Why was all my traffic routed through VPN
-
Hello Everybody,
Today I configured my pfSense box to be an OpenVPN client for ProtonVPN. After I had set everything up and created a rule that only the traffic of one computer be routed through the VPN interface, I noticed that traffic from all connected devices was being routed through VPN.
The firewall rule set was as follows:

Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

I then managed to rectify the problem by editing the default allow LAN to any rule and changing the gateway to GW_WAN:
Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
IPv4*     LAN net      *     *            *     GW_WAN          none             Default allow LAN to any rule
IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

Would someone please be able to explain to me why that happened? Why was the traffic from all connected devices routed through VPN, and not just the traffic for the desktop PC (192.168.3.6)?
-
Presumably the vpn server pushes the default route to you. To prevent that go to the client settings and check "Don't pull routes".
-
Hi viragomann,
Thanks for your reply. I have ticked "Don't pull routes" in the VPN client settings now and set the default GW for the "Default allow LAN to any" rule to any (*) and now the traffic for my desktop computer is not being routed through the VPN anymore.
This is my current firewall ruleset:

Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

Any idea why this might be happening? Are there now any static routes I need to add?
-
and now the traffic for my desktop computer is not being routed through the VPN anymore.
Your desktop computer is 192.168.3.6?
Since you have the VPN gateway set in the rule for its upstream traffic, it should go out to the VPN, at least IPv4 traffic. Consider that new rules don't affect existing connections. You'll have to reset states.
-
The desktop is indeed 192.168.3.6 and yes, I did reset the state table when I changed the rules. :)
I found what the problem was. I tried ticking the "Don't pull routes" box again. I then noticed that my ProtonVPN gateway in System > Routing (pfSense 2.4 btw) did not have a gateway and monitor IP, so I restarted the OpenVPN service, which fixed the issue as it was then given a gateway and monitor IP again.
This is the current rule set and it works perfectly:
Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

Thanks for your input.
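The four states the thread goes through (default route pulled from the VPN server, LAN rule pinned to GW_WAN, "Don't pull routes" with a gateway that has no IP, and the same after restarting OpenVPN) come down to two mechanisms: a rule whose Gateway column is "*" follows whatever the system default route currently is, and OpenVPN replaces that default route with a pushed one unless the client config carries route-nopull (the "Don't pull routes" checkbox). The model below is an added example written for this page, not code from pfSense or from anyone in the thread. It walks the IPv4 LAN rules top-down, first match wins, and assumes pfSense's default handling of a rule whose gateway has no usable address (the rule is loaded without its gateway, so it falls back to the default route, unless "Skip rules when gateway is down" is set). The gateway addresses and the second LAN host (192.168.3.20) are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Gateway:
    """A System > Routing gateway. ip=None models the state seen in the thread,
    where ProtonVPN_DHCP had no gateway/monitor IP until OpenVPN was restarted."""
    name: str
    ip: Optional[str]


@dataclass
class Rule:
    """One LAN pass rule. gateway=None is the '*' in the Gateway column."""
    source: str               # CIDR; "192.168.3.0/24" stands in for "LAN net"
    gateway: Optional[str]    # gateway name, or None for '*'
    description: str = ""


def system_default_gateway(wan: Gateway, vpn: Gateway,
                           server_pushes_redirect_gateway: bool,
                           route_nopull: bool) -> Gateway:
    """Which gateway holds the default route.
    An OpenVPN client installs a pushed 'redirect-gateway' as the new default
    route unless its config carries route-nopull (pfSense: 'Don't pull routes')."""
    if server_pushes_redirect_gateway and not route_nopull:
        return vpn
    return wan


def egress_gateway(src_ip: str, rules: List[Rule], gateways: Dict[str, Gateway],
                   default: Gateway, skip_rules_when_gateway_down: bool = False) -> str:
    """Name of the gateway a host's IPv4 traffic leaves on.
    Rules are evaluated top-down, first match wins (pfSense rules are 'quick').
    A rule with gateway '*' follows the system default route.
    A rule whose gateway has no IP is loaded without its gateway (assumed pfSense
    default), so it also follows the default route; with 'Skip rules when gateway
    is down' enabled the rule is dropped and evaluation continues."""
    src = ip_address(src_ip)
    for rule in rules:
        if src not in ip_network(rule.source):
            continue
        if rule.gateway is None:
            return default.name
        gw = gateways[rule.gateway]
        if gw.ip is None:
            if skip_rules_when_gateway_down:
                continue
            return default.name
        return gw.name
    return "none"   # no matching pass rule


# Constructed objects mirroring the thread; the gateway IPs are placeholders.
WAN = Gateway("GW_WAN", "203.0.113.1")
VPN_UP = Gateway("ProtonVPN_DHCP", "10.8.0.1")
VPN_NO_IP = Gateway("ProtonVPN_DHCP", None)
DESKTOP = "192.168.3.6"
LAPTOP = "192.168.3.20"   # constructed second LAN host


def thread_rules(lan_rule_gateway: Optional[str]) -> List[Rule]:
    """The two IPv4 rules from the thread; only the LAN rule's gateway varies."""
    return [
        Rule("192.168.3.6/32", "ProtonVPN_DHCP", "Desktop - Traffic to VPN"),
        Rule("192.168.3.0/24", lan_rule_gateway, "Default allow LAN to any rule"),
    ]


def scenario(route_nopull: bool, vpn: Gateway, lan_rule_gateway: Optional[str] = None,
             skip_down: bool = False) -> Dict[str, str]:
    """Egress gateway per host, with the VPN server always pushing a default route."""
    gws = {WAN.name: WAN, vpn.name: vpn}
    default = system_default_gateway(WAN, vpn, server_pushes_redirect_gateway=True,
                                     route_nopull=route_nopull)
    rules = thread_rules(lan_rule_gateway)
    return {host: egress_gateway(host, rules, gws, default, skip_down)
            for host in (DESKTOP, LAPTOP)}


if __name__ == "__main__":
    print("1. routes pulled, LAN rule gateway *:     ", scenario(False, VPN_UP))
    print("2. routes pulled, LAN rule pinned to WAN: ", scenario(False, VPN_UP, "GW_WAN"))
    print("3. Don't pull routes, gateway has no IP:  ", scenario(True, VPN_NO_IP))
    print("4. Don't pull routes, OpenVPN restarted:  ", scenario(True, VPN_UP))
```

Scenario 1 sends both hosts out the VPN because the LAN rule's "*" resolved to the pushed default route; scenario 3 sends the desktop out the WAN because its gateway object had no address to route-to; only scenario 4 gives the split the poster wanted. Pinning the LAN rule to GW_WAN (scenario 2) also works, but it leaves the box's own default route pointing at the VPN, which route-nopull avoids.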