Netgate Discussion Forum

    Selective routing and selective internet routing

    OpenVPN
    6 Posts 2 Posters 1.1k Views

    ptclabs

      I have a site-to-site VPN set up that accesses the remote subnet just fine. This is accomplished by using route commands in client overrides, as different ones go to different subnets. My problem is I want to add one internet route to go through the tunnel also.

      So it would be from client vpn tunnel, to server tunnel, to intranet and back again.

      The iroute to the client side works fine, so I can ping both ways. The intranet address with the route command gets routed through the tunnel but does not make it back. It has DNS resolution to the IP; tracert just never makes it past the server VPN address. Any ideas?

      Derelict (Netgate)

        Might be the need to have Outbound NAT in place for the OpenVPN client source address out WAN. When you use "Remote Networks" in the server config, Automatic Outbound NAT has something to look for. When you use route commands and push route commands in the advanced and client-specific settings it has no idea what's where.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        ptclabs

          Thank you for your suggestion.
          OpenVPN net: 77.0
          local: 35.0
          OpenVPN client actual network: 1.0

          There is an auto-added rule in outbound NAT for the 77.0 network going to the internet address. Are you saying we should try to add one for the 1.0 network also?

          From the pfSense you can ping internet stuff using the OpenVPN network in Diagnostics tools.

          The only other thing I can think of is that I did not add an interface for the OpenVPN connection. Everything local works fine, just no internet resolution.

          Derelict (Netgate)

            If the traffic is leaving WAN sourced from 1.0 you need an outbound NAT rule for it.


            ptclabs

              EDIT: After thinking about it for a while and setting it to the WAN interface instead of OpenVPN, it works.

              Thank you very much for your help.

              Thank you again for your suggestion.
              I added an outbound NAT rule of:
              interface: VPN (THIS WAS WRONG)
              source: 1.0/24
              any / any / any
              destination: VIP
              any

              Still nothing.

              Derelict (Netgate)

                Yeah. Outbound NAT on WAN. Good deal.


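The three states the thread goes through (no rule for the client's real LAN, a rule bound to the OpenVPN interface, then the working rule on WAN) can be reproduced with a small model of first-match outbound NAT. This is an added example, not pfSense or pf code, and it assumes that the posters' shorthand "77.0", "35.0" and "1.0" means 192.168.77.0/24, 192.168.35.0/24 and 192.168.1.0/24, and that the interfaces are named `wan` and `ovpns1`; every address and rule in it is constructed sample data. The `as_pf` method renders the equivalent pf.conf line so the result can be compared with what Firewall > NAT > Outbound actually generates.

```python
"""Added example (not pfSense's own code): a model of how outbound NAT
rules are matched, showing why a subnet learned only through route/iroute
client overrides leaves WAN untranslated until a manual Outbound NAT rule
on WAN covers it.

Assumptions: "77.0", "35.0" and "1.0" from the thread are read as
192.168.77.0/24, 192.168.35.0/24 and 192.168.1.0/24, and the interfaces
are called 'wan' and 'ovpns1'. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

WAN_IF = "wan"        # assumed WAN interface name
OVPN_IF = "ovpns1"    # assumed OpenVPN server interface name

TUNNEL_NET = ip_network("192.168.77.0/24")  # OpenVPN tunnel network ("77.0")
LAN_NET = ip_network("192.168.35.0/24")     # server-side LAN ("35.0")
CLIENT_LAN = ip_network("192.168.1.0/24")   # client's real LAN ("1.0")


@dataclass(frozen=True)
class NatRule:
    interface: str        # interface the packet leaves on
    source: IPv4Network   # source network the rule translates
    target: str           # "wan-address" or a VIP label

    def as_pf(self) -> str:
        """Equivalent pf.conf line, for comparison with what pfSense writes."""
        tgt = f"({self.interface})" if self.target == "wan-address" else self.target
        return f"nat on {self.interface} inet from {self.source} to any -> {tgt}"


def automatic_outbound_nat(interface_nets, remote_networks):
    """Approximates Automatic Outbound NAT: one WAN rule per network pfSense
    knows about, i.e. interface networks (tunnel network included) plus
    anything entered in the OpenVPN server's 'Remote Networks' field.
    Networks pushed only via route/iroute in the advanced or
    client-specific boxes are in neither list, so they get no rule."""
    return [NatRule(WAN_IF, net, "wan-address")
            for net in list(interface_nets) + list(remote_networks)]


def find_nat(rules, egress_if, src_ip):
    """First-match lookup, the way pf evaluates NAT rules. Returns None when
    the packet would leave egress_if with its original source address."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.interface == egress_if and src in rule.source:
            return rule
    return None


def egress_translated(rules, src_ip):
    """True if an Internet-bound packet from src_ip is NATed on WAN."""
    return find_nat(rules, WAN_IF, src_ip) is not None


def thread_scenario():
    """Walks the states described in the thread and returns the results."""
    auto = automatic_outbound_nat([TUNNEL_NET, LAN_NET], remote_networks=[])
    wrong_if = auto + [NatRule(OVPN_IF, CLIENT_LAN, "vip")]   # first attempt
    fixed = auto + [NatRule(WAN_IF, CLIENT_LAN, "vip")]       # working rule
    via_remote_nets = automatic_outbound_nat([TUNNEL_NET, LAN_NET],
                                             remote_networks=[CLIENT_LAN])
    return {
        "tunnel_client_auto": egress_translated(auto, "192.168.77.6"),
        "client_lan_auto": egress_translated(auto, "192.168.1.20"),
        "client_lan_wrong_if": egress_translated(wrong_if, "192.168.1.20"),
        "client_lan_fixed": egress_translated(fixed, "192.168.1.20"),
        "client_lan_remote_networks": egress_translated(via_remote_nets, "192.168.1.20"),
        "fixed_rule_pf": fixed[-1].as_pf(),
    }


if __name__ == "__main__":
    for name, value in thread_scenario().items():
        print(f"{name}: {value}")
```

The model also shows the alternative Derelict mentions: listing 1.0/24 under "Remote Networks" in the server settings gives Automatic Outbound NAT the entry it needs, so no manual rule is required in that case. Note that a rule bound to the OpenVPN interface never matches, because the Internet-bound packet leaves on WAN, not on the tunnel interface.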
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.