OpenVPN: block some IPs From the VPN interface Outbound traffic



  • Hello,

    I want to stream my media movies outside my network to some friends. But for some reason my upload speed is reduced a lot when using the VPN client (like 1 Mbps). For that reason I want to send some devices/IPs/traffic NOT through the tunnel.

    I have Emby server running on my freenasbox from which I will be streaming. IP of the server is 10.0.8.22, LAN network 10.0.8.0/24

    My thought is to make a NAT rule to: Source != EmbyAlias to go through the OpenVPN interface. But I can only select: any, network or this firewall. For the normal setup I would duplicate all of the nat rules and change the interface to OpenVPN client interface.

    Hope somebody can help me.



  • NAT rules can not direct traffic to a specific gateway; they are just for translating source or destination addresses and ports.

    You've to use firewall rules for this.



  • @viragomann:

    NAT rules can not direct traffic to a specific gateway; they are just for translating source or destination addresses and ports.

    You've to use firewall rules for this.

    So if I block specific traffic to the VPN interface, will it try another interface, the WAN interface?

    Else, how should I set up the rules so that I get the result I want?



  • I have the server connected to a dedicated Ethernet LAN port of my pfSense box.


  • Netgate

    Your LAN rules have a default rule that is routing traffic to the VPN gateway.

    Above that rule, place one that has source EmbyAlias, dest any, but set the gateway to default.



  • @Derelict:

    Your LAN rules have a default rule that is routing traffic to the VPN gateway.

    Above that rule, place one that has source EmbyAlias, dest any, but set the gateway to default.

    Maybe a newbie question, but where is this rule listed? Is it in the Firewall rules under LAN?



  • Sounds like you want one specific IP to be routed via your gateway and not through the VPN gateway.

    Add route-nopull to the Advanced Configuration settings of the VPN
    Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the VPN Gateway.
    Move this new rule to the top of the list.



  • @ddarlington36:

    Sounds like you want one specific IP to be routed via your gateway and not through the VPN gateway.

    Add route-nopull to the Advanced Configuration settings of the VPN
    Create a firewall rule for the specific computer on the LAN with an Advanced setting that specifically chooses the VPN Gateway.
    Move this new rule to the top of the list.

    I've added 'route-nopull' to the additional config of the client and added a Block rule for the alias with the VPN gateway. But with 'route-nopull' added to the config, my other traffic isn't sent through the VPN gateway anymore.


  • Netgate

    Block rules block traffic. You want to pass it with the gateway set to default, above the rule that passes traffic and sets the VPN gateway. The rules will need to be on the interface from which the connections are originated, like LAN.



  • @Derelict:

    Block rules block traffic. You want to pass it with the gateway set to default, above the rule that passes traffic and sets the VPN gateway. The rules will need to be on the interface from which the connections are originated, like LAN.

    I don't see an (auto added) rule that's directing traffic to the VPN gateway. See the added image.

    To set up my VPN client, I followed this guide: https://nld.privateinternetaccess.com/pages/client-support/pfsense It's basically: set certificates, set VPN config and set NAT rules. The guide doesn't mention setting traffic/gateway rules. Do I need to add another rule to pass traffic to the VPN gateway?

    Did I add the rules correctly? See image.

    Thanks btw for helping me out!

    ![Firewall rules LAN.PNG](/public/imported_attachments/1/Firewall rules LAN.PNG)


  • Netgate

    Working up from the bottom:

    You don't need the DHCP rules. DHCP is automatically passed on interfaces with a DHCP server enabled.

    You should probably just add the VPN gateway to the default pass rule and delete the rule you added.

    The WAN_DHCP rule would probably be better just using default as the gateway but should work if you have it like it is. I assume the alias you're using as the source address is the LAN IP address of the server you do not want using the VPN.

    None of this will have any effect if you are still accepting a default route from your VPN provider. Don't add the route-nopull option. That walkthrough is out of date. Check the "Don't pull routes" checkbox in the client OpenVPN config instead.

    Then clear states, bounce the VPN client, and test again.
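An added example (not from the thread or from pfSense itself): a small first-match model of the LAN rule set being discussed, showing why a block rule never redirects anything, why the bypass rule for the server must sit above the rule that sets the VPN gateway, and how a stock any-to-any pass rule left above them swallows all traffic. Aliases and gateway names follow the thread; the addresses and the simplified matching (no quick/floating-rule semantics) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Alias contents are constructed from the thread's LAN layout (10.0.8.0/24, server 10.0.8.22).
ALIASES = {
    "EmbyAlias": [ip_network("10.0.8.22/32")],
    "LAN net": [ip_network("10.0.8.0/24")],
}


@dataclass
class Rule:
    action: str               # "pass" or "block"
    source: str               # alias name from ALIASES, or "any"
    gateway: Optional[str]    # None = system default route (no policy routing)


def _matches(src_ip, source: str) -> bool:
    if source == "any":
        return True
    return any(src_ip in net for net in ALIASES[source])


def route(rules: List[Rule], src: str) -> str:
    """Walk the ordered rule list; the first matching rule decides (pfSense first-match)."""
    src_ip = ip_address(src)
    for r in rules:
        if _matches(src_ip, r.source):
            if r.action == "block":
                return "blocked"          # a block rule drops, it never re-routes
            return r.gateway or "default"
    return "blocked"                      # implicit default deny when nothing matches


# What Derelict recommends: server bypasses the VPN, everything else on LAN uses it.
WORKING = [Rule("pass", "EmbyAlias", "WAN_DHCP"),
           Rule("pass", "LAN net", "VPN_GW")]

# Same two rules in the wrong order: the VPN rule matches the server first.
WRONG_ORDER = list(reversed(WORKING))

# The OP's first attempt: a block rule "for the alias with the VPN gateway".
BLOCK_ATTEMPT = [Rule("block", "EmbyAlias", "VPN_GW"),
                 Rule("pass", "LAN net", "VPN_GW")]

# Stock "any to any" pass rule (no gateway) left above the policy rules.
DEFAULT_ANY_FIRST = [Rule("pass", "any", None)] + WORKING

if __name__ == "__main__":
    for name, rs in [("working", WORKING), ("wrong-order", WRONG_ORDER),
                     ("block", BLOCK_ATTEMPT), ("any-first", DEFAULT_ANY_FIRST)]:
        print(f"{name:12s} server -> {route(rs, '10.0.8.22'):9s} other LAN host -> {route(rs, '10.0.8.50')}")
```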



  • I did as you said, but when I check the two checkboxes in the VPN client config page (which I have highlighted in the image), NONE of my traffic is routed to the VPN gateway. These are the checkboxes you mentioned, right? Should I check both checkboxes?

    When no traffic is routed to the VPN gateway, that means that the LAN rules aren't correct, right?

    See my other image to see if I have set the LAN rules the right way. The MICKHP alias is my laptop. I'm using this alias just for testing; this should be the server alias when everything is working.

    Now that Netflix is blocking VPN services, I think only more pfSense users want to do the same thing I try here.

    ![openvpn settings.PNG](/public/imported_attachments/1/openvpn settings.PNG)
    ![Firewall rules LAN 2.PNG](/public/imported_attachments/1/Firewall rules LAN 2.PNG)



  • Breakthrough!!!

    I disabled the default "ipv4/6 any to any" rule and now everything is routed correctly!! Don't know why they were effective, but everything is working now.

    Thank you very much for your help!



  • That's a good thing to do when using a VPN. I have seen DNS leaks when using IPv6; I think it's UDP related, but not sure.