Netgate Discussion Forum

    Routing Through WAN/VPN Interface Depending on IP Range

    OpenVPN
    10 Posts, 3 Posters, 1.5k Views
    SaroDarksbane

      Hello,

      Thanks to a number of guides here, I was able to get my basic setup completed (10.0.0.0/8 LAN subnet), my VPN is connected, and I have the VPN connection assigned to a virtual interface.

      What routing/firewall/etc rules would I need to accomplish the following:

      • Clients with IPs in 10.1.0.0/16 are sent through the WAN interface.
      • Clients with IPs in 10.2.0.0/16 are sent through the VPN interface.

      I've tried the routing/firewall rules sections of several guides, but none of them work quite correctly.  Some configurations end up routing all traffic through the VPN regardless of IP, some don't route any traffic through the VPN regardless of IP, and some just don't work at all.

      Thanks in advance. :)

      viragomann

        10.0.0.0/8 LAN subnet. Wow!

        This can be set in a firewall rule and it's called policy routing.

        I assume the WAN gateway is still your default gateway, so for this route there is no need to do anything additional.
        Depending on your VPN setup you may already have a VPN gateway; otherwise go to System > Routing and add a VPN gateway. The IP is that of the other VPN node.
        Then add a firewall rule on the LAN interface where you allow the upstream traffic, enter the 10.2.0.0/16 subnet as source, go down and expand the advanced options, go to gateway and select the VPN gateway.
        If you want to ensure that these hosts can't get out to WAN if the VPN is down, change your default any-to-any rule to the other source subnet and to the WAN gateway.

        marvosa

          To answer your question at a high level, once the VPN is assigned to an interface, it should create a gateway which can be used for policy routing.  Also, remember that firewall rules are parsed top-down, so the order of your rules matters.  We would have to see your rules to troubleshoot any further.

          Having answered your question, the first thing you need to address is your LAN subnet.  10.0.0.0/8 is entirely too wide, will cause other routing issues down the road and is possibly contributing to your current issue.  I highly doubt… check that... I know for a fact that you do not have 16+ million hosts on your network.  Even if you did, you wouldn't put them all on the same broadcast domain anyway.

          SaroDarksbane

            I've attached some pictures of my configuration.  I'm not clear on, well, basically everything:

            • Under Status -> OpenVPN: When the VPN is connected, it has a "Virtual Address". Where does this address come from? What uses it? Can it/does it need to be configured somehow?
            • Under Interfaces -> VPN_INTERFACE: The guides I've been reading say to put "None" as the IPV4 type of the VPN Interface.  Is that correct?  I don't actually have a third ethernet port on the machine, so I'm assuming this gets configured as some kind of virtual interface?  It's unclear to me what this is actually doing.
            • Under System -> Routing -> Gateways -> VPN_INTERFACE_VPNV4: The gateway is set to "dynamic" by default and can't be changed.  You seemed to indicate that this needed an IP of some sort, is that correct?
            • Under System -> Routing -> Gateways: The VPN gateway has a gateway and monitor IP listed, but it doesn't match the OpenVPN virtual address.  Should it match? Where does this come from?

            Currently, everything still seems to be going through the WAN, rather than the VPN, regardless of IP.  Also, after a few minutes, all traffic through the router ceases entirely, regardless of IP.  The router can still ping out, but clients cannot. Killing the VPN interface and bringing it back up fixes this, even though nothing is apparently going through it anyway . . .

            (On a related note, it boggles my mind somewhat that I can write and understand IPTABLES rules, but somehow nothing about this GUI or how the system functions makes the least bit of sense to me. :P)

            vpn_connection.JPG
            vpn_interface.jpg
            vpn_gateway.jpg
            system_routing_gateways.JPG
            firewall_rules.JPG

            viragomann

              @SaroDarksbane:

              • Under Status -> OpenVPN: When the VPN is connected, it has a "Virtual Address". Where does this address come from? What uses it? Can it/does it need to be configured somehow?

              The virtual VPN address is pushed to you from the VPN server. There is no need to configure anything around it.
              This is the IP of your virtual VPN interface. Any traffic from the VPN side destined to you is directed to this address.

              @SaroDarksbane:

              • Under Interfaces -> VPN_INTERFACE: The guides I've been reading say to put "None" as the IPV4 type of the VPN Interface.  Is that correct?  I don't actually have a third ethernet port on the machine, so I'm assuming this gets configured as some kind of virtual interface?  It's unclear to me what this is actually doing.

              As mentioned above the virtual VPN interface is configured by the server. The interface just has to be activated, so it's configured correctly.

              @SaroDarksbane:

              • Under System -> Routing -> Gateways -> VPN_INTERFACE_VPNV4: The gateway is set to "dynamic" by default and can't be changed.  You seemed to indicate that this needed an IP of some sort, is that correct?

              That's okay also.

              @SaroDarksbane:

              • Under System -> Routing -> Gateways: The VPN gateway has a gateway and monitor IP listed, but it doesn't match the OpenVPN virtual address.  Should it match? Where does this come from?

              The monitoring IP is just to show if the gateway is up or down. You can monitor the VPN server IP if it is static.

              @SaroDarksbane:

              Also, after a few minutes, all traffic through the router ceases entirely, regardless of IP.  The router can still ping out, but clients cannot. Killing the VPN interface and bringing it back up fixes this, even though nothing is apparently going through it anyway . . .

              No idea why this should happen.

              But one other point: you also need an outbound NAT rule for the VPN interface. By default pfSense adds this automatically, but if you've changed the VPN settings after that, maybe the rules are not updated.
              So post the outbound NAT rules, please.

              SaroDarksbane

                So, good news and bad news:

                • After adding an outbound NAT rule for the VPN interface, the VPN connection works when I choose a 10.2.0.0/16 address!
                • But . . . I can no longer get through the WAN interface using a 10.1.0.0/16 address.

                I've attached my outbound NAT rules.

                Also, I noticed when creating the outbound NAT rule that the interface dropdown listed the one I specifically configured ("VPN_INTERFACE") as well as a generic "OpenVPN".  Is that normal?

                outbound_nat_interface_dropdown.jpg
                outbound_nat.jpg

                SaroDarksbane

                  Actually, I think I may have fixed it.  Although I was specifically forwarding 10.2.0.0/16 traffic through the VPN interface, the next firewall rule in line was not as specific.  Changing the default rule to send 10.1.0.0/16 traffic specifically through the WAN interface seems to have solved the issue.

                  (Since the VPN provider is also giving my virtual interface an address in the 10.0.0.0/8 range, perhaps the default routing table was getting confused as to the appropriate gateway for 10.1.0.0/16 traffic? Marvosa's objection to my subnet choice may have been prescient, though perhaps not in the way he expected. :P)

                  new_firewall_rules.jpg

                  viragomann

                    @SaroDarksbane:

                    Changing the default rule to send 10.1.0.0/16 traffic specifically through the WAN interface seems to have solved the issue.

                    So obviously the VPN Provider pushes the default route to you.
                    As mentioned above, the suggestion presumed that the WAN gateway is still the default gateway.

                    @SaroDarksbane:

                    (Since the VPN provider is also giving my virtual interface an address in the 10.0.0.0/8 range, perhaps the default routing table was getting confused as to the appropriate gateway for 10.1.0.0/16 traffic? Marvosa's objection to my subnet choice may have been prescient, though perhaps not in the way he expected. :P)

                    You didn't mention your VPN subnet and I couldn't get it out of my crystal ball.

                    You may set your LAN network to a /14 if you only need 10.1.0.0/16 - 10.2.0.0/16

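The behaviour worked out across this thread (rules evaluated top-down with first match winning, a rule with no gateway falling back to the system routing table that the VPN provider has overwritten with its own default route, an explicit WAN gateway on the 10.1.0.0/16 rule fixing it, and outbound NAT being required on the VPN interface) can be modelled in a few lines. The following is an added example written for this page, not pfSense code or anything posted in the thread; the `Rule`/`Router` classes, the gateway names `WAN` and `VPN`, and the client and Internet addresses are all constructed for illustration.

```python
"""Constructed model of pfSense-style policy routing, written for this page.

Rules are checked top-down and the first matching rule wins.  A rule with an
explicit gateway forces that egress path; a rule with no gateway defers to
the system routing table.  The chosen egress then needs an outbound NAT rule
on its interface, otherwise replies never come back to the LAN client.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One LAN firewall rule: a source match plus an optional policy-routing gateway."""
    source: str              # CIDR such as "10.2.0.0/16", or "any"
    gateway: Optional[str]   # "WAN", "VPN", or None = follow the system routing table


@dataclass
class Router:
    rules: list              # evaluated top-down, first match wins
    routes: dict             # prefix -> gateway; "0.0.0.0/0" is the default route
    nat_gateways: set        # gateways whose interface carries an outbound NAT rule

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match in the system routing table."""
        best = None
        for prefix, gw in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None

    def egress(self, src: str, dst: str) -> str:
        """Return the gateway a packet from src to dst leaves on, or why it fails."""
        for rule in self.rules:
            if rule.source != "any" and ip_address(src) not in ip_network(rule.source):
                continue
            gw = rule.gateway or self.lookup(dst)
            if gw is None:
                return "no route"
            if gw not in self.nat_gateways:
                return f"{gw} without outbound NAT"   # leaves, but replies cannot return
            return gw
        return "blocked"   # pfSense denies by default when no rule matches


# Constructed state: once the tunnel is up, the VPN provider has pushed a
# default route, so the system routing table now points 0.0.0.0/0 at the VPN.
VPN_PUSHED_ROUTES = {"0.0.0.0/0": "VPN"}
INTERNET = "203.0.113.10"          # RFC 5737 documentation address (constructed)
CLIENTS = ("10.1.5.5", "10.2.5.5", "10.3.5.5")   # constructed LAN hosts


def first_attempt() -> dict:
    """VPN rule, then a gateway-less 'any' rule; no outbound NAT on the VPN yet."""
    r = Router([Rule("10.2.0.0/16", "VPN"), Rule("any", None)], VPN_PUSHED_ROUTES, {"WAN"})
    return {src: r.egress(src, INTERNET) for src in CLIENTS}


def with_nat_only() -> dict:
    """Outbound NAT added on the VPN, but the default rule still has no gateway."""
    r = Router([Rule("10.2.0.0/16", "VPN"), Rule("any", None)], VPN_PUSHED_ROUTES, {"WAN", "VPN"})
    return {src: r.egress(src, INTERNET) for src in CLIENTS}


def fixed() -> dict:
    """Both subnets pinned to an explicit gateway; anything else hits default deny."""
    r = Router([Rule("10.2.0.0/16", "VPN"), Rule("10.1.0.0/16", "WAN")],
               VPN_PUSHED_ROUTES, {"WAN", "VPN"})
    return {src: r.egress(src, INTERNET) for src in CLIENTS}


def wrong_order() -> dict:
    """The broad rule placed first shadows the specific VPN rule entirely."""
    r = Router([Rule("any", "WAN"), Rule("10.2.0.0/16", "VPN")], VPN_PUSHED_ROUTES, {"WAN", "VPN"})
    return {src: r.egress(src, INTERNET) for src in CLIENTS}


if __name__ == "__main__":
    for name, scenario in (("first attempt", first_attempt), ("NAT only", with_nat_only),
                           ("fixed", fixed), ("wrong order", wrong_order)):
        print(f"{name:14} {scenario()}")
```

The `with_nat_only` scenario reproduces the symptom from the middle of the thread: the 10.2.0.0/16 rule works, but the gateway-less default rule sends 10.1.0.0/16 down the VPN because the routing table's default route is no longer the WAN. Pinning the second rule to the WAN gateway, as in `fixed`, restores the split, and hosts outside both /16s are dropped by default deny rather than silently following whatever route the provider pushed.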
                    SaroDarksbane

                      @viragomann:

                      You didn't mention your VPN subnet and I couldn't get it out of my crystal ball.

                      Yeah, I realize now I never spelled it out in my post; it was only present in one of the screenshots.

                      Thanks for all the help!

                      viragomann

                        You're right, the gateway. I didn't notice.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.