Netgate Discussion Forum
    Routing traffic outside PIA? (Kill switch)

    General pfSense Questions
    20 Posts 2 Posters 1.3k Views
      casperse @Bob.Dig

      @Bob-Dig Ok so remove all tagging (Except for the kill switch - that works)
      Delete the floating rule for this
      Should I keep both the WAN and LAN rule? (Without the tagging)
      I manually created both of them should the WAN be auto created?

      Again thanks for your patience!

        Bob.Dig @casperse

        @casperse You don't need the wan-rule.

          casperse

          Ok I have deleted all the rules and only kept the LAN rule
          (Gateway default is set to WAN)

          [screenshot]

          I still get connection through the OpenVPN tunnel from my test PC: 192.168.0.14
          Only if I disable the kill switch and stop the VPN service will I get the WAN IP?

          There is something with that floating rule working as a kill switch that breaks this LAN firewall rule

            casperse

            Update: Disabling the floating "Kill switch" rule didn't make any difference;
            it still goes through the OpenVPN and not the WAN IP?

              Bob.Dig @casperse

              @casperse You used the tags the wrong way, you have to tag on LAN and use tagged on WAN. And maybe there is more not ok. 😉
              I wonder why your Killswitch worked in the first place.

                casperse

                Okay you said no Tags :-)

                I have just created two rules now (Just like used for the VPN in the video in the first post)

                1. LAN rule with TAG:
                  [screenshot]

                LAN rule in detail:
                [screenshot]

                And the floating rule to allow this traffic setting the TAG:
                ABOVE THE KILL SWITCH
                [screenshot]

                Floating rule that reads the TAG:
                [screenshot]

                And this still doesn't work? (The Tags are correct now :-)

                  Bob.Dig @casperse

                  @casperse So first, this WAN rule should be totally unnecessary because you already had the default gateway in the LAN rule.
                  But anyway, there seems to be another problem elsewhere.

                  Like I said, no tagging, no floating rules, no WAN rules at all, and make this work first.
                  Then on to the killswitch.

                    Bob.Dig

                    Also reset the firewall state table under Diagnostics > States > Reset States every time you test something.

                      casperse @Bob.Dig
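The rule set Bob.Dig describes in the two posts above (a LAN rule with the gateway set and no tag for the host that must leave via WAN, the VPN-bound LAN rules tagged, and the kill switch as a floating outbound block on WAN matching that tag), written out as an added illustration in raw pf syntax. This is not from the thread or from pfSense itself; pfSense generates its own ruleset from the GUI. The interface names, gateway addresses, the tag name and the exempt host's address are assumptions chosen to match the thread.

```pf
# Added illustration, not pfSense-generated configuration. All names and
# addresses below are assumed (documentation/private ranges).
wan_if  = "em0"           # assumed WAN interface
lan_if  = "em1"           # assumed LAN interface
vpn_if  = "ovpnc1"        # assumed OpenVPN client interface
wan_gw  = "203.0.113.1"   # assumed WAN gateway
vpn_gw  = "10.8.0.1"      # assumed gateway inside the tunnel
lan_net = "192.168.0.0/24"
no_vpn_host = "192.168.0.14"   # the test PC that must bypass the tunnel

# --- Kill switch: floating rule, direction out, interface WAN -------------
# Only packets carrying the "vpntraffic" tag are dropped on WAN. Traffic that
# was never tagged (the bypass host below) is not affected by this rule.
block out quick on $wan_if tagged vpntraffic

# --- LAN rules, evaluated top to bottom; "quick" means first match wins ---
# Bypass host: gateway = WAN (route-to), no tag. Because it never receives the
# "vpntraffic" tag, the kill switch never matches it, so no floating pass rule
# and no separate WAN rule are needed.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet \
    from $no_vpn_host to ! $lan_net keep state

# Everyone else: gateway = VPN and tagged "vpntraffic". If the tunnel is down
# and the packet would fall back to WAN, the kill switch above blocks it.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from $lan_net to ! $lan_net tag vpntraffic keep state
```

Two things this layout depends on. First, pf tags are sticky on the state: the tag set by the LAN rule travels with the connection, which is why a `tagged` match on the WAN floating rule can see it. Second, `route-to` is bound to the state at creation time, so a connection that was already established through the tunnel keeps going through the tunnel no matter what rules you add afterwards; that is why the state table has to be reset (Diagnostics > States > Reset States in the GUI, `pfctl -F states` from a shell) after every rule change before testing again.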

                      @Bob-Dig There is no WAN rule? (Only a LAN and a floating rule for the tag)

                      The killswitch is using another tag called "vpntraffic"; that is why the kill switch works. This is also in each of the LAN rules for the OpenVPN rules (everything set up like in the video and working).

                      I just can't get any traffic outside the VPN tunnel... tags or no tags.

                      As I said, it works if I disable the OpenVPN; short of doing that, it always goes through the VPN?

                        casperse

                        @Bob-Dig Finally found the problem....

                        If I test the above rules using a laptop and not a VM on my server, everything works!

                        My Unraid server IP is used and shared by the Docker containers and the same gateway (subnet). Unraid server IP: 192.168.0.6
                        I have virtual machines (VMs) on the Unraid server with their own fixed IPs like 192.168.0.18.

                        If I route any traffic through the pfSense for the Unraid server IP, dockers etc. on 192.168.0.10, it will overrule any traffic coming from my VM with IP 192.168.0.18 and route everything over the rule set for the Unraid server IP 192.168.0.6
                        hosting the VMs.

                        So is it only possible to route traffic from my VMs if they have real physical NICs that I can pass through to my VMs?
                        Or is there some traffic setting in pfSense that can split this traffic apart?

                          Bob.Dig @casperse

                          @casperse
                          Is it a public bridge in the VM, or has it something to do with Docker?
                          Anyway, I would start another thread here or in Routing.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.