Netgate Discussion Forum
    Selective routing via VPN interface
    • Derelict (LAYER 8 Netgate):

      Must be configuring your rules wrong because this works every time and does exactly as it's told.

      You'll probably have to post screenshots of your rules at least.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Inxsible:

        @Derelict:

        Must be configuring your rules wrong because this works every time and does exactly as it's told.

        You'll probably have to post screenshots of your rules at least.

        Ok. I'll do that later tonight. Thanks for the help.

        • Inxsible:

          Looking for more understanding in this, I stumbled across this thread: https://forum.pfsense.org/index.php?topic=105810.0

          which seems to be doing exactly what I need. I did the exact same thing and it didn't work. Maybe I have to look at my settings a bit more thoroughly. But in the meantime, I wanted a clarification.

          Derelict, in that thread, you advocate not using the Floating rules and simply creating the VPN rule which will tag NO_WAN_EGRESS on the packets that need to go out the VPN interface. Having followed the NordVPN tutorial listed in my first post, it seems like I have accepted a default route to VPN.

          Would it be beneficial or simpler to not do it that way and simply create a VPN interface (without doing anything else listed in the NordVPN tutorial) and then use just Firewall -> Rules -> LAN to create 2 rules: 1 for VPN_devices (tagged with NO_WAN_EGRESS) and 1 for WAN_devices (for my work laptop and my TV).

          If so, please let me know. I would rather follow the pfSense way of doing things than following hack-job tutorials that differ with every VPN provider.

          • Derelict (LAYER 8 Netgate):

            The NO_WAN_EGRESS tags must be blocked out WAN using a floating rule, so you are misreading, apparently.

            The gist is:

            If you route traffic for the VPN, tag it at the same time.

            Block anything tagged as such from egressing WAN.


            • Inxsible:

              Got it. Trying it out now…

              Thanks for sticking by me...

              • Inxsible:

                I just can't get this going. Here's how I set this up:

                Firewall Rule 1 and Firewall Rule 2 are screenshots of how I set up the rule.

                Firewall Rule Setup indicates I have that rule above my default VPN rule that goes via the VPN interface.

                My alias, wan_devices, is set up as a Hosts alias with 1 IP for my work laptop.

                The minute I save the Firewall rule, my work laptop doesn't get any internet connection. This leads me to believe that the rule is catching the IP correctly. The only thing I can think of now is that the NordVPN tutorial probably set it in a way where nothing goes out of the WAN.

                If there is a way to just create a VPN interface and not follow anything in the NordVPN tutorial and simply do this via Firewall rules, then that would be best.

                What am I doing wrong ???

                ![Firewall Rule 1.png](/public/imported_attachments/1/Firewall Rule 1.png)
                ![Firewall Rule 2.png](/public/imported_attachments/1/Firewall Rule 2.png)
                ![Firewall Rule setup.png](/public/imported_attachments/1/Firewall Rule setup.png)

                • luckman212 (LAYER 8):

                  The 2nd rule is definitely getting hit because it's showing 20 states. Is your Outbound NAT set to auto? Post screenshots of outbound NAT, issue might be there…

                  • Inxsible:

                    Here's the outbound NAT:

                    ![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)

                    • luckman212 (LAYER 8):

                      Yeah, that's not gonna work… You're NAT'ting everything out your NORDVPN interface. You need to change that to WAN and then add a more restrictive Outbound NAT rule that only rewrites the addresses for your VPN alias group to the NORDVPN address, or you can do it the other way around but the point is you need 2 rules there...

                      • Inxsible:
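                      The two pieces of advice in this thread (Derelict's "route it and tag it, then block the tag out WAN" and luckman212's two outbound NAT rules) fit together as follows. This is an added pf.conf fragment in the syntax pfSense generates for its GUI rules, not code from the thread or from pfSense; the interface names, addresses and gateways are assumed placeholders.

```pf
# Added example (not from the thread or from pfSense): the whole policy in pf.conf form.
# Interface names, addresses and gateways are assumed placeholders.
wan_if  = "em0"
lan_if  = "em1"
vpn_if  = "ovpnc1"            # the NordVPN OpenVPN client interface
lan_net = "192.168.1.0/24"
wan_gw  = "203.0.113.1"       # ISP next hop (placeholder)
vpn_gw  = "10.8.0.1"          # VPN tunnel remote endpoint (placeholder)

# "Option 2" from the thread: only the hosts that should bypass the VPN are listed.
table <wan_devices> { 192.168.1.10, 192.168.1.11 }   # work laptop, TV

# Outbound NAT: one rule per egress interface, so traffic leaving WAN is translated too.
# A single "nat on $vpn_if" rule (the tutorial's setup) leaves WAN-bound traffic untranslated.
nat on $wan_if from <wan_devices> to any -> ($wan_if)
nat on $vpn_if from $lan_net      to any -> ($vpn_if)

# Floating rule: nothing carrying the tag may ever leave the ISP interface.
# If the tunnel drops, tagged traffic is dropped here instead of falling back to WAN.
block out quick on $wan_if tagged NO_WAN_EGRESS

# LAN rules, evaluated top to bottom.
# Traffic to the firewall itself and the local subnet (DNS, GUI) must not be policy-routed.
pass in quick on $lan_if from $lan_net to $lan_net keep state
# Bypass rule sits above the catch-all VPN rule; it is not tagged, so WAN egress is allowed.
pass in quick on $lan_if route-to ($wan_if $wan_gw) from <wan_devices> to any keep state
# Everything else is routed into the tunnel and tagged in the same rule.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) from $lan_net to any keep state tag NO_WAN_EGRESS
```

                      After loading, `pfctl -sr` and `pfctl -sn` show the filter and NAT rules as parsed, and a host that should be on the VPN must never show states on the WAN interface.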

                        Thanks luckman212,

                        The NAT'ting everything out the NORDVPN interface was done by the tutorial that I followed from NordVPN. I would rather do what is correct than trying to circumvent the NordVPN tutorial. What would be the recommended way?

                        • Do you think I should default everything out my WAN and create an Alias for all my VPN devices or

                        • default everything out my VPN and create an Alias for my WAN devices?

                        I want only 2 devices out my WAN, the rest all via VPN. So option 2 would mean setting static IPs for only 2 devices vs the first option where I would have to set static IPs for almost all my devices.

                        Should I just "factory reset" my pfSense, in order to get rid of everything that the NordVPN tutorial did and start over in the right way?

                        • luckman212 (LAYER 8):

                          You are not "circumventing" anything. The tutorial just doesn't cover your particular case, but there is nothing "wrong" about what I am suggesting here. Yes, in your case I would go with option #2: just define your alias for devices that you want to route normally (bypass VPN) and then set up outbound NAT based on that.

                          • Inxsible:

                            Thank you again luckman212. Creating a NAT rule for WAN helped me out. Now I have my work laptop showing me my ISP IP on whatsmyip and other devices on my network showing me my VPN IP.

                            Exactly what I wanted.

                            Just a quick question: If I add my TV's IP to my wan_devices alias, that should also allow it to go out via my ISP? At that point I don't have to do anything with NAT rules correct?

                            • luckman212 (LAYER 8):

                              Correct, from this point on you can manage everything through your aliases as long as you do not add any additional network interfaces or VLANs. Glad you got things working!

                              • Inxsible:

                                Wonderful. Thank you again for sticking by a novice like me.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.