Routing Through WAN/VPN Interface Depending on IP Range



  • Hello,

    Thanks to a number of guides here, I was able to get my basic setup completed (10.0.0.0/8 LAN subnet), my VPN is connected, and I have the VPN connection assigned to a virtual interface.

    What routing/firewall/etc rules would I need to accomplish the following:

    • Clients with IPs in 10.1.0.0/16 are sent through the WAN interface.
    • Clients with IPs in 10.2.0.0/16 are sent through the VPN interface.

    I've tried the routing/firewall rules sections of several guides, but none of them work quite correctly.  Some configurations end up routing all traffic through the VPN regardless of IP, some don't route any traffic through the VPN regardless of IP, and some just don't work at all.

    Thanks in advance. :)



  • 10.0.0.0/8 LAN subnet. Wow!

    This can be set in a firewall rule and it's called policy routing.

    I assume the WAN gateway is still your default gateway, so for this route there is no need to do something additional.
    Depending on your VPN setup you may already have a VPN gateway; otherwise go to System > Routing and add a VPN gateway. The IP is the one of the other VPN node.
    Then add a firewall rule on LAN interface where you allow the upstream traffic, enter the 10.2.0.0/16 subnet at source, go down and expand the advanced options, go to gateway and select the VPN gateway.
    If you want to ensure that these hosts can't get out to WAN if the VPN is down, change your default any-to-any rule to the other source subnet and to the WAN gateway.



  • To answer your question at a high level, once the VPN is assigned to an interface, it should create a gateway which can be used for policy routing.  Also, remember that firewall rules are parsed top-down, so the order of your rules matters.  We would have to see your rules to troubleshoot any further.

    Having answered your question, the first thing you need to address is your LAN subnet.  10.0.0.0/8 is entirely too wide, will cause other routing issues down the road and is possibly contributing to your current issue.  I highly doubt… check that... I know for a fact that you do not have 16+ million hosts on your network.  Even if you did, you wouldn't put them all on the same broadcast domain anyway.



  • I've attached some pictures of my configuration.  I'm not clear on, well, basically everything:

    • Under Status -> OpenVPN: When the VPN is connected, it has a "Virtual Address". Where does this address come from? What uses it? Can it/does it need to be configured somehow?
    • Under Interfaces -> VPN_INTERFACE: The guides I've been reading say to put "None" as the IPV4 type of the VPN Interface.  Is that correct?  I don't actually have a third ethernet port on the machine, so I'm assuming this gets configured as some kind of virtual interface?  It's unclear to me what this is actually doing.
    • Under System -> Routing -> Gateways -> VPN_INTERFACE_VPNV4: The gateway is set to "dynamic" by default and can't be changed.  You seemed to indicate that this needed an IP of some sort, is that correct?
    • Under System -> Routing -> Gateways: The VPN gateway has a gateway and monitor IP listed, but it doesn't match the OpenVPN virtual address.  Should it match? Where does this come from?

    Currently, everything still seems to be going through the WAN, rather than the VPN, regardless of IP.  Also, after a few minutes, all traffic through the router ceases entirely, regardless of IP.  The router can still ping out, but clients cannot. Killing the VPN interface and bringing it back up fixes this, even though nothing is apparently going through it anyway . . .

    (On a related note, it boggles my mind somewhat that I can write and understand IPTABLES rules, but somehow nothing about this GUI or how the system functions makes the least bit of sense to me. :P)
  • @SaroDarksbane:

    • Under Status -> OpenVPN: When the VPN is connected, it has a "Virtual Address". Where does this address come from? What uses it? Can it/does it need to be configured somehow?

    The virtual VPN address is pushed to you from the VPN server. There is no need to configure anything around it.
    This is the IP of your virtual VPN interface. Any traffic from VPN site destined to you is directed to this address.

    @SaroDarksbane:

    • Under Interfaces -> VPN_INTERFACE: The guides I've been reading say to put "None" as the IPV4 type of the VPN Interface.  Is that correct?  I don't actually have a third ethernet port on the machine, so I'm assuming this gets configured as some kind of virtual interface?  It's unclear to me what this is actually doing.

    As mentioned above the virtual VPN interface is configured by the server. The interface just has to be activated, so it's configured correctly.

    @SaroDarksbane:

    • Under System -> Routing -> Gateways -> VPN_INTERFACE_VPNV4: The gateway is set to "dynamic" by default and can't be changed.  You seemed to indicate that this needed an IP of some sort, is that correct?

    That's okay also.

    @SaroDarksbane:

    • Under System -> Routing -> Gateways: The VPN gateway has a gateway and monitor IP listed, but it doesn't match the OpenVPN virtual address.  Should it match? Where does this come from?

    The monitoring IP is just to show if the gateway is up or down. You can monitor the VPN server IP if it is static.

    @SaroDarksbane:

    Also, after a few minutes, all traffic through the router ceases entirely, regardless of IP.  The router can still ping out, but clients cannot. Killing the VPN interface and bringing it back up fixes this, even though nothing is apparently going through it anyway . . .

    No idea why this should happen.

    But one other point: you also need an outbound NAT rule for the VPN interface. By default pfSense adds this automatically, but if you've changed the VPN settings after that, maybe the rules are not updated.
    So post the outbound NAT rules, please.



  • So, good news and bad news:

    • After adding an outbound NAT rule for the VPN interface, the VPN connection works when I choose a 10.2.0.0/16 address!
    • But . . . I can no longer get through the WAN interface using a 10.1.0.0/16 address.

    I've attached my outbound NAT rules.

    Also, I noticed when creating the outbound NAT rule that the interface dropdown listed the one I specifically configured ("VPN_INTERFACE") as well as a generic "OpenVPN".  Is that normal?

  • Actually, I think I may have fixed it.  Although I was specifically forwarding 10.2.0.0/16 traffic through the VPN interface, the next firewall rule in line was not as specific.  Changing the default rule to send 10.1.0.0/16 traffic specifically through the WAN interface seems to have solved the issue.

    (Since the VPN provider is also giving my virtual interface an address in the 10.0.0.0/8 range, perhaps the default routing table was getting confused as to the appropriate gateway for 10.1.0.0/16 traffic? Marvosa's objection to my subnet choice may have been prescient, though perhaps not in the way he expected. :P)

  • @SaroDarksbane:

    Changing the default rule to send 10.1.0.0/16 traffic specifically through the WAN interface seems to have solved the issue.

    So obviously the VPN Provider pushes the default route to you.
    As mentioned above, the suggestion presumed that the WAN gateway is still the default gateway.

    @SaroDarksbane:

    (Since the VPN provider is also giving my virtual interface an address in the 10.0.0.0/8 range, perhaps the default routing table was getting confused as to the appropriate gateway for 10.1.0.0/16 traffic? Marvosa's objection to my subnet choice may have been prescient, though perhaps not in the way he expected. :P)

    You didn't mention your VPN subnet and I couldn't get it out of my crystal ball.

    You may set your LAN network to a /14 if you only need 10.1.0.0/16 - 10.2.0.0/16
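As an added illustration (not code from the thread or from pfSense), the small Python model below reproduces the failure discussed above: a specific 10.2.0.0/16 rule followed by a catch-all with no explicit gateway works until the provider pushes a default route, while pinning 10.1.0.0/16 to the WAN gateway fixes it. The tunnel subnet, host addresses and gateway labels are assumptions.

```python
# Added example: first-match policy routing, pfSense style. Rules are evaluated
# top-down; a rule without an explicit gateway falls through to the system
# routing table, whose default route the VPN provider may have replaced.
# All subnets, hosts and gateway labels are constructed for illustration.
from ipaddress import ip_address, ip_network

LAN_SUBNET = ip_network("10.0.0.0/8")      # the poster's very wide LAN
VPN_TUNNEL = ip_network("10.8.0.0/24")     # assumed provider tunnel subnet


def pick_gateway(src_ip, rules, default_gw):
    """Return the gateway chosen for src_ip under first-match policy routing.

    rules: list of (source_network, gateway); gateway None means "use the
    routing table", i.e. whatever the current default gateway is.
    """
    ip = ip_address(src_ip)
    for net, gw in rules:
        if ip in ip_network(net):
            return gw if gw is not None else default_gw
    return "BLOCKED"  # no pass rule matched: default deny


# Original setup: a specific VPN rule, then a catch-all with no gateway set.
ORIGINAL_RULES = [("10.2.0.0/16", "VPN_GW"), ("0.0.0.0/0", None)]
# Fix from the thread: the catch-all is replaced by an explicit WAN rule.
FIXED_RULES = [("10.2.0.0/16", "VPN_GW"), ("10.1.0.0/16", "WAN_GW")]


def scenario(rules, default_gw):
    """Evaluate one host from each /16 against a rule set and default gateway."""
    return {host: pick_gateway(host, rules, default_gw)
            for host in ("10.1.5.5", "10.2.7.7")}


def tunnel_overlaps_lan():
    """True when the tunnel subnet lies inside the LAN supernet, as here."""
    return VPN_TUNNEL.overlaps(LAN_SUBNET)


if __name__ == "__main__":
    print("default still WAN:          ", scenario(ORIGINAL_RULES, "WAN_GW"))
    print("VPN pushed default route:   ", scenario(ORIGINAL_RULES, "VPN_GW"))
    print("fixed rules, default ignored:", scenario(FIXED_RULES, "VPN_GW"))
    print("tunnel overlaps LAN /8:", tunnel_overlaps_lan())
```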



  • @viragomann:

    You didn't mention your VPN subnet and I couldn't get it out of my crystal ball.

    Yeah, I realize now I never spelled it out in my post; it was only present in one of the screenshots.

    Thanks for all the help!



  • You're right, the gateway. I didn't notice.