Netgate Discussion Forum

    How to let ONLY ONE interface use VPN?

    OpenVPN
    pfBasic Banned

      My pfsense router has been using only one interface that routes all traffic through a VPN.

      As more and more sites block VPN IP's, I need to be able to easily and routinely bypass my VPN.

      I got another WiFi AP and turned on my other Interface. Everything is setup but this interface is still using the VPN. I used https://forum.pfsense.org/index.php?topic=76015.0 to configure my router for PIA VPN.

      My first guess is that my outbound NAT rules are still forcing traffic through the VPN? So I changed the manual rules to switch the interface from the VPN to the WAN ( I use the hybrid manual+automatic outbound NAT option). This simply killed the internet, I also tried simply disabling those manual rules hoping that the automatic NAT rules would just work, but still no internet.

      So how can I keep my main interface routing all traffic through my VPN while adding an additional interface that does not use the VPN at all?

      Derelict LAYER 8 Netgate

        Outbound NAT does not route traffic. Policy routing and the routing table (default gateway, static routes) do.

        All outbound NAT does is determine what happens to the source address/port when certain traffic is sent out an interface by policy routing/routing table.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        pfBasic Banned

          How can I change that to get my other interface to not use the VPN at all?

          Derelict LAYER 8 Netgate

            Don't set up gateway groups and policy route one interface to the VPN.


            pfBasic Banned

              Could you tell me specifically how to do that? I don't know what I'm doing.

              Under System>Routing>Gateway Groups, I don't have anything configured.

              I don't know what you mean by policy route one interface to the VPN? What does this mean and how do I do it?

              Derelict LAYER 8 Netgate

                Try using those as search terms first. Really not in the mood to explain it again.


                pfBasic Banned

                  I have and from what I gather under my firewall rules I open the advanced options and select a specific gateway. I've selected WAN as the gateway for the firewall rules that I want to bypass the VPN, but it doesn't work, as soon as I do this the internet no longer works on that interface. When I change the Gateway back to default then it works again.

                  I've also read to select "Don't Pull Routes" in my OpenVPN client configuration, but this also kills my internet.

                  Is this what you were suggesting? If not I'm at a loss. If so… I'm still at a loss as it doesn't seem to work, any other suggestions or am I simply doing it wrong?

                  Derelict LAYER 8 Netgate

                    Post what you have done. Far easier than trying to guess.


                    pfBasic Banned

                      Also, under Outbound NAT rules, if I disable my manual rules "PIAVPN - 192.168.16.0/24 - * - * - (* & 500) - PIAVPN address - *" or change the interface to WAN (Auto rules already include it under WAN interface) then it kills the internet on that interface. If I re-enable those rules then the interface works (provided I'm still routing traffic through the VPN).

                      I don't know if this is helpful but those outbound NAT rules are definitely affecting my connection and are only working when configured for the VPN interface.

                      Derelict LAYER 8 Netgate

                        If you disable outbound NAT on an interface you disable outbound NAT on an interface. If you need outbound NAT on that interface that breaks it. Why is this surprising?


                        pfBasic Banned

                          @Derelict:

                          Post what you have done. Far easier than trying to guess.

                          As my configuration is now, I have an OpenVPN client configured per the link in the original post.

                          I have hybrid outbound NAT rules (manual rules configured for VPN interface).

                          My firewall rules on the interface do not currently specify a gateway as it was not working when I specified WAN gateway.

                          I have no gateway groups configured and do not have "don't pull routes" selected.

                          In this configuration all interfaces work but all interfaces also route all traffic through the VPN.

                          Derelict LAYER 8 Netgate

                            Screen shots. Real data. Not interested in what you think you have done. Interested in what you have done.

                            Get your stuff into a mode where you THINK it should be working and post it.

                            Oh, and this: https://forum.pfsense.org/index.php?topic=120295.0


                            pfBasic Banned

                              @Derelict:

                              If you disable outbound NAT on an interface you disable outbound NAT on an interface. If you need outbound NAT on that interface that breaks it. Why is this surprising?

                              Well this is all new to me but it surprised me because the automatic outbound NAT rules still included the subnet on the WAN interface, all I was doing was disabling the outbound NAT rule for the VPN interface (since I don't want that subnet to use the VPN). So I thought that by doing that it would simply use the WAN and skip the VPN.

                              I posted a picture as to what I'm talking about. I blacked out everything but the rules for the subnet I'm trying to bypass the VPN with. The top rules under mappings are the ones I was disabling. I thought that since the subnet was included under the bottom automatic rules that it would still NAT over the WAN interface?

                              [attachment: Untitled.png]

                              Derelict LAYER 8 Netgate

                                It DOES NOT MATTER what subnets are included in outbound NAT rules. They only have an effect when traffic IS ROUTED OUT THAT INTERFACE by policy routing or the routing table. They DO NOT have ANY bearing on what traffic goes where. Only what NAT is performed when traffic flows that way.


                                pfBasic Banned

                                  @Derelict:

                                  Screen shots. Real data. Not interested in what you think you have done. Interested in what you have done.

                                  Get your stuff into a mode where you THINK it should be working and post it.

                                  Oh, and this: https://forum.pfsense.org/index.php?topic=120295.0

                                  Here are some more screens of what I have. The Outbound NAT rules in the top mappings section of the other screenshot I posted are currently disabled.

                                  This is what I thought would work, but no internet routes on the interface that I want to bypass the VPN in this configuration. I get a "this site took too long to respond error".

                                  [attachments: Untitled.png, un1.png, un2.png]

                                  pfBasic Banned

                                    @Derelict:

                                    It DOES NOT MATTER what subnets are included in outbound NAT rules. They only have an effect when traffic IS ROUTED OUT THAT INTERFACE by policy routing or the routing table. They DO NOT have ANY bearing on what traffic goes where. Only what NAT is performed when traffic flows that way.

                                    So would this mean that I can disable those manual outbound NAT rules safely (as they aren't ever going to do anything that I want)? And then policy route all traffic on the interface I want to bypass the VPN to my WAN interface (and the automatic outbound NAT rules would handle the NAT through WAN)?

                                    If I understood that correctly then it sounds like my issue is that I'm not correctly doing policy routing? I've tried adding my WAN interface as the gateway on all of my rules on my "GUEST" interface (the one I want to bypass VPN), but then the internet simply doesn't work.

                                      Derelict LAYER 8 Netgate

                                      Your pass rule passing traffic to NETWAN is TCP-only. That is almost certainly not what you want. Try protocol any there.

                                      I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?

                                      Traffic to your Outgoing Ports will go out the default gateway, not the VPN.


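The two points Derelict makes in this thread (outbound NAT only rewrites the source of traffic that is already leaving an interface, and the pass rule that steers an interface must carry a gateway and must not be TCP-only) can be checked mechanically against what pf actually loaded. The script below is an added example, not code from the thread or from pfSense: it parses text in the shape `pfctl -sr` (filter rules) and `pfctl -sn` (NAT rules) print on pfSense, but the rule dumps embedded here are constructed samples, and the interface names, subnets and gateway addresses (igb0 = WAN, igb1 = LAN via PIA, igb2 = GUEST bypassing the VPN, ovpnc1 = tunnel) are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): verify the "LAN via VPN,
# GUEST direct" design from rule dumps. ASSUMED names: igb0 = WAN (gw 203.0.113.1),
# igb1 = LAN 192.168.1.0/24 (should go via PIA), igb2 = GUEST 192.168.16.0/24
# (should bypass the VPN), ovpnc1 = PIA tunnel (gw 10.8.0.1).
# The dumps below are CONSTRUCTED samples in `pfctl -sr` / `pfctl -sn` format.

# Broken state described in the thread: LAN rule has no route-to (it only reaches the
# VPN because the client pulled a default route), GUEST rule is TCP-only.
RULES_BROKEN='pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
pass in quick on igb2 route-to (igb0 203.0.113.1) inet proto tcp from 192.168.16.0/24 to any flags S/SA keep state label "USER_RULE: GUEST via WAN"'

# Intended state: every pass rule names its egress gateway and is protocol any.
RULES_FIXED='pass in quick on igb1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN via PIA"
pass in quick on igb2 route-to (igb0 203.0.113.1) inet from 192.168.16.0/24 to any flags S/SA keep state label "USER_RULE: GUEST via WAN"'

# Outbound NAT: both subnets on WAN (automatic rules), LAN also on the tunnel (manual rule).
NAT_RULES='nat on igb0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on igb0 inet from 192.168.16.0/24 to any -> 203.0.113.10 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535'

# For every "pass in quick on <iface>" rule print "<egress> <proto>": egress is the
# route-to interface or "default" (routing table decides); proto is "any" if unrestricted.
rule_egress() {  # $1 = ingress interface, $2 = `pfctl -sr` text
  printf '%s\n' "$2" | awk -v ifc="$1" '
    $1 == "pass" && $4 == "on" && $5 == ifc {
      gw = "default"; proto = "any"
      for (i = 6; i <= NF; i++) {
        if ($i == "route-to") { gw = $(i + 1); sub(/^\(/, "", gw) }
        if ($i == "proto")    { proto = $(i + 1) }
      }
      print gw, proto
    }'
}

# 0 if every pass rule on $1 policy-routes to $2 with no protocol restriction, else 1.
check_bypass() {  # $1 = ingress interface, $2 = expected egress interface, $3 = `pfctl -sr` text
  n=0; bad=0
  for pair in $(rule_egress "$1" "$3" | tr ' ' ':'); do
    n=$((n + 1))
    gw=${pair%%:*}; proto=${pair##*:}
    if [ "$gw" != "$2" ] || [ "$proto" != "any" ]; then bad=$((bad + 1)); fi
  done
  if [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}

# 0 if a NAT rule exists on egress interface $1 for source subnet $2, else 1.
# NAT is only consulted on the interface the packet actually leaves through.
nat_present() {  # $1 = egress interface, $2 = source subnet, $3 = `pfctl -sn` text
  printf '%s\n' "$3" | awk -v ifc="$1" -v net="$2" '
    $1 == "nat" && $3 == ifc && $6 == net { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Whole design: LAN steered to the tunnel, GUEST steered to WAN, NAT on each egress path.
check_design() {  # $1 = `pfctl -sr` text, $2 = `pfctl -sn` text
  check_bypass igb1 ovpnc1 "$1" && nat_present ovpnc1 192.168.1.0/24 "$2" &&
  check_bypass igb2 igb0   "$1" && nat_present igb0   192.168.16.0/24 "$2"
}

check_design "$RULES_BROKEN" "$NAT_RULES" && echo "broken ruleset: PASS" || echo "broken ruleset: FAIL (expected)"
check_design "$RULES_FIXED"  "$NAT_RULES" && echo "fixed ruleset: PASS"  || echo "fixed ruleset: FAIL"
```

On a real firewall replace the constructed strings with `"$(pfctl -sr)"` and `"$(pfctl -sn)"`. Note that `nat_present ovpnc1 192.168.16.0/24` is deliberately not part of the design check: a NAT rule for the GUEST subnet on the tunnel is harmless but pointless once no rule routes GUEST traffic there, which is exactly why disabling it never moved any traffic.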
                                        pfBasic Banned

                                        @Derelict:

                                        Your pass rule passing traffic to NETWAN is TCP-only. That is almost certainly not what you want. Try protocol any there.

                                        I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?

                                        Traffic to your Outgoing Ports will go out the default gateway, not the VPN.

                                         I rearranged it like this, applied, and reset the state tables, but am still getting the same error?

                                         [attachment: un2.png]

                                          pfBasic Banned

                                          @Derelict:

                                          I see nothing that policy routes traffic out PIAVPN_GW. What traffic do you expect to be routed that way?

                                          I don't want anything on this interface to go through the PIAVPN gateway, I want everything on this interface to completely bypass the VPN.

                                          Currently everything goes through PIAVPN Gateway (or doesn't work at all). I haven't needed to use any policy routing for it to work that way, everything just goes through the VPN.

                                            Derelict LAYER 8 Netgate

                                            Be more specific. What error? Exactly what are you trying to connect to from where?

                                            It matters what DNS servers your clients are being told to use.

                                            Enable DON'T PULL ROUTES in the OpenVPN Client Config.

                                             It is usually better to route the traffic you want to go over the VPN over the VPN, not route the traffic you don't want the other way.


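Why "everything just goes through the VPN" with no policy routing at all, and what DON'T PULL ROUTES changes, is visible in the routing table rather than in the firewall rules: the OpenVPN client accepts the provider's pushed redirect-gateway, which installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, and those two halves beat the existing default route on longest-prefix match. The script below is an added example, not part of the thread or of pfSense: it does a longest-prefix lookup over text in the shape of FreeBSD `netstat -rn -f inet`, and checks a client config for the `route-nopull` directive that the checkbox produces. The two routing tables, the config fragments, the interface names and the addresses are constructed/assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense). ASSUMED names: igb0 = WAN,
# igb1 = LAN, igb2 = GUEST, ovpnc1 = PIA tunnel. Both tables are CONSTRUCTED in the
# column layout of `netstat -rn -f inet` on pfSense/FreeBSD.

# Routes pulled from the provider: redirect-gateway def1 adds the two /1 halves.
RT_PULLED='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
10.8.0.0/24        link#8             U        ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U          igb1
192.168.16.0/24    link#3             U          igb2
203.0.113.0/24     link#1             U          igb0'

# Same box with "Don't pull routes": the tunnel is up but carries nothing unless a
# firewall rule route-to's it.
RT_NOPULL='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
10.8.0.0/24        link#8             U        ovpnc1
192.168.1.0/24     link#2             U          igb1
192.168.16.0/24    link#3             U          igb2
203.0.113.0/24     link#1             U          igb0'

# Constructed fragments of the generated client config, without and with the option.
OVPN_DEFAULT='client
dev ovpnc1
remote vpn.example.net 1194 udp
auth-user-pass /var/etc/openvpn/client1.up'
OVPN_NOPULL="$OVPN_DEFAULT
route-nopull"

# Longest-prefix match: print the Netif the kernel picks for destination $1 in table $2.
# (The routing table is only consulted when no route-to rule already chose a gateway.)
route_lookup() {  # $1 = destination IPv4, $2 = `netstat -rn -f inet` text
  printf '%s\n' "$2" | awk -v dst="$1" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function prefix(n, bits,  m) { m = 2 ^ (32 - bits); return int(n / m) * m }
    BEGIN { col = 4; best = -1; d = ip2n(dst) }
    $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
    $1 == "default" { if (best < 0) { best = 0; nif = $col }; next }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
      bits = (split($1, p, "/") == 2) ? p[2] + 0 : 32
      if (prefix(d, bits) == prefix(ip2n(p[1]), bits) && bits > best) { best = bits; nif = $col }
    }
    END { if (best < 0) print "unreachable"; else print nif }'
}

# 0 if the table carries the redirect-gateway def1 halves (routes were pulled), else 1.
routes_pulled() {  # $1 = routing table text
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" { f = 1 } END { exit f ? 0 : 1 }'
}

# 0 if the OpenVPN client config contains route-nopull (what DON'T PULL ROUTES writes), else 1.
client_nopull() {  # $1 = openvpn client config text
  printf '%s\n' "$1" | grep -q '^route-nopull$'
}

for ip in 8.8.8.8 198.51.100.7 192.168.16.5; do
  printf '%-14s pulled=%-7s nopull=%s\n' "$ip" \
    "$(route_lookup "$ip" "$RT_PULLED")" "$(route_lookup "$ip" "$RT_NOPULL")"
done
```

With routes pulled, any Internet destination resolves to ovpnc1 even though `default` still points at WAN, which is why every interface went through PIA without a single gateway set on a rule. After `route-nopull` the table sends everything out igb0, so the only way LAN traffic reaches the tunnel is a pass rule on the LAN interface with the PIA gateway selected; GUEST then needs no special rule at all.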
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.