VLAN cannot connect to internet when VPN is up



  • Total pfsense noob, so apologize if this is an easy one or if I don't give enough or the right info.

    Just upgraded from a DD-WRT install on a Netgear R7000 to a pfsense instance running on a Qotom J1900 with the 2 core broadwell CPU, a Ubiquiti Unifi AP AC LR, a TP-Link SG-108e (which may get replaced soon since I now understand far more about VLANs…) and a Private Internet Access VPN account.

    To start I am attempting to merely replicate the setup I had with the DD-WRT setup, just with better performance and logging / IDS:

    • Private net (wired and wireless): 192.168.1.0 / 24 with 192.168.1.1 - 192.168.1.49 not routed through VPN (for streaming devices mainly) and .50 - .254 routed through VPN.
    • Guest net (wireless only): 192.168.20.0 / 24

    I have followed the firewall / NAT rule setup for the VLAN described here: https://nguvu.org/pfsense/pfsense-2.3-setup/
    I have followed the firewall / NAT rule setup for the VPN described here: https://forum.pfsense.org/index.php?topic=76015.0
    I have setup the selective routing through the VPN of the private network as described here: https://forum.pfsense.org/index.php?topic=105810.0

    I am 99% there, with what seems to be just one remaining issue: The VLAN (20) that I setup on pfsense and on the Unifi AP will not connect to the internet, ping the gateway or traceroute anything on its subnet when the VPN is connected.  If I make no other changes besides stopping the VPN service, the guest network wifi immediately has full internet access.

    I am 100% sure there is something about my config that I left out that will be key to even getting me started in the right direction, so just let me know what that is and I will post that info in the thread.



  • Check the outbound NAT. Firewall > NAT > Outbound.
    If it is set to do automatic rule generation you should see the subnet 192.168.20.0/24 in the automatically generated rules at the bottom.
    If it is in hybrid or manual mode you have to add this rule by yourself.

    Post the Outbound NAT page, if you're unsure.


  • Rebel Alliance

    Sounds as though it could be similar to my recent issue.

    Have you checked your routing table?

    In my case, starting OpenVPN created a 2nd default route. Adding a static route could be a temporary fix, while you prevent or eliminate the 2nd default route.

    NB just a newbie on pfsense - trust someone wiser will correct any deficiencies in this advice.
    Good luck.



  • Attached is how my NAT Outbound is setup.  Nothing jumps out at me as different from what you are suggesting, but remember I'm a total newb ;-)

    (EDIT - added a snap of my Routing diagnostics too)

    ![Screen Shot 2017-01-13 at 9.34.38 AM.png](/public/imported_attachments/1/Screen Shot 2017-01-13 at 9.34.38 AM.png)
    ![Screen Shot 2017-01-13 at 9.43.08 AM.png](/public/imported_attachments/1/Screen Shot 2017-01-13 at 9.43.08 AM.png)



  • Your default route directs to the VPN server. The VPN server is probably pushing the route to you.

    If you want your outbound traffic mainly to go out WAN you should check "Don't pull routes" in the client settings.
    To route the traffic of certain devices over the VPN, you have to set the gateway option in the responsible firewall rule which is allowing the traffic to the VPN gateway.



  • viragomann - that was it!  Checked that one box (routes no pull) and it works!  Thanks!

    Just to expand my knowledge a bit, by default do you mean "untagged" vlan traffic?  If I setup a second vlan for my "private" network and then subdivide that between a set of IP addresses that are routed through the VPN and some that aren't, so that they can still see each other behind the firewall and have separate rules for each vlan, would the "routes no pull" option matter then?



  • The "Don't pull routes" just means that you don't get routes pushed from the VPN server. By default PIA servers push the default route to the clients so that the PIA VPN is the default gateway and any upstream traffic is routed over the VPN.
    If you've checked the "Don't pull routes" option the WAN gateway is the default gateway again. That is applied to all internal networks.

    With the gateway option in firewall rules you can select to which gateway the traffic is routed out. You may also define the PIAVPN GW just for certain services like HTTP and HTTPS, which you have defined in an Alias first, and use this alias for the destination port in the rule.

    If you add an additional subnet and direct some hosts out of it over the VPN you will also have to add an outbound NAT rule for this subnet or fit the source network in the existing one.
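    As an added example (not from this thread or from pfSense itself), a small shell check for the two things raised in the replies above: a second default route appearing after the VPN client comes up, and whether the outbound NAT rules actually cover the VLAN subnet. The `netstat -rn` and `pfctl -sn` samples are constructed with hypothetical interface names and addresses; on a real box you would feed in the live output of those commands instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn` on a pfSense box while the VPN client is up.
# Interface names (igb0 = WAN, igb1.20 = VLAN 20, ovpnc1 = VPN) and 203.0.113.x /
# 10.8.0.x addresses are hypothetical, not taken from the thread.
ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS      ovpnc1
default            203.0.113.1        UGS        igb0
10.8.0.0/24        link#9             U        ovpnc1
192.168.1.0/24     link#2             U          igb1
192.168.20.0/24    link#10            U       igb1.20
203.0.113.0/24     link#1             U          igb0'

# Constructed sample of `pfctl -sn` (loaded outbound NAT rules) where only the
# 192.168.1.0/24 LAN is translated and the guest VLAN has been forgotten.
NAT='nat on igb0 inet from 192.168.1.0/24 to any -> 203.0.113.5 port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535'

# Count default routes; more than one means the VPN server pushed its own
# (the symptom "Don't pull routes" removes).
count_default_routes() {
  printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n+0 }'
}

# List the interfaces that carry a default route, so the stray one is easy to spot.
default_route_ifaces() {
  printf '%s\n' "$1" | awk '$1 == "default" { print $4 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Report whether any outbound NAT rule on interface $2 has subnet $3 as its source.
nat_covers_subnet() {
  printf '%s\n' "$1" | grep -q "^nat on $2 .* from $3 " && echo yes || echo no
}

count_default_routes "$ROUTES"                  # → 2
default_route_ifaces "$ROUTES"                  # → igb0 ovpnc1
nat_covers_subnet "$NAT" igb0 192.168.1.0/24    # → yes
nat_covers_subnet "$NAT" igb0 192.168.20.0/24   # → no
```

    A "no" for the VLAN subnet on the WAN interface is the missing outbound NAT rule the first reply asks about; two default routes is the pushed VPN route the later replies explain.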

