Policy based routing and VPN again
-
> tl;dr.
> To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care about the order. Don't forget that as soon as a rule matches, it will be applied.
> Connections initiated from outside will not pass to the network as long as you don't NAT them. Connections initiated from inside will go thru that gateway as long as they're initiated from one IP in that alias.
Word for word, my config says that's what I'm doing:
```
pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
```
"$transmission" is my alias table (the list of hosts that are supposed to use the "$GWAirVPN" gateway) on "$LAN", as the FIRST rule.
When someone says
> To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care about the order. Don't forget that as soon as a rule matches, it will be applied.
Am I not doing that? I'm confused, as I thought that's what I was doing. I must be missing something.
> "everything coming in through the vpn is trying to go back out the WAN"
> Well then sounds like your issue is on the remote side..
How could this be on the remote side? Just like the other topic with a similar issue, this is a VPN service. If I set my default gateway to that of the VPN service, all port forwarding responses and initiated traffic go through the VPN, as one would assume should work.
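An added example, not code from the thread or from pfSense: a small first-match evaluator over rules written in the pf syntax quoted above, showing why the alias rule carrying the VPN gateway has to sit above the broad LAN allow rule. The alias contents and the LAN subnet are assumed.

```python
import ipaddress
import re

# Constructed alias table; the member addresses are assumed, not from the thread.
TABLES = {"transmission": ["192.168.1.50", "192.168.1.51"]}

# Matches the head of a pfSense-generated rule; the trailing 'tracker ... label' part is ignored.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in(?P<quick>\s+quick)?\s+on\s+\$(?P<iface>\w+)"
    r"(?:\s+\$(?P<gw>GW\w+))?\s+inet\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)

def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unparsed rule: {text}")
    rule = m.groupdict()
    rule["quick"] = rule["quick"] is not None
    return rule

def src_matches(spec, ip):
    """True if ip is covered by a source spec: 'any', a $table alias, or an address/CIDR."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(src_matches(entry, ip) for entry in TABLES[spec[1:]])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def route_for(ruleset, iface, src_ip):
    """Gateway a new inbound connection on iface from src_ip would be policy-routed to.
    pf semantics: 'quick' stops at the first match, otherwise the last match wins;
    pfSense emits every GUI rule with 'quick', so the order in the GUI is decisive."""
    winner = None
    for rule in map(parse_rule, ruleset):
        if rule["iface"] != iface or not src_matches(rule["src"], src_ip):
            continue
        winner = rule
        if rule["quick"]:
            break
    if winner is None or winner["action"] != "pass":
        return "blocked"
    return winner["gw"] or "default"

VPN_RULE = ('pass in quick on $LAN $GWAirVPN inet from $transmission to any '
            'tracker 1493862877 keep state label "USER_RULE"')
LAN_ALLOW = ('pass in quick on $LAN inet from 192.168.1.0/24 to any '
             'keep state label "USER_RULE: Default allow LAN to any"')
GOOD_ORDER = [VPN_RULE, LAN_ALLOW]  # VPN rule first, as the thread recommends
BAD_ORDER = [LAN_ALLOW, VPN_RULE]   # the broad allow rule shadows the VPN rule

if __name__ == "__main__":
    for name, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, "->", route_for(rules, "LAN", "192.168.1.50"))
```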
-
> > tl;dr.
> > To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care about the order. Don't forget that as soon as a rule matches, it will be applied.
> > Connections initiated from outside will not pass to the network as long as you don't NAT them. Connections initiated from inside will go thru that gateway as long as they're initiated from one IP in that alias.
> Word for word, my config says that's what I'm doing:
> ```
> pass in quick on $LAN $GWAirVPN inet from $transmission to any tracker 1493862877 keep state label "USER_RULE"
> ```
> "$transmission" is my alias table (the list of hosts that are supposed to use the "$GWAirVPN" gateway) on "$LAN", as the FIRST rule.
> When someone says
> > To me, the best option is to create an alias with the IPs of the machines that should use the VPN. Then create the rules on the LAN interface and set the gateway on those rules. Take care about the order. Don't forget that as soon as a rule matches, it will be applied.
> Am I not doing that? I'm confused, as I thought that's what I was doing. I must be missing something.
Well… to be fair, I did put tl;dr there didn't I? ;)
Can you post the GUI rule?
-
That tl;dr was too far up; I typically skip to the bottom to see if it was there. Bleh.
![Screenshot from 2017-05-26 09-07-54.png](/public/imported_attachments/1/Screenshot from 2017-05-26 09-07-54.png)
-
Seems ok to me. Do you have NAT rules (port forward to inside ip) also?
-
Added an allow rule to see if that would help; not like the results make sense anyway.
![Screenshot from 2017-05-26 09-48-46.png](/public/imported_attachments/1/Screenshot from 2017-05-26 09-48-46.png)
-
Post a pic of your NAT rules.
-
Simple stuff
![Screenshot from 2017-05-26 13-11-18.png](/public/imported_attachments/1/Screenshot from 2017-05-26 13-11-18.png)
-
I'm no pro, and maybe it's different for your config. But based on my working config, I think the "simple stuff" is where you messed up.
What about localhost?
My outbound NAT looks more like this.
| Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port |
|---|---|---|---|---|---|---|---|
| VPN | 127.0.0.0/8 | * | * | 500 | VPN Address | * | yes |
| VPN | 127.0.0.0/8 | * | * | * | VPN Address | * | no |
| VPN | (subnet a, b, c, etc.) | * | * | 500 | VPN Address | * | yes |
| VPN | (subnet a, b, c, etc.) | * | * | * | VPN Address | * | no |
That's with Hybrid outbound.
-
I checked this and added in the NAT rule.
Still doesn't work. NAT rules are working as far as I can tell.
![Screenshot from 2017-05-26 14-54-48.png](/public/imported_attachments/1/Screenshot from 2017-05-26 14-54-48.png)
-
For giggles, I added an AIRVPN_TAG parameter on the port-forwarded rules in the AIRVPN ruleset, and a floating rule of "any any any with tagged AIRVPN_TAG" to set the gateway to GW AIRVPN, and still, traffic is trying to go out the WAN.