Netgate Discussion Forum

How to bypass VPN for a specific IP range?

General pfSense Questions
8 Posts 3 Posters 4.0k Views
  • L
    Live4soccer7
    last edited by Oct 11, 2017, 4:26 AM

    I have a VPN set up on pfSense and it is routing ALL of my traffic through the VPN, as one would expect. There are a few instances where I would like to bypass the VPN for a specific IP range or even individual IPs, whichever will work.

    I followed this tutorial on setting it up: https://forum.pfsense.org/index.php?topic=76015.0

    Can someone point me in the right direction on how to achieve this?

    • L
      Live4soccer7
      last edited by Oct 11, 2017, 5:08 AM

      I have found a way and it works, however it seems that I can only do a single IP at a time in the firewall rules. Is there a way for me to specify a range? For example, 192.168.1.2 through 192.168.1.99?

      I've added a LAN Firewall Rule, chosen pass, advanced gateway, and chose the WAN and NOT the VPN. I then chose single/host as the destination and input an IP address. This allowed it to pass by the VPN.

      • D
        Derelict LAYER 8 Netgate
        last edited by Oct 11, 2017, 6:24 AM

        You are bypassing policy routing. That is completely normal:

        https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

        Yes, you can bypass for ranges. Make an alias containing the IP addresses you want to bypass and use that alias as the source address in the firewall rule.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • L
          Live4soccer7
          last edited by Oct 11, 2017, 4:53 PM

          THANKS!! I ended up creating about 7-8 individual rules, but I may create an alias as you suggested to clean things up a bit.

          • V
            Velcro
            last edited by Oct 11, 2017, 9:11 PM

            I would strongly second Derelict… make an alias! Super easy to do and, more importantly, super easy to maintain.

            • L
              Live4soccer7
              last edited by Oct 11, 2017, 9:13 PM

              Yup. That's what I did this morning. It was super easy. I created the alias and deleted the individual rules. Now I have a decent IP range that I can either statically assign to clients or have the DHCP server give them IPs based on MAC address, which I have for about 7 items on the network right now.

              • D
                Derelict LAYER 8 Netgate
                last edited by Oct 11, 2017, 9:39 PM

                Pro-tip: make things like this fall into a CIDR range so you can not only do it with an alias, but the alias can be simpler.

                Like make your "special" devices addressed as 192.168.1.225 through 192.168.1.254. Then you can just use 192.168.1.224/27.

                That makes a lot more sense than using, say, .100 - .150.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

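An added example (not from this thread and not pfSense's own code) that shows why Derelict's pro-tip works: it computes the smallest single CIDR block containing a host range, how much that block "overshoots" the hosts you actually meant, and the exact list of blocks you would otherwise need in the alias. It also models the top-down, first-match order in which pfSense evaluates LAN rules, so you can see that the bypass rule only takes effect when it sits above the catch-all rule that sends LAN traffic to the VPN gateway. The LAN subnet 192.168.1.0/24 and the gateway names WAN_DHCP and VPN_GW are constructed placeholders, and the rule model is a simplification (source address only, no ports or protocols).

```python
"""Alias sizing and rule-order check for a policy-routing bypass (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def covering_cidr(first: str, last: str) -> str:
    """Smallest single CIDR block that contains every address in first..last.

    This is the block you would put in the alias: one entry instead of many.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    for prefix in range(lo.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return str(net)
    raise ValueError("no common block")  # unreachable for valid IPv4 input


def overshoot(first: str, last: str) -> int:
    """How many addresses the covering block matches beyond the intended hosts.

    A large overshoot means the alias would bypass the VPN for hosts you did
    not intend; .100-.150 on a /24 can only be covered by the whole /24.
    """
    wanted = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    block = ipaddress.ip_network(covering_cidr(first, last))
    return block.num_addresses - wanted


def exact_blocks(first: str, last: str) -> List[str]:
    """Exact CIDR decomposition of the range: what the alias needs if you insist
    on matching only those hosts. Ranges that are not CIDR-aligned explode
    into many entries."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


@dataclass(frozen=True)
class Rule:
    """One LAN pass rule. gateway is the name of the gateway forced by the
    rule's advanced 'Gateway' option (placeholders here, not real names)."""
    name: str
    source: str   # alias contents as a CIDR block, or 'any'
    gateway: str


# Constructed rule set. Order matters: pfSense applies interface rules
# top-down and the first match wins, so the bypass rule must come first.
LAN_RULES = [
    Rule("bypass-vpn", "192.168.1.224/27", "WAN_DHCP"),  # alias of 'special' hosts
    Rule("lan-to-vpn", "192.168.1.0/24", "VPN_GW"),      # everything else via VPN
]


def _matches(rule: Rule, src: str) -> bool:
    if rule.source == "any":
        return True
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule.source, strict=False)


def gateway_for(src: str, rules: Optional[List[Rule]] = None) -> Optional[str]:
    """Gateway chosen for traffic from src, or None if no pass rule matches
    (pfSense's implicit default deny)."""
    for rule in (LAN_RULES if rules is None else rules):
        if _matches(rule, src):
            return rule.gateway
    return None


if __name__ == "__main__":
    for first, last in (("192.168.1.225", "192.168.1.254"),
                        ("192.168.1.100", "192.168.1.150")):
        print(f"{first}-{last}: covering {covering_cidr(first, last)}, "
              f"overshoot {overshoot(first, last)}, "
              f"exact entries {len(exact_blocks(first, last))}")
    for host in ("192.168.1.230", "192.168.1.50"):
        print(host, "->", gateway_for(host))
    print("230 with rules reversed ->", gateway_for("192.168.1.230", LAN_RULES[::-1]))
```

Running it shows .225-.254 collapsing to 192.168.1.224/27 with only two spare addresses (.224 and .255), while .100-.150 needs seven alias entries to match exactly and would need the entire /24 as a single block. The last line demonstrates the ordering caveat: with the catch-all above the bypass rule, the "special" host is policy-routed to the VPN like everyone else.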
                • L
                  Live4soccer7
                  last edited by Oct 11, 2017, 9:46 PM

                  You've lost me now ;D

                  I was just wondering last night what the significance of the suffix is: 24, 32, etc…

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.