Policy based routing and VPN again
-
That's what I thought, but what about port forwarding, everything coming in through the vpn is trying to go back out the WAN, but the device can ping out through the VPN without a problem, all traffic originating from the device is going through the VPN tunnel as expected, but if the traffic is initiated from VPN, it tries to go back out the WAN.
There are no entries in the negate_networks.
In the rules.debug gateways are set, and assigned to my two rules in the $LAN, and the 2 rules: Everything for the 2 devices is configured for going out the vpn. Ideas?

```
pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
block in log quick on $LAN inet from $transmission to any tracker 1493864751 label "USER_RULE"
pass in quick on $LAN inet proto tcp from any to 192.168.0.1 port 8080 tracker 1478203523 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $LAN inet from any to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $AIRVPN $GWAirVPN inet proto { tcp udp } from any to 192.168.0.47 port 58910 tracker 1493878657 keep state label "USER_RULE: NAT Transmission The Mixing Bowl"
pass in quick on $AIRVPN $GWAirVPN inet proto { tcp udp } from any to 192.168.0.44 port 57695 tracker 1493878050 keep state label "USER_RULE: NAT Transmission Radarr/Sonarr"
pass in quick on $AIRVPN reply-to ( ovpnc3 10.4.10.131 ) inet from any to any tracker 1493886673 keep state label "USER_RULE"
```
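An added example, not from this thread, that parses the rules.debug excerpt above and reports for each rule which direction of the state has its routing pinned. It assumes the rule shape shown in this post and that a $GW macro in pfSense's rules.debug expands to a route-to clause; the regex is a deliberately narrow parser for that shape, not a general pf grammar.

```python
import re

# Constructed sample input: the rules.debug excerpt from the post, one rule per line.
RULES_DEBUG = """\
pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
block in log quick on $LAN inet from $transmission to any tracker 1493864751 label "USER_RULE"
pass in quick on $LAN inet proto tcp from any to 192.168.0.1 port 8080 tracker 1478203523 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $LAN inet from any to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $AIRVPN $GWAirVPN inet proto { tcp udp } from any to 192.168.0.47 port 58910 tracker 1493878657 keep state label "USER_RULE: NAT Transmission The Mixing Bowl"
pass in quick on $AIRVPN $GWAirVPN inet proto { tcp udp } from any to 192.168.0.44 port 57695 tracker 1493878050 keep state label "USER_RULE: NAT Transmission Radarr/Sonarr"
pass in quick on $AIRVPN reply-to ( ovpnc3 10.4.10.131 ) inet from any to any tracker 1493886673 keep state label "USER_RULE"
"""

# Fields pulled from each pfSense-generated rule (assumed shape: as in the post above).
# A $GW... macro on a rule is assumed to be pfSense's route-to clause; reply-to is literal.
RULE_RE = re.compile(
    r'^(?P<action>pass|block)\s+in(?:\s+log)?\s+quick\s+on\s+(?P<iface>\$\w+)'
    r'(?:\s+(?P<gw>\$GW\w+))?'
    r'(?:\s+reply-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\s*\))?'
    r'\s+inet\b.*?\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+port\s+(?P<port>\d+))?.*?\btracker\s+(?P<tracker>\d+)'
)

def parse_rules(text):
    """Parse rules.debug lines into dicts; lines that are not pass/block rules are skipped."""
    return [m.groupdict() for m in (RULE_RE.match(l.strip()) for l in text.splitlines()) if m]

def reply_path(rule):
    """How pf routes the reply direction of a state created by this rule.
    reply-to pins replies to an interface/next hop; route-to only steers packets
    travelling in the rule's own direction, so replies fall back to the routing table."""
    if rule['rt_if']:
        return 'reply-to %s %s' % (rule['rt_if'], rule['rt_gw'])
    if rule['gw']:
        return 'routing table (route-to %s steers only the inbound direction)' % rule['gw']
    return 'routing table (default route)'

def inbound_without_reply_to(rules, iface):
    """Trackers of pass rules on iface whose replies are not pinned back to that interface."""
    return [r['tracker'] for r in rules
            if r['action'] == 'pass' and r['iface'] == iface and not r['rt_if']]

if __name__ == '__main__':
    rules = parse_rules(RULES_DEBUG)
    for r in rules:
        print(r['tracker'], r['iface'], r['dst'], r['port'] or '-', '=>', reply_path(r))
    print('replies not pinned on $AIRVPN:', inbound_without_reply_to(rules, '$AIRVPN'))
```

Run it against a real rules.debug by replacing the constructed string; the listing shows which VPN-interface rules rely on the routing table for their return traffic.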
-
tl;dr.
To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care with the order. Don't forget that as soon as a rule matches, it will be applied.
Connections initiated from outside will not pass to the network as long as you don't NAT them. Connections initiated from inside will go through that gateway as long as they are initiated from one IP in that alias.
-
"everything coming in through the vpn is trying to go back out the WAN"
Well then sounds like your issue is on the remote side..
-
> tl;dr.
> To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care with the order. Don't forget that as soon as a rule matches, it will be applied.
> Connections initiated from outside will not pass to the network as long as you don't NAT them. Connections initiated from inside will go through that gateway as long as they are initiated from one IP in that alias.
Word for word, my config says that's what I'm doing
pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
"$transmission" is myAlias table list of hosts that are supposed to use the "$GWAirVPN" gateway on "$LAN" as the FIRST rule.
When someone says
> To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care with the order. Don't forget that as soon as a rule matches, it will be applied.
Am I not doing that? I'm confused, as I thought that's what I was doing. I must be missing something.
> "everything coming in through the vpn is trying to go back out the WAN"
> Well then sounds like your issue is on the remote side..
How could this be on the Remote side? Just like the other topic with a similar issue, this is a VPN service. If I set my default gateway to that of the VPN service, all port forwarding responses and initiated traffic goes through the VPN as one would assume should work.
-
> > tl;dr.
> > To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care with the order. Don't forget that as soon as a rule matches, it will be applied.
> > Connections initiated from outside will not pass to the network as long as you don't NAT them. Connections initiated from inside will go through that gateway as long as they are initiated from one IP in that alias.
> Word for word, my config says that's what I'm doing
> pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
> "$transmission" is myAlias table list of hosts that are supposed to use the "$GWAirVPN" gateway on "$LAN" as the FIRST rule.
> When someone says
> > To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care with the order. Don't forget that as soon as a rule matches, it will be applied.
> Am I not doing that? I'm confused, as I thought that's what I was doing. I must be missing something.
Well… to be fair, I did put tl;dr there didn't I? ;)
Can you post the GUI rule?
-
That tl;dr was too far up, I typically skip to the bottom to see if it was there. bleh.
![Screenshot from 2017-05-26 09-07-54.png](/public/imported_attachments/1/Screenshot from 2017-05-26 09-07-54.png)
-
Seems ok to me. Do you have NAT rules (port forward to inside ip) also?
-
Added an allow rule to see if that would help, not like the results make sense anyways.
![Screenshot from 2017-05-26 09-48-46.png](/public/imported_attachments/1/Screenshot from 2017-05-26 09-48-46.png)
-
Post a pic of your NAT rules.
-
Simple stuff
![Screenshot from 2017-05-26 13-11-18.png](/public/imported_attachments/1/Screenshot from 2017-05-26 13-11-18.png)
-
I'm no pro, and maybe it's different for your config. But based on my working config, I think the "simple stuff" is where you messed up.
What about localhost?
My outbound NAT looks more like this.

| Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port |
|---|---|---|---|---|---|---|---|
| VPN | 127.0.0.0/8 | * | * | 500 | VPN Address | * | yes |
| VPN | 127.0.0.0/8 | * | * | * | VPN Address | * | no |
| VPN | (subnet a, b, c, etc.) | * | * | 500 | VPN Address | * | yes |
| VPN | (subnet a, b, c, etc.) | * | * | * | VPN Address | * | no |
That's with Hybrid outbound.
-
I checked this, added in the nat rule.
Still no work. Nat rules are working as far as I can tell.
![Screenshot from 2017-05-26 14-54-48.png](/public/imported_attachments/1/Screenshot from 2017-05-26 14-54-48.png)
-
For giggles, I added an AIRVPN_TAG parameter on the port forwarded rules in the AIRVPN ruleset, and a floating rule of "any any any with tagged AIRVPN_TAG" to set the gateway to GW AIRVPN, and still, traffic is trying to go out the WAN.