Netgate Discussion Forum
    OpenVPN: block some IPs From the VPN interface Outbound traffic

    OpenVPN
    14 Posts 4 Posters 3.3k Views
    XmickS

      Hello,

      I want to stream my media movies outside my network to some friends. But for some reason my upload speed is reduced a lot when using the VPN client (like 1 Mbit/s). For that reason I want to send some devices/IPs/traffic NOT through the tunnel.

      I have Emby server running on my freenasbox from which I will be streaming. IP of the server is 10.0.8.22, LAN network 10.0.8.0/24

      My thought is to make a NAT rule to: Source != EmbyAlias to go through the OpenVPN interface. But I can only select: any, network or this firewall. For the normal setup I would duplicate all of the nat rules and change the interface to OpenVPN client interface.

      Hope somebody can help me.

      viragomann

        NAT rules can not direct traffic to a specific gateway, they are just for translating source or destination addresses and ports.

        You have to use firewall rules for this.

        XmickS

          @viragomann:

          NAT rules can not direct traffic to a specific gateway, they are just for translating source or destination addresses and ports.

          You have to use firewall rules for this.

          So if I block specific traffic to the VPN interface, will it try another interface, the WAN interface?

          Otherwise, how should I set up the rules so that I get the result I want?

          XmickS

            I have the server on a dedicated Ethernet LAN port of my pfSense box.

            Derelict (Netgate)

              Your LAN rules have a default rule that is routing traffic to the VPN gateway.

              Above that rule, place one with source EmbyAlias and destination any, but set the gateway to default.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              XmickS

                @Derelict:

                Your LAN rules have a default rule that is routing traffic to the VPN gateway.

                Above that rule, place one with source EmbyAlias and destination any, but set the gateway to default.

                Maybe a nooby question but where is this rule listed? Is it in the Firewall rules under LAN?

                ddarlington36

                  Sounds like you want one specific IP to be routed via your gateway and not through the VPN gateway.

                  Add route-nopull to the Advanced Configuration settings of the VPN
                  Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the VPN Gateway.
                  Move this new rule to the top of the list.

                  XmickS

                    @ddarlington36:

                    Sounds like you want one specific IP to be routed via your gateway and not through the VPN gateway.

                    Add route-nopull to the Advanced Configuration settings of the VPN
                    Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the VPN Gateway.
                    Move this new rule to the top of the list.

                    I've added 'route-nopull' to the additional config of the client and added a Block rule for the alias with the VPN gateway. But with 'route-nopull' added to the config, my other traffic isn't sent through the VPN gateway anymore.

                    Derelict (Netgate)

                      Block rules block traffic. You want to pass it with the gateway set to default, above the rule that passes traffic and sets the VPN gateway. The rules will need to be on the interface from which the connections are originated, like LAN.


                      XmickS

                        @Derelict:

                        Block rules block traffic. You want to pass it with the gateway set to default, above the rule that passes traffic and sets the VPN gateway. The rules will need to be on the interface from which the connections are originated, like LAN.

                        I don't see a (auto added) rule that's directing traffic to the vpn gateway. See the added image.

                        To set up my VPN client, I followed this guide: https://nld.privateinternetaccess.com/pages/client-support/pfsense  It's basically: set certificates, set VPN config and set NAT rules. The guide doesn't mention setting traffic/gateway rules. Do I need to add another rule to pass traffic to the VPN gateway?

                        Did I add the rules correctly? See image.

                        Thanks btw for helping me out!

                        [Attachment: Firewall rules LAN.PNG]

                        Derelict (Netgate)

                          Working up from the bottom:

                          You don't need the DHCP rules. DHCP is automatically passed on interfaces with a DHCP server enabled.

                          You should probably just add the VPN gateway to the default pass rule and delete the rule you added.

                          The WAN_DHCP rule would probably be better just using default as the gateway but should work if you have it like it is. I assume the alias you're using as the source address is the LAN IP address of the server you do not want using the VPN.

                          None of this will have any effect if you are still accepting a default route from your VPN provider. Don't add the route-nopull option. That walkthrough is out of date. Check the "Don't pull routes" checkbox in the OpenVPN client config instead.

                          Then clear states, bounce the VPN client, and test again.


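The rule order Derelict describes, written out as the pf ruleset that pfSense generates from the LAN tab. This is an added illustration by the editor, not something posted in the thread and not rules taken from this user's box or from pfSense's own output. The LAN interface name igb1, the OpenVPN client interface ovpnc1, the tunnel gateway 10.8.0.1 and the rule labels are assumptions; 10.0.8.22 and 10.0.8.0/24 are the addresses from the first post.

```pf
# Added illustration (not from the thread): the pf.conf that the two LAN
# rules described above boil down to. Interface names and the tunnel
# gateway are assumed; 10.0.8.22 and 10.0.8.0/24 come from the first post.

lan   = "igb1"       # assumed: LAN interface
ovpnc = "ovpnc1"     # assumed: OpenVPN client (tunnel) interface
vpngw = "10.8.0.1"   # assumed: remote end of the tunnel
table <EmbyAlias> { 10.0.8.22 }   # the firewall alias for the Emby server

# 1. Emby server: a plain pass rule with NO route-to. "Gateway: default" in
#    the GUI means the kernel routing table decides where the packet goes,
#    which is WAN as long as the VPN client is not allowed to install a
#    default route (the "Don't pull routes" checkbox, see the note below).
pass in quick on $lan inet from <EmbyAlias> to any keep state \
    label "USER_RULE: Emby out via WAN"

# 2. Everything else on LAN: route-to overrides the routing table for
#    matching packets and pushes them into the tunnel.
pass in quick on $lan route-to ( $ovpnc $vpngw ) inet \
    from 10.0.8.0/24 to any keep state \
    label "USER_RULE: LAN out via VPN"

# Ordering matters: pfSense adds "quick" to every user rule, so pf is
# first-match here. A stock "Default allow LAN to any" rule (same source,
# no route-to) placed above rule 2 would match all LAN traffic first and
# nothing would ever reach the route-to rule, which is the behaviour the
# last posts in the thread ran into.
```

Two things to check after putting the rules in this order. First, the OpenVPN client must not accept the pushed default route: in the pfSense client settings that is the "Don't pull routes" checkbox (older guides put `route-nopull` in the custom options box, which does the same thing at the OpenVPN level); if the default route is pulled, rule 1 sends the Emby host down the tunnel too, because the routing table itself now points at the VPN. Second, outbound NAT is needed on both egress interfaces: the PIA guide adds the NAT rule for the tunnel interface, and WAN still needs its own (automatic or hybrid outbound NAT) so the Emby host's traffic is translated when it leaves via WAN. Then reset states, restart the client, and compare the public address seen by an external "what is my IP" service from 10.0.8.22 and from another LAN host; `pfctl -sr | grep route-to` on the pfSense shell shows which rules actually carry a gateway.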
                          XmickS

                            I did as you said, but when I check the two checkboxes in the VPN client config page (which I have highlighted in the image), NONE of my traffic is routed to the VPN gateway. These are the checkboxes you mentioned, right? Should I check both checkboxes?

                            When no traffic is routed to the VPN gateway, that means that the LAN rules aren't correct, right?

                            See my other image to see if I have set the LAN rules the right way. The MICKHP alias is my laptop. I'm using this alias just for testing; this should be the server alias when everything is working.

                            Now that Netflix is blocking VPN services I think only more pfSense users will want to do the same thing I'm trying here.

                            [Attachment: openvpn settings.PNG]
                            [Attachment: Firewall rules LAN 2.PNG]

                            XmickS

                              Breakthrough!!!

                              I disabled the default "IPv4/6 any to any" rule and now everything is routed correctly!! I don't know why they were effective, but everything is working now.

                              Thank you very much for your help!

                              ddarlington36

                                That's a good thing to do when using a VPN. I have seen DNS leaks when using IPv6; I think it's UDP related, but not sure.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.