Netgate Discussion Forum
    Route one IP address outside the VPN

    Firewalling
    • Bly

      Hi all, I'd like one single IP on the remote side of a VPN to be accessed from outside the VPN. How can I do that?
      I mean, one remote IP address can be accessed both from inside the VPN and from the WAN. I'd like access to this one IP to go through the WAN and not be routed into the VPN.

      Using a LAN client outside the scope of the VPN, I can already ping the address via the WAN side, but if I use a client within the VPN scope, the ping goes through the VPN.
      The actual setup is:

      • all my LAN subnet addresses in 192.168.1.0/28 can access any address in 1.2.3.0/18 through the VPN correctly
      • the IP 1.2.3.4 can be accessed via the WAN too
      • if I use a client with IP 192.168.1.112, I reach 1.2.3.4 through the WAN (no VPN involved)
      • I'd like my clients within 192.168.1.0/28 to access 1.2.3.4 through the WAN and not the VPN.
        Can someone help me understand the correct setup I have to do? TIA!
      • johnpoz (LAYER 8 Global Moderator)

        Use policy routing to send your client either through the VPN or out your normal gateway for specific destinations.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

        • Bly (last edited by Bly)

          I added two floating rules:
          IF: lan, source: any, direction: out
          destination: 1.2.3.4
          gateway: changed from default to gw_wan
          and
          IF: WAN, source: 1.2.3.4, direction: in
          destination: any
          gateway: gw_wan
          But this set of rules doesn't give the result I expect. I'm sure I'm missing something.

          Edit: I have only one gateway. I guess changing from default to gw_wan doesn't change anything.

          • johnpoz (LAYER 8 Global Moderator)

            Don't put it on filter out in floating. It's a little late for that. You should put the rule on the interface the traffic enters pfSense on.

            Keep in mind that rules are evaluated top down: the first rule to trigger wins, and no other rules are evaluated.

            • kpa

              More specifically, it's not possible to redirect traffic that is already leaving via an interface, so any floating rule acting on outgoing traffic (from the point of view of an interface) can't change the routing decisions that have already been made. This is a FreeBSD-specific limitation of the PF packet filter; it doesn't exist in OpenBSD's version of PF.

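The two replies above (rule on the interface the traffic enters, placed above the broader VPN rule, never as a floating "out" rule) written out in plain pf.conf form as an added example, not a rule set from the thread or generated by pfSense. Interface names, the WAN next hop and the VPN peer address are assumptions; in the pfSense GUI the same thing is a LAN-tab rule with its Gateway set to the WAN gateway, ordered above the rule that sends 1.2.3.0/18 into the VPN.

```pf
# Assumed interfaces and next hops (not from the thread):
#   em0    = WAN, next hop 203.0.113.1 (the "gw_wan" gateway)
#   em1    = LAN
#   ovpnc1 = OpenVPN client interface, peer 10.8.0.1
lan    = "em1"
wan    = "em0"
vpn    = "ovpnc1"
wan_gw = "203.0.113.1"
vpn_gw = "10.8.0.1"

# Rules match top down and the first "quick" match wins, so the single-host
# exception has to sit ABOVE the broader VPN rule or it will never be reached.
# It is placed "in" on LAN, where the packet enters pfSense: the forwarding
# decision has not been made yet, so route-to can still pick the WAN path.
pass in quick on $lan route-to ($wan $wan_gw) inet \
    from 192.168.1.0/28 to 1.2.3.4 keep state

# Everything else destined for the remote /18 is policy-routed into the VPN.
pass in quick on $lan route-to ($vpn $vpn_gw) inet \
    from 192.168.1.0/28 to 1.2.3.0/18 keep state

# For contrast, the floating "out" rule from the thread (left commented out):
# by the time a packet is evaluated "out" on an interface, FreeBSD's pf has
# already committed to that interface, so route-to here cannot move it to WAN.
# pass out quick on $lan route-to ($wan $wan_gw) inet from any to 1.2.3.4
```

Check the result with `pfctl -sr` (rule order) and `pfctl -ss | grep 1.2.3.4` (the state should show the WAN interface, not the VPN one); a test from 192.168.1.0/28 to 1.2.3.4 should then appear in the WAN interface's state table.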
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.