Netgate Discussion Forum
    Exclude sites from VPN connection?

    Off-Topic & Non-Support Discussion

    METDeath

      I'm using PIA VPN service and have the majority of my clients routed through the tunnel. A handful of clients are not, for ease of use/speed; these include dedicated media players, video game consoles, and location-dependent clients.

      However, lately I'm noticing several sites that kick back error messages when attempting to use them via VPN. I know this due to testing with a WAN only client at the time of the error.

      How can I go about adding specific site exceptions that will properly work based on a URL or IP?

      Examples are:
      papajohns.com (sometimes works, sometimes nothing)
      spg.com (403 error)
      craigslist.org (claims banned IP)

      pfSense on AMD AM1 5350 with IBM/Intel PRO/1000 Quad port Gigabit NIC


        phil.davis

        I assume that your default gateway is the VPN uplink, or you have a "catch-all" rule at (or near) the end of the LAN rules that passes most "default" traffic and specifies the PIA VPN gateway.

        1. Make an alias "special" for the things you want to direct away from the VPN - it can include URLs and IPs.

        2. Add a rule near the top of the LAN rules to pass traffic with destination "special" and specify gateway as the ordinary gateway on WAN.

        I think it is that easy - the rule will push the traffic out the ordinary WAN, the default NAT on the way out will give the traffic a source IP of the ordinary WAN address, so return traffic will come to the ordinary WAN address…

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/


          q54e3w
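        As an added illustration (not code from any poster or from pfSense itself), a Python model of how the two rules above are evaluated: pfSense applies LAN rules top-down and the first match wins, so the alias exception has to sit above the VPN catch-all or it never fires. The alias contents, gateway names and test addresses are constructed; in practice a hostname alias only covers the IPs pfSense last resolved, so an address it missed still takes the VPN.

```python
import ipaddress

# Constructed alias table. pfSense resolves hostname entries in an alias to IPs
# on a schedule; the addresses below are made-up stand-ins for what a lookup of
# the sites in the question might return at one moment in time.
ALIASES = {
    "special": ["203.0.113.10", "198.51.100.0/24"],
}

def destination_networks(dst):
    """Expand an alias name, or a literal host/CIDR, into ip_network objects."""
    entries = ALIASES[dst] if dst in ALIASES else [dst]
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def rule_matches(rule, dst):
    """True if the destination address falls inside the rule's destination."""
    if rule["dst"] == "any":
        return True
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in net for net in destination_networks(rule["dst"]))

def select_gateway(rules, dst):
    """First matching LAN rule wins, as with pf 'quick' rules; 'default'
    means no policy route applied and the system routing table decides."""
    for rule in rules:
        if rule_matches(rule, dst):
            return rule["gateway"]
    return "default"

def shadowed_rules(rules):
    """Destinations of rules that can never match because an earlier
    catch-all ('any') rule already swallows all traffic."""
    for i, rule in enumerate(rules):
        if rule["dst"] == "any":
            return [r["dst"] for r in rules[i + 1:]]
    return []

# Suggested order: alias exception first, VPN catch-all last.
LAN_RULES = [
    {"dst": "special", "gateway": "WAN_GW"},
    {"dst": "any", "gateway": "PIA_VPN_GW"},
]
# Common mistake: exception added below the catch-all, so it is never hit.
LAN_RULES_SHADOWED = list(reversed(LAN_RULES))

if __name__ == "__main__":
    print(select_gateway(LAN_RULES, "203.0.113.10"))           # WAN_GW
    print(select_gateway(LAN_RULES, "192.0.2.44"))             # PIA_VPN_GW
    print(select_gateway(LAN_RULES_SHADOWED, "203.0.113.10"))  # PIA_VPN_GW
    print(shadowed_rules(LAN_RULES_SHADOWED))                  # ['special']
```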

          Yup, it's that easy - worth also thinking about using pfBlockerNG to maintain the lists, which allows use of AS numbers, which can be helpful for larger sites etc.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.