(Solved) Can't route Subnet A out WAN and Subnet B out OpenVPN client.
I have two subnets. I want one to route out the WAN and the other to go out the OpenVPN client which is connected to iVPN.
LAN1 and LAN2 are allowed to talk to each other:
LAN1 10.0.1.1 --> WAN gateway
LAN2 10.0.2.1 --> OpenVPN Client gateway
When the OpenVPN client is connected LAN1 can't route outside but LAN2 can.
When the OpenVPN client is down LAN2 can't route outside but LAN1 can. <-- expected behavior when it's down
NAT is set to manual with each subnet being "NATTED" out its respective interface. Firewall rules are set so each subnet can route to any destination. The problem appears to be with the routing.
When OpenVPN is NOT connected:
Destination        Gateway         Flags   Netif   Expire
default            100.100.64.1    UGS     re0
When OpenVPN is connected:
Destination        Gateway         Flags   Netif   Expire
0.0.0.0/1          10.80.40.1      UGS     ovpnc1
default            100.100.64.1    UGS     re0
It seems as soon as OpenVPN is connected pfSense tries to route ALL traffic out that interface but the NAT rules prevent the LAN1 subnet from being NATTED so it fails. Really, all I want to do is give each subnet its own gateway.
Any ideas? I've played with changing static routes a bit but it doesn't seem to help. Static routes are concerned with the destination only and don't have a way to specify on which source subnet to apply the route on the web UI.
I've gone through the iVPN guide here but it assumes you want to tunnel ALL your traffic through the VPN. Not what I want. https://www.ivpn.net/setup/router-pfsense.html
Here's another similar guide but this one assumes you want to route all traffic through OpenVPN and then fail back to the WAN if the VPN goes down. Not what I want either.
Thanks! I'm hoping this is something simple.
Pretty sure your default route is being modified because you're allowing the openvpn server to push route mods to you. You'll want to disable that (i.e. don't allow the server to push default route changes). I check the "Don't pull routes" option on the ovpn client config screen for this.
Once you fix that then you should just be able to set up policy based routing for LAN2 to go thru the ovpn gateway. I do this exact kind of thing with multiple vpn gateways using policy based routing.
And you are then policy routing traffic from LAN2 out the OpenVPN gateway so you need to be sure to bypass that for LAN2 > LAN1 by passing that traffic above the policy routing rule with no gateway set (use the routing table).
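Added illustration (not from any poster in this thread) of the two points above: the pushed 0.0.0.0/1 route out-ranks "default" by longest-prefix match, which is why LAN1 traffic ends up on ovpnc1, and the LAN2 > LAN1 pass rule only works if it sits above the policy-routing rule. The gateway names WAN_GW/VPN_GW and the connected routes for the two LANs are assumptions; the tables posted above omit them.

```python
import ipaddress

# Constructed model of the thread's setup: LAN1 10.0.1.0/24, LAN2 10.0.2.0/24,
# WAN on re0 (100.100.64.1), OpenVPN client on ovpnc1 (10.80.40.1).
# Connected routes for the two LANs are assumed; the posted tables omit them.
CONNECTED = [("10.0.1.0/24", "LAN1"), ("10.0.2.0/24", "LAN2")]
ROUTES_PULLED = CONNECTED + [("0.0.0.0/1", "ovpnc1"), ("0.0.0.0/0", "re0")]  # server pushed 0.0.0.0/1
ROUTES_NOPULL = CONNECTED + [("0.0.0.0/0", "re0")]                            # "Don't pull routes" ticked
GATEWAY_IF = {"WAN_GW": "re0", "VPN_GW": "ovpnc1"}  # pfSense gateway names are assumed

def route_lookup(routes, dst):
    """Longest-prefix match on destination only, like the system routing table."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def egress(rules, routes, src, dst):
    """First matching pass rule wins, top to bottom. A rule with a gateway
    policy-routes the packet; a rule with gateway None uses route_lookup()."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, gateway in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return GATEWAY_IF[gateway] if gateway else route_lookup(routes, dst)
    return "blocked"  # implicit default deny

LAN1_RULES = [("10.0.1.0/24", "0.0.0.0/0", None)]            # gateway left at "default"
LAN2_POLICY_ONLY = [("10.0.2.0/24", "0.0.0.0/0", "VPN_GW")]  # everything forced into the tunnel
LAN2_FIXED = [("10.0.2.0/24", "10.0.1.0/24", None),          # bypass rule ABOVE the policy rule
              ("10.0.2.0/24", "0.0.0.0/0", "VPN_GW")]

if __name__ == "__main__":
    # 8.8.8.8 falls inside 0.0.0.0/1, so the pulled route beats "default" for LAN1
    print(egress(LAN1_RULES, ROUTES_PULLED, "10.0.1.50", "8.8.8.8"))          # ovpnc1 (the original symptom)
    print(egress(LAN1_RULES, ROUTES_NOPULL, "10.0.1.50", "8.8.8.8"))          # re0
    print(egress(LAN2_POLICY_ONLY, ROUTES_NOPULL, "10.0.2.50", "8.8.8.8"))    # ovpnc1
    print(egress(LAN2_POLICY_ONLY, ROUTES_NOPULL, "10.0.2.50", "10.0.1.20"))  # ovpnc1: LAN traffic into the tunnel
    print(egress(LAN2_FIXED, ROUTES_NOPULL, "10.0.2.50", "10.0.1.20"))        # LAN1
```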
Thanks for the responses!
Turns out my problem was that I could only choose "default" as the gateway for my two internal subnets despite having two WAN connections (WAN + VPN).
I had the protocol for each firewall rule set to IPv4 + IPv6 but only the WAN connection has IPv6. Once I changed VPN to IPv4 only it seems to be working. I can select the right gateway for each subnet and create firewall rules to allow the two internal subnets to talk to each other.