How to use the OPT1 port to segment VPN traffic from LAN traffic?
-
I am using a pfSense SG-4860-1U firewall. The WAN port is connected to a commercial ISP. I have several clients (about 10) that will be connecting through the firewall; however, some require connecting through a third-party VPN provider and the rest will simply use the commercial ISP for external-facing IPs.
I have set up the VPN service to work as intended using an OpenVPN client profile on the pfSense, created a CA and public keys for the VPN provider, etc. The rules allow internal traffic out through the VPN and block all traffic when the VPN is off/not active.
This setup works fine when it is on the LAN interface. However, I want to connect a switch to the OPT1 interface and have all of the devices connected to that switch route through the VPN only (and disallow all traffic when the VPN is off or the service is not active).
I can get the LAN traffic to connect through the WAN/ISP (using the 192.168.1.0/24 subnet). The LAN acts as a DHCP server to distribute IPs to clients connected to the switch that is connected to the LAN port.
But I cannot get OPT1 to get any connection to the WAN or VPN. Should I be using DHCP for OPT1? Are there additional NAT settings that need to be configured for my requirements to be met? The OPT1 interface has been activated in the web GUI.
To be clear, OPT1 should not allow ANY traffic in/out if the VPN provider is down (this traffic should never have internet access or an IP address that is provided by the commercial ISP).
Thank you for your help here; I am learning all of this one step at a time and it can be a bit overwhelming.
-
@vpnguy
It's better to have DHCP everywhere; it makes things easier.
For the new LAN, if you disable outbound NAT for the specific subnet, it won't reach the internet. Now, for the new subnet, if we are talking about routing, this new subnet must also be known to the VPN server. You need to clarify this with your provider.
If this is not the case, you will also need to NAT all new subnet IPs to the VPN interface IP.
(Do assign an OpenVPN interface for this client connection if you haven't done so.)
And you need policy rules for these IPs to reach the VPN gateway. -
Thanks for your help Netblues, it helped me understand better what I need to do.
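The pieces Netblues lists (an assigned OpenVPN client interface, outbound NAT for the OPT1 subnet only on that interface, and a policy-routing rule that sends OPT1 traffic to the VPN gateway followed by a block rule) fit together in a way that is easy to get subtly wrong. The model below is an added example, not pfSense code and not from either poster: it reproduces the two pfSense behaviours that decide whether the OPT1 kill switch actually holds. First, GUI rules are evaluated first-match ("quick"), so the pass-with-gateway rule must sit above the block rule. Second, by default pfSense reacts to a gateway being down by generating the rule without its gateway, which turns the VPN rule into an ordinary pass via the default (ISP) route; the System > Advanced > Miscellaneous option "Skip rules when gateway is down" makes it omit the rule entirely so the block rule catches the traffic. The OPT1 subnet (192.168.2.0/24), gateway names, interface addresses and client address are assumptions for illustration; LAN is 192.168.1.0/24 as in the post.

```python
"""Model of pfSense-style policy routing for an OPT1 subnet that must only
leave through an OpenVPN client interface (ovpnc1), with a kill switch.
Constructed example, not pfSense code. Only two behaviours are modelled:
first-match rule evaluation, and how a rule whose gateway is down is
regenerated (gateway stripped, or whole rule skipped)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing. LAN matches the post; OPT1, gateway names and the
# interface addresses below are illustrative.
LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.2.0/24")
GATEWAYS = {                 # gateway name -> egress interface
    "WAN_DHCP": "wan",       # the ISP; holds the default route
    "VPN_OVPNC1": "ovpnc1",  # exists once the OpenVPN client is assigned as an interface
}
DEFAULT_GW = "WAN_DHCP"
IFACE_ADDR = {"wan": ip_address("203.0.113.7"), "ovpnc1": ip_address("10.8.0.6")}


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                    # "pass" or "block"
    src: IPv4Network
    gateway: Optional[str] = None  # None: follow the routing table


# OPT1 firewall tab, top to bottom, as the answer describes it.
OPT1_RULES = [
    Rule("opt1", "pass", OPT1_NET, gateway="VPN_OVPNC1"),  # policy-route via the VPN
    Rule("opt1", "block", OPT1_NET),                       # kill switch for everything else
]

# Outbound NAT tables: egress interface -> source networks translated there.
# Automatic mode NATs every local subnet on every interface that has a gateway.
AUTOMATIC_NAT = {"wan": [LAN_NET, OPT1_NET], "ovpnc1": [LAN_NET, OPT1_NET]}
# Manual/hybrid mode as the answer recommends: OPT1 is NATed on ovpnc1 only.
MANUAL_NAT = {"wan": [LAN_NET], "ovpnc1": [OPT1_NET]}


def generate(rules: list[Rule], gw_up: dict[str, bool], skip_when_down: bool) -> list[Rule]:
    """Mimic a filter reload: decide what happens to rules whose gateway is down."""
    out = []
    for r in rules:
        if r.gateway is not None and not gw_up.get(r.gateway, False):
            if skip_when_down:
                continue  # "Skip rules when gateway is down": rule omitted entirely
            out.append(Rule(r.iface, r.action, r.src, None))  # default: gateway stripped, pass kept
        else:
            out.append(r)
    return out


def evaluate(ruleset: list[Rule], iface: str, src: IPv4Address):
    """First matching rule wins. Returns (verdict, egress interface or None)."""
    for r in ruleset:
        if r.iface == iface and src in r.src:
            if r.action == "block":
                return ("block", None)
            return ("pass", GATEWAYS[r.gateway or DEFAULT_GW])
    return ("block", None)  # implicit default deny


def outbound_nat(nat_table: dict[str, list[IPv4Network]], egress: str, src: IPv4Address) -> IPv4Address:
    """Translate the source to the egress interface address if a NAT rule covers it."""
    for net in nat_table.get(egress, []):
        if src in net:
            return IFACE_ADDR[egress]
    return src


def opt1_egress(vpn_up: bool, skip_when_down: bool, nat_table, client=ip_address("192.168.2.50")):
    """Where does an OPT1 client's packet go, and with which source address?"""
    gw_up = {"WAN_DHCP": True, "VPN_OVPNC1": vpn_up}
    verdict, egress = evaluate(generate(OPT1_RULES, gw_up, skip_when_down), "opt1", client)
    if verdict == "block":
        return ("block", None, None)
    return ("pass", egress, str(outbound_nat(nat_table, egress, client)))


if __name__ == "__main__":
    for vpn_up, skip, nat, label in [
        (True, False, MANUAL_NAT, "VPN up, manual NAT"),
        (False, False, AUTOMATIC_NAT, "VPN down, default gateway handling, automatic NAT"),
        (False, False, MANUAL_NAT, "VPN down, default gateway handling, manual NAT"),
        (False, True, MANUAL_NAT, "VPN down, skip rules when gateway down, manual NAT"),
    ]:
        print(f"{label}: {opt1_egress(vpn_up, skip, nat)}")
```

The third case is the one to notice: removing the OPT1 subnet from the WAN outbound NAT rule keeps OPT1 clients from ever appearing on the internet with the ISP address, but it does not stop their packets from leaving on WAN when the gateway is stripped from the rule; only the skip option (or an explicit block rule that does not depend on the gateway) gives a real kill switch. When testing on the real box, bring the OpenVPN client down and confirm from an OPT1 client that nothing gets out, and check the OpenVPN client's "Don't pull routes" option so the provider's pushed default route does not drag LAN traffic into the tunnel as well.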