Route all traffic thru VPN, except for modem gui access



  • Long time lurker, first(ish) time poster.

    I have exhausted my (albeit slight) knowledge on the subject, and my searches haven’t turned up any answers for me either.  I am hopeful that one of the super users on here can help me out.

    First, let me say that I run ALL traffic into/out of my network thru a VPN (Private Internet Access to be exact), and if the VPN is down, so is connectivity.  This was set up per the instructions on the PIA site (https://www.privateinternetaccess.com/pages/client-support/pfsense).  This has to be maintained, so if what I am asking below is not possible with this then please inform me so.

    I am trying to be able to access my modem (Motorola sb6120) on ip 192.168.100.1, which is the default IP.  I am able to ping it from the PFSense box, but for the life of me I cannot get it set up correctly so that I can access it from any machine inside my network.  I attempted to follow the guide (Accessing modem from inside firewall), but regardless of how many times I try I cannot get it to work for me.  I try and create a new OPT2 interface, using the same port (em1 in my case) as the WAN, but it throws an error about it being used twice.  I am sure that I am missing something obvious, but don’t know enough to make it work.

    Thoughts?  I can provide screenshots, or whatever is needed.

    Thanks!



  • The guide you mentioned is for accessing modems connected via PPPoE. Here you can use the interface port for PPPoE and additional for IP. But in your case, you have it already in use for IP.

    Your problem is that you get pushed the default route from your VPN provider to use the VPN as default gateway. So pfSense routes any traffic over the VPN.
    To solve, add a firewall pass rule to your LAN interface, for destination enter your modem's IP, display the advanced options, go down to gateway and select the WAN gateway, which should be your modem, I think.
    If the WAN GW isn't your modem's internal IP, add it as gateway at first in System > Routing and use this gateway in the firewall rule.
    Put this rule to the top of the rule set.



  • @viragomann:

    The guide you mentioned is for accessing modems connected via PPPoE. Here you can use the interface port for PPPoE and additional for IP. But in your case, you have it already in use for IP.

    Your problem is that you get pushed the default route from your VPN provider to use the VPN as default gateway. So pfSense routes any traffic over the VPN.
    To solve, add a firewall pass rule to your LAN interface, for destination enter your modem's IP, display the advanced options, go down to gateway and select the WAN gateway, which should be your modem, I think.
    If the WAN GW isn't your modem's internal IP, add it as gateway at first in System > Routing and use this gateway in the firewall rule.
    Put this rule to the top of the rule set.

    viragomann: Sorry to potentially hijack, but what you're describing here is exactly what I've been doing in a different scenario, and which is no longer working for some reason. Can you have a look here at this thread and see if you have any ideas?

    https://forum.pfsense.org/index.php?topic=113627.0

    Thank you.



  • Fixed my issue noted above by deleting Squid. Everything working fine once again.



  • @viragomann:

    If the WAN GW isn't your modem's internal IP, add it as gateway at first in System > Routing and use this gateway in the firewall rule.

    My WAN IP is set as my ISP provided IP.  When I go and try to add the route, I get the following error:
    The following input errors were detected:
    The gateway address 192.168.100.1 does not lie within one of the chosen interface's subnets.

    Thanks.



  • So your modem isn't your WAN gateway?

    To get this, please post a diagram of your network from WAN to pfSense.

    What is your WAN subnet?



  • The physical connections I have are as follows:
    Modem (surfboard 6120) - 1 Intel NIC (WAN) - 1 Intel NIC (LAN) - Managed gigabit switch - everything else

    The WAN interface is my external IP assigned from my ISP.  In the routing table, I have the following:
    WAN_DHCP (default) WAN 1X7.1X7.XXX.1 1X7.1X7.XXX.1 Interface WAN_DHCP Gateway

    Thanks.



  • Did you try to use Virtual IP?
    Add VIP with /24 net to WAN interface.
    Add topmost rule to LAN interface:
    Proto ANY
    From LAN net
    To 192.168.100.0/24
    Check.



  • I did try and do that, but either flubbed up the firewall rules, or am completely useless.



  • Hmm.
    And what states say?
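Checking the state table is the right next step: the script below (added here, not posted by anyone in the thread) parses `pfctl -ss` output and reports whether connections to the modem leave on the WAN NIC (em1) or are still following the VPN default route. The `ovpnc` interface-name prefix and the exact `pfctl -ss` line layout are assumptions, and the sample state lines are constructed, not captured from the poster's box.

```python
import re

MODEM_IP = "192.168.100.1"   # modem address from the thread
WAN_IF = "em1"               # poster's WAN NIC, from the thread
VPN_IF_PREFIX = "ovpnc"      # assumption: pfSense OpenVPN client interfaces are ovpncN

# One pfctl -ss line: iface proto src [(pre-NAT src)] -> dst   or   dst <- src, then state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+(?P<state>\S+)\s*$"
)

def host_of(endpoint):
    """Strip the port from an 'addr:port' endpoint."""
    return endpoint.rsplit(":", 1)[0]

def parse_states(text):
    """Parse pfctl -ss output into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (STATE_RE.match(l.strip()) for l in text.splitlines()) if m]

def outbound_ifaces_to(states, dst_ip):
    """Count outbound ('->') states per interface whose destination host is dst_ip."""
    counts = {}
    for s in states:
        if s["dir"] == "->" and host_of(s["right"]) == dst_ip:
            counts[s["iface"]] = counts.get(s["iface"], 0) + 1
    return counts

def modem_path_verdict(text, modem_ip=MODEM_IP, wan_if=WAN_IF):
    """'wan'  = modem traffic leaves on the WAN NIC as intended,
       'vpn'  = it still follows the VPN default route (rule/gateway not applied),
       'none' = no outbound state at all (rule not matching, or blocked)."""
    counts = outbound_ifaces_to(parse_states(text), modem_ip)
    if wan_if in counts:
        return "wan"
    if any(i.startswith(VPN_IF_PREFIX) for i in counts):
        return "vpn"
    return "none" if not counts else "other"

# Constructed sample state tables (inbound LAN state on em0, outbound state elsewhere).
SAMPLE_VIA_VPN = """\
em0 tcp 192.168.100.1:80 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.2:51234 (192.168.1.10:51234) -> 192.168.100.1:80       SYN_SENT:CLOSED
ovpnc1 udp 10.8.0.2:41000 (192.168.1.10:41000) -> 1.1.1.1:53       MULTIPLE:SINGLE
"""
SAMPLE_VIA_WAN = """\
em0 tcp 192.168.100.1:80 <- 192.168.1.10:51234       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.100.2:51234 (192.168.1.10:51234) -> 192.168.100.1:80       ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    print(modem_path_verdict(SAMPLE_VIA_VPN))  # vpn
    print(modem_path_verdict(SAMPLE_VIA_WAN))  # wan
```

A verdict of "vpn" means the pass rule with the WAN gateway (or the VIP route) is not being hit; "none" with the em0 state present points at the rule order or a block further down the LAN rule set.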