Routing traffic outside PIA? (Kill switch)

Bob.Dig

@Bob-Dig Show us your LAN rules in general.

casperse

I just added this to the WAN firewal rules above:

With the tag.... that didn't help either (Really impressed on how well this stops all traffic, but there must be a way :-)

LAN RULES:

Bob.Dig

@casperse You don't need tagging in the first place and not for the default gateway and your "tagging" is wrong in the LAN Rule, like I already said.
I would advise you to undo all tagging and if everything works just use it for the "Killswitch".

casperse

@Bob-Dig Ok so remove all tagging (Except for the kill switch - that works)
Delete the floating rule for this
Should I keep both the WAN and LAN rule? (Without the tagging)
I manually created both of them should the WAN be auto created?

Again thanks for your patience!

Bob.Dig

@casperse You don't need the wan-rule.

casperse

Ok I have deleted all the rules and only kept the LAN rule
(Gateway default is set to WAN)

I still get connection through the OpenVPN tunnel from my test PC : 192.168.0.14
Only if I disable the kill switch and stop the VPN service then I will get the WAN IP?

There is something with that floating rule working as a kill switch that breaks this LAN firewall rule

casperse

Update: Disabling the floating "Kill switch" rule didn't make any difference
it still goes through the OpenVPN and not the WAN IP?

Bob.Dig

@casperse You used the tags the wrong way, you have to tag on LAN and used tagged on WAN. Any maybe there is more not ok.
I wonder why your Killswitch worked in the first place.

casperse

Okay you said no Tags :-)

I have just created two rules now (Just like used for the VPN in the video in the first post)

1. LAN Rule with TAG:
   

LAN rule in details:

And the Floating rule to allow this traffic setting the TAG:
ABOVE THE KILL SWITCH

Floating rule that reads the TAG:

And this still doesn't work? (The Tags are correct now :-)

Bob.Dig

@casperse So first, this WAN rule should be totally unnecessary because you already had the default gateway in the LAN rule.
But anyway, there seems another problem elsewhere.

Like I said, no tagging, no floating rules, no wan rules at all and make this working first.
Then to the killswitch.

Bob.Dig

Also Reset the firewall state table under DiagnosticsStatesReset States every time you test something.

casperse

@Bob-Dig There is no WAN rule? (Only a LAN and a floating rule for the tag)

The killswitch is using another tag called "vpntraffic" that is why the kill switch works, this is also in each of the LAN rules for the OpenVPN rules (Everything setup like in the video and working)

I just cant get any traffic outside the VPN tunnel.... Tags or no tags

As I said it works if I disable the Openvpn short of doing that it always goes through the VPN?

casperse

@Bob-Dig Finally found the problem....

If I test the above rules using a Laptop and not a virtual VM on my server everything works!

My Unraid server IP is used and shared by the Docker and the same gateway (subnet) Unraid server IP: 192.168.0.6
I have virtual machines VM's on the Unraid server with their own fixed IP like: 192.168.0.18

If I route any traffic through the Pfsense for the server Unraid IP, dockers etc on the 192.168.0.10 it will overrule any traffic coming from my VM having IP: 192.168.0.18 and route everything over the rule set for the Unraid server IP 192.168.0.6
hosting the VM's

So is this only possible to route traffic from my VM's if they have a real physical NIC's that I can passthrough to my VM's?
Or is there some traffic setting in Pfsense that can split this traffic apart?

Bob.Dig

@casperse
Is it a public bridge in the vm or has is something to do with docker?
Anyway, I would start another thread here or in Routing.