    Traffic not leaving correct gateway
    OpenVPN category, 15 posts by 3 posters

    treybeatty

      I have a weird issue, my setup has worked fine for quite a while now. But it started acting up today.
      All of the traffic on the LAN is leaving through the VPN now, instead of the default gateway. Even if I put lan anywhere up top of the rules. I haven’t made any changes lately to the setup and the default gateway is set correctly. See attached rules. The only way I can get around this is to disable the VPN. Thanks as usual.

      BC7784F5-AE2A-4872-A808-6745A4160BCE.jpeg

        viragomann

        Presumably you get the default route pushed by the vpn server. Maybe this was changed at the server side.
        To avoid that go to the vpn client settings and check "Don't pull routes".

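Added example (not from the thread, pfSense or OpenVPN): a small Python parser over a constructed OpenVPN client log excerpt that shows whether the server pushed a default route (redirect-gateway) and which routes and DNS servers came with it. pfSense's "Don't pull routes" sets OpenVPN's route-nopull, which makes the client ignore pushed routes and DNS options, so a log like this explains both the "all traffic leaves via the VPN" symptom and what stops being applied once the box is ticked.

```python
import re

# Constructed OpenVPN client log excerpt (not taken from the thread). The PUSH_REPLY
# line lists every option the server pushed; "redirect-gateway" is what makes the
# client take over the default route.
SAMPLE_LOG = """\
2024-01-01 08:00:01 TLS: Initial packet from [AF_INET]203.0.113.10:1198
2024-01-01 08:00:02 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2024-01-01 08:00:02 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.6 255.255.255.0'
2024-01-01 08:00:02 OPTIONS IMPORT: route options modified
"""

PUSH_RE = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")


def parse_push_reply(log_text):
    """Return the options from the last PUSH_REPLY in the log, or [] if none was logged."""
    matches = PUSH_RE.findall(log_text)
    if not matches:
        return []
    return [opt.strip() for opt in matches[-1].split(",") if opt.strip()]


def pushed_default_route(options):
    """True when the server tried to become the client's default gateway."""
    return any(o.startswith("redirect-gateway") or o.startswith("route 0.0.0.0 0.0.0.0")
               for o in options)


def pushed_routes(options):
    """Explicit 'route' options the server pushed (suppressed by route-nopull)."""
    return [o for o in options if o.startswith("route ")]


def pushed_dns(options):
    """DNS servers pushed via dhcp-option (also suppressed by route-nopull)."""
    return [o.split()[2] for o in options if o.startswith("dhcp-option DNS ")]


def assess(log_text):
    """Summarise what the server pushed so the client-side routing behaviour can be explained."""
    opts = parse_push_reply(log_text)
    return {
        "default_route_pushed": pushed_default_route(opts),
        "routes": pushed_routes(opts),
        "dns": pushed_dns(opts),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

On pfSense the client log is under Status > System Logs > OpenVPN; if `default_route_pushed` is true while "Don't pull routes" is unchecked, the VPN gateway will take over all LAN traffic regardless of the order of the firewall rules.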
          treybeatty

          I made those changes and that now directs non vpn out of the default gateway, but now clients on the vpn have no internet.

            viragomann

            Can you rule out that it's a DNS issue?
            You block DNS access to pfSense, so the clients have to use a DNS server which is accessible over the VPN.

              treybeatty

              Allowed DNS and still clients behind VPN have no internet. If I uncheck Don't pull routes, again all traffic goes out the VPN.

                viragomann @treybeatty

                @treybeatty said in Traffic not leaving correct gateway:

                If I uncheck Don't pull routes, again all traffic goes out the VPN.

                That's as expected if the server pushes the default route.
                If you want to route only traffic of certain devices over the vpn you have to avoid that the server pushes the default route.

                Have you tried to access webserver by its IP from concerned clients?
                E.g. "ping 8.8.8.8"

                  treybeatty

                  @viragomann said in Traffic not leaving correct gateway:

                  Have you tried to access webserver by its IP from concerned clients?
                  E.g. "ping 8.8.8.8"

                  Yes, I've tried it, no it doesn't work.

                    viragomann

                    If the traffic from the clients is directed over the VPN successfully when the server pushes the default route, it also must work with policy routing.
                    However, what is the "VPN_Gateway_Group"? Is this really a gateway group? Something messed up there?
                    If you only have one VPN, assign an interface to it and select the related gateway in the rule.

                      treybeatty

                      "However, what is the "VPN_Gateway_Group"?" 2 VPN Gateways as a failover setup in Gateway Groups.

                      I'll try to explain better.
                      If VPN client is connected, all traffic goes out of the VPN Gateway.

                      If VPN client is disconnected, all traffic goes out of the default Gateway as expected.

                      If Don't pull routes is checked, none of the clients on the VPN side will connect.

                      Meant to also add, it's been working fine like this for 6 months until this morning.

                        viragomann @treybeatty

                        @treybeatty said in Traffic not leaving correct gateway:

                        If VPN client is disconnected, all traffic goes out of the default Gateway as expected.

                        I can't see any rule in your screenshot above which allows this traffic. Maybe you have floating rules which match.
                        Apart from this, if you're running 2 VPN clients in a gateway group, at least one should be connected at any time.

                        Also wondering what the "HOME net" alias in your rule set is. You have "HOME net" and "VPN_Only" (which seems to be the IP for VPN access) on the same interface; one time "HOME net" is the source and the other time the destination, which makes no sense if both are connected to the same interface.

                          treybeatty @viragomann

                          "If VPN client is disconnected, all traffic goes out of the default Gateway as expected."

                          Except for VPN_Only which is an Alias listing IP's that should connect behind the VPN.

                          @viragomann said in Traffic not leaving correct gateway:

                          Also wondering what's the "HOME net" alias in your rule set. You have "HOME net" and "VPN_Only" (which seems to be the IP for vpn access) on the same interface, one time is "HOME net" source and the other one destination, which makes no sense if both are connected to the same interface.

                          HOME net is just the name of the LAN interface.
                          VPN_Only to HOME net rule is so clients behind the VPN can connect to the LAN network.

                            viragomann

                            I'm afraid I totally misunderstood your intention up to now.
                            You're talking about "clients behind the VPN", so it is not a VPN client running on pfSense over which you want to direct the VPN_Only IPs.
                            You will have to provide some more details about your setup. Also wondering which interface's rules the screenshot shows.

                              treybeatty @viragomann

                              @viragomann
                              Private Internet Access as VPN provider.
                              2 VPN clients configured as a gateway group. (VPN_Gateway_Group)
                              Rules are on the LAN (named HOME).
                              VPN_Only is an Alias of local IP's to connect behind Private Internet Access.

                              Thanks again for all the help

                                treybeatty

                                I haven't done anything today, but it started working as it has been.

                                Thanks.

                                  bcruze

                                  System > Routing: is that set correctly?

                                  Instead of using the default gateway, I have my default GW set to the tunnel I want it to go out of.

                                  defaultgw.jpeg

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.