Netgate Discussion Forum
    Site-to-Site traffic redirection

    OpenVPN
    12 Posts 5 Posters 1.1k Views
    • RicoR
      Rico LAYER 8 Rebel Alliance
      last edited by

      Could you not just Policy Route his traffic to your main office with Firewall Rules?
      I'd skip that redirect-gateway def1 stuff if possible...

      -Rico

      • N
        nginfo
        last edited by

        Hi Rico,

        And how would I set that rule?

        When I try anything other than redirect-gateway, I either lose internet or nothing is routed through the VPN tunnel.

        I'm having a headache with that one.

        Thanks,
        nginfo

        • K
          Konstanti @nginfo
          last edited by Konstanti

          @nginfo Hi
          https://www.netgate.com/docs/pfsense/routing/directing-traffic-with-policy-routing.html

          On the client side, on the LAN interface, you need to create a rule that will redirect traffic from the client through the OpenVPN tunnel. To do this, change the default gateway to the OpenVPN gateway.
          [screenshot: LAN firewall rule with the gateway set to the OpenVPN gateway]

          This rule must be located above the other rules.

          [screenshot: rule order on the LAN tab, with the policy-routing rule above the others]

          In this case, the "redirect-gateway def1;" option is not needed.

          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by

            And check out https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html for more detailed information.

            -Rico

            • N
              nginfo
              last edited by

              Hi guys,

              Thank you for the links. It seems to work fine now.

              Do you know if it is possible to block internet if the VPN is down?

              Right now, if the VPN_gateway is down, traffic goes through WAN_gateway and the client site doesn't want that.

              Thanks,
              nginfo

              • M
                marvosa @Rico
                last edited by marvosa

                @rico said in Site-to-Site traffic redirection:

                Could you not just Policy Route his traffic to your main office with Firewall Rules?
                I'd skip that redirect-gateway def1 stuff if possible...

                Agreed. Looks like you may have eventually done it already, but what you'd want to do is assign the client tunnel to an interface, policy route traffic sourced from the client-end to the headend and then NAT it out the headend WAN.

                Do you know if it is possible to block internet if the VPN is down?
                Right now, if the VPN_gateway is down, traffic goes through WAN_gateway and the client site doesn't want that.

                There may be several ways of doing this, but one way is to simply add a block-all rule immediately below the policy route line.

                • RicoR
                  Rico LAYER 8 Rebel Alliance
                  last edited by

                  OpenVPN Kill Switch: https://forum.netgate.com/topic/67692/openvpn-kill-switch/6

                  -Rico

                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    This summarizes it:

                    https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

                    You need to mark the traffic on the firewall rules that policy route the traffic to the VPN and block traffic with that mark outbound on WAN.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    • N
                      nginfo
                      last edited by

                      Hello,

                      Thank you everyone for your help. Everything seems to work perfectly now.

                      I fixed the problem by checking "Skip rules when gateway is down" (System > Advanced > Miscellaneous).

                      Thank you again.
                      Nginfo

                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Yeah. I don't like that solution but if it works for you, great. Be sure you have a block rule after that or it will just go out WAN.


                        • N
                          nginfo @Derelict
                          last edited by

                          @derelict Yes, I do. I took it from the Netgate video.

                          So far it is the only solution that worked for me, so I'll take it :)

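To make the fail-open case behind Derelict's two warnings concrete (the marked-traffic block on WAN, and the block rule needed below the policy route when "Skip rules when gateway is down" is used), here is an added Python model of pfSense's first-match rule evaluation. It is not pfSense code and not any poster's configuration: the rule objects, the gateway name VPN_GW and the tag NO_WAN_EGRESS are constructed for the example, and the gateway-down behaviour it models is the one the option's description gives (by default a rule whose gateway is down is kept with the gateway stripped, so traffic follows the default route; with the option checked, the rule is omitted entirely).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a pfSense/pf rule; only the fields the thread discusses.
@dataclass
class Rule:
    action: str                      # "pass" or "block"
    gateway: Optional[str] = None    # policy-route gateway; None = default routing
    tag: Optional[str] = None        # mark set on matching traffic (pf "tag")
    match_tag: Optional[str] = None  # rule only matches traffic carrying this mark


def evaluate(rules, gateway_up, skip_when_gw_down, packet_tag=None):
    """First-match evaluation of one interface's rule list.

    Returns (action, gateway, tag). A rule that references a down gateway is
    either skipped entirely ("Skip rules when gateway is down" checked) or kept
    with its gateway stripped (the default), which sends the packet along the
    default route, i.e. out the WAN.
    """
    for r in rules:
        if r.match_tag is not None and r.match_tag != packet_tag:
            continue
        if r.gateway is not None and not gateway_up.get(r.gateway, False):
            if skip_when_gw_down:
                continue                        # whole rule omitted
            return (r.action, "default", r.tag)  # rule kept, gateway stripped
        return (r.action, r.gateway or "default", r.tag)
    return (None, None, None)                   # nothing matched


def lan_egress(lan_rules, wan_rules, gateway_up, skip_when_gw_down):
    """Where does a LAN client's Internet-bound packet end up?"""
    action, gw, tag = evaluate(lan_rules, gateway_up, skip_when_gw_down)
    if action != "pass":
        return "blocked on LAN"       # explicit block, or pfSense's default deny
    if gw == "VPN_GW":
        return "out VPN"
    # Default route points at the WAN; outbound floating rules still apply there.
    wan_action, _, _ = evaluate(wan_rules, gateway_up, skip_when_gw_down, packet_tag=tag)
    return "blocked on WAN" if wan_action == "block" else "LEAKED out WAN"


# Constructed rules standing in for the ones described in the thread.
POLICY = Rule("pass", gateway="VPN_GW", tag="NO_WAN_EGRESS")  # policy route to the tunnel
BLOCK_ALL = Rule("block")                                     # block-all right below it
LAN_DEFAULT_ALLOW = Rule("pass")                              # stock "allow LAN to any"
WAN_BLOCK_MARKED = Rule("block", match_tag="NO_WAN_EGRESS")   # floating rule, outbound on WAN


def scenarios(vpn_gateway_up: bool):
    """Outcome of each configuration variant for one VPN gateway state."""
    up = {"VPN_GW": vpn_gateway_up}
    return {
        # policy route only, option unchecked: the rule still matches, gateway stripped
        "policy only, skip off": lan_egress([POLICY, LAN_DEFAULT_ALLOW], [], up, False),
        # block-all below the policy rule, but option unchecked: policy rule still wins
        "policy + block, skip off": lan_egress([POLICY, BLOCK_ALL, LAN_DEFAULT_ALLOW], [], up, False),
        # option checked but nothing blocking below: falls through to the LAN allow rule
        "policy only, skip on": lan_egress([POLICY, LAN_DEFAULT_ALLOW], [], up, True),
        # option checked plus block-all below the policy rule
        "policy + block, skip on": lan_egress([POLICY, BLOCK_ALL, LAN_DEFAULT_ALLOW], [], up, True),
        # mark the policy-routed traffic and block the mark outbound on WAN
        "policy + WAN block on tag, skip off": lan_egress([POLICY, LAN_DEFAULT_ALLOW], [WAN_BLOCK_MARKED], up, False),
    }


if __name__ == "__main__":
    for state in (True, False):
        print(f"VPN gateway {'up' if state else 'DOWN'}:")
        for name, result in scenarios(state).items():
            print(f"  {name:40s} -> {result}")
```

With the gateway up every variant sends traffic out the VPN, which is why the leak is easy to miss in testing; with the gateway down only the two fail-closed variants (block-all below the policy rule with the skip option checked, or the tag-and-block-on-WAN approach) stop the traffic, and the skip option on its own just lets the packet fall through to the next allow rule.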
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.