen shots. Real data. Not interested in what you think you have done. Interested in what you have done.
Get your stuff into a mode where you THINK it should be working and post it.
Oh, and this: https://forum.pfsense.org/index.php?topic=120295.0
Here are some more screens of what I have. The Outbound NAT rules in the top mappings section of the other screenshot I posted are currently disabled.
This is what I thought would work, but no internet routes on the interface that I want to bypass the VPN in this configuration. I get a "this site took too long to respond" error.
-
It DOES NOT MATTER what subnets are included in outbound NAT rules. They only have an effect when traffic IS ROUTED OUT THAT INTERFACE by policy routing or the routing table. They DO NOT have ANY bearing on what traffic goes where. Only what NAT is performed when traffic flows that way.
So would this mean that I can disable those manual outbound NAT rules safely (as they aren't ever going to do anything that I want), and then policy route all traffic on the interface I want to bypass the VPN to my WAN interface (and the automatic outbound NAT rules would handle the NAT through WAN)?
If I understood that correctly then it sounds like my issue is that I'm not correctly doing policy routing? I've tried adding my WAN interface as the gateway on all of my rules on my "GUEST" interface (the one I want to bypass VPN), but then the internet simply doesn't work.
-
Your pass rule passing traffic to NETWAN is TCP-only. That is almost certainly not what you want. Try protocol any there.
I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?
Traffic to your Outgoing Ports will go out the default gateway, not the VPN.
-
Your pass rule passing traffic to NETWAN is TCP-only. That is almost certainly not what you want. Try protocol any there.
I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?
Traffic to your Outgoing Ports will go out the default gateway, not the VPN.
I rearranged it like this applied and reset state tables but am still getting the same error?
-
I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?
I don't want anything on this interface to go through the PIAVPN gateway, I want everything on this interface to completely bypass the VPN.
Currently everything goes through PIAVPN Gateway (or doesn't work at all). I haven't needed to use any policy routing for it to work that way, everything just goes through the VPN.
-
Be more specific. What error? Exactly what are you trying to connect to from where?
It matters what DNS servers your clients are being told to use.
Enable DON'T PULL ROUTES in the OpenVPN Client Config.
It is usually better to route the traffic you want to go over the VPN over the VPN, not route the traffic you don't the other way.
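As an added illustration, not taken from this thread or from pfSense's own generated ruleset, the following pf.conf fragment shows the three points made above: outbound NAT only applies to traffic already leaving an interface, a TCP-only pass rule policy-routes nothing but TCP, and with "Don't pull routes" enabled the only traffic that reaches the tunnel is what a route-to rule sends there. Interface names, subnets and the tunnel gateway address are assumed placeholders.

```pf
# Constructed example in pf.conf syntax; pfSense builds equivalent rules from
# the GUI. All names, subnets and addresses below are placeholders.
wan_if    = "em0"
lan_if    = "em1"
guest_if  = "em2"
vpn_if    = "ovpnc1"          # OpenVPN client tunnel interface
vpn_gw    = "10.8.0.1"        # tunnel peer, the PIAVPN_GW equivalent
lan_net   = "192.168.1.0/24"  # interface that should use the VPN
guest_net = "192.168.2.0/24"  # interface that should bypass the VPN

# Outbound NAT. "nat on <if>" only fires for packets that are already leaving
# through that interface; it never decides WHICH interface a packet leaves on.
nat on $wan_if inet from { $lan_net, $guest_net } to any -> ($wan_if)
nat on $vpn_if inet from $lan_net to any -> ($vpn_if)

# Keep local destinations (other local subnets and the firewall's own LAN
# address, e.g. its DNS resolver) off the tunnel: no route-to on this rule.
pass in quick on $lan_if inet from $lan_net to { $lan_net, $guest_net } keep state

# Policy routing on LAN: route-to overrides the routing table for matching
# traffic. With "Don't pull routes" set on the OpenVPN client, this rule is the
# only thing sending LAN out the tunnel; the default route stays on WAN.
# No "proto tcp" here: a TCP-only rule would leave UDP (DNS) and ICMP on WAN.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $lan_net to any keep state

# GUEST has no route-to, so it follows the routing table (default gateway = WAN)
# and therefore matches the WAN NAT rule above. Enabling or disabling a VPN NAT
# rule for GUEST changes nothing, because GUEST traffic never leaves via $vpn_if.
pass in quick on $guest_if inet from $guest_net to any keep state
```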
-
Be more specific. What error? Exactly what are you trying to connect to from where?
It matters what DNS servers your clients are being told to use.
Enable DON'T PULL ROUTES in the OpenVPN Client Config.
It is usually better to route the traffic you want to go over the VPN over the VPN, not route the traffic you don't the other way.
I tried enabling don't pull routes. That kills the internet on both of my interfaces. It gives an identical "too long to respond" error on both interfaces.
I attached pictures of the error and the DNS server settings.
-
It is usually better to route the traffic you want to go over the VPN over the VPN, not route the traffic you don't the other way.
I would prefer that as well. The guide that I used to configure my VPN on pfsense just routes everything through the VPN.
-
Be more specific. What error? Exactly what are you trying to connect to from where?
On the "networkGUEST" interface there is a Wifi AP. I'm just testing connectivity using a laptop connected to that wifi network by going to websites and checking to see if programs are able to use the internet (i.e. cloud programs, AV, etc.).
-
I tried enabling don't pull routes. That kills the internet on both of my interfaces. It gives an identical "too long to respond" error on both interfaces.
No idea what you've done then. Your WAN_GW should be marked as the default gateway. Disabling redirect gateway on the VPN client should not impact WAN at all.
Love these internet walkthroughs.
Learn how to troubleshoot exactly what is broken using ping, dig/drill, telnet, etc. If you can identify exactly what is failing, maybe there's a chance at getting some forum help.
https://doc.pfsense.org/index.php/Connectivity_Troubleshooting
Oh, and again, there's a hangout on Connectivity Troubleshooting too: https://portal.pfsense.org/webcasts/index.php?video=172174964
Wired, wireless, doesn't matter. Those aren't specifics.
-
WAN Gateway is marked as default.
I don't have a membership for that video.
-
Maybe that should be remedied. They really do cover everything you're trying to do.
-
I have posted a Bounty for this https://forum.pfsense.org/index.php?topic=120371.msg665710#msg665710, so I'm willing to pay for the solution. But would prefer to pay someone that can remedy my problem specifically, instead of paying for access to a video that may or may not help solve my specific problem.
If you're willing let me know what you feel a reasonable price is and I would be happy to open up a TeamViewer screenshare for you or provide you screenshots of whatever you like to solve the problem (if I can afford you).
-
Any takers?
-
I've now got policy based routing kind of working.
I turned on don't pull routes and put a pass any rule at the top of my rules on LAN that selects the VPN interface, that successfully has the internet working and using the VPN IP, but now my DNS is leaking. Not really a big deal to me but I don't know why? I've entered my VPN providers DNS Servers both in general setup for the VPN Interface and under the DHCP servers. But now dnsleaktest shows my ISP DNS, why?
But my other interface (Guest interface) that I don't want to access the VPN still doesn't work. Regardless of whether I set an allow any rule at the top of the rules for default gateway (WAN) or explicitly set it as WAN.
Changing the LAN rule to use the WAN gateway also breaks the internet on that interface. Both gateways are showing UP.
What's going on, again I'm willing to pay a reasonable bounty for this. I just want it fixed and not be dealing with it anymore.
Can open up a TeamViewer screenshare to make it quick and easy for you.