WoL half broken after setting pfSense up as an OpenVPN client

  • Hey guys!

    This is my first post and I think I'm just missing something somewhat simple, but it has me stumped.

    Backstory: I've had WoL working, from both inside AND outside my LAN to my desktop PC, through an app on my phone.  It's super convenient and works spectacularly.  Whether on my LAN wifi, or external, I can simply wake my desktop PC through this app, which uses my external (public) IP to wake the machine regardless of whether I'm inside or outside my network.

    So that's how things were.  Recently, I decided to set my pfSense box up as an OpenVPN client with NordVPN (followed this tutorial here: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/).  While I'm still nailing down a couple of minor kinks, it's overall working really really well and I'm loving it.  Unfortunately, I just realized that somehow through this process I broke WoL from working while I'm INSIDE my network (still using the exact same app that I have directed at my public IP).  WoL still works outside my network, but something's fubar'ed internally.

    I tried to search and didn't come up with much, and while I wouldn't consider myself a novice in networking, I'm certainly not an expert either.  I work in IT and I have a sincere passion for not just figuring things out, but understanding why they happened is also a love of mine (and OCD ;) ), so if someone would be able to give me some ideas or pointers here as to what might be going on I'd be extremely grateful!  Wracking my brain trying to make sense of the "route" a magic packet would take when sent from inside my LAN and I just can't figure it out.  TIA!

    EDIT:  I should also note that I've confirmed I can use my desktop's internal IP while inside my LAN with this app and that does work.  However, if possible I'd like to get it back to how it was before, where I didn't have to think about which WoL command I sent (internal vs external) in the app.  Thanks!

    EDIT 2:  Alright guys, I'm really close... but not quite there yet.  I backed up my config, started from scratch reconfiguring the VPN, testing after each step.  I'm 100% certain the following firewall rule I've got under the "LAN" section is what's breaking it.  I figured I could just make a rule right above it, change "destination" to my external (public) IP, and send it through the default gateway, but for some reason that's not working... the firewall isn't matching on this rule.

    I know I'm real close, as if I change the destination to "any" (effectively nullifying my VPN, as this rule is above that one) then it once again works.  Problem is I can't figure out what "destination" I'm supposed to use...

    EDIT 3:  Welp, solving this myself kinda defeats the purpose of me posting in the first place, but I managed to get it figured out.  There must be some sort of translation or something going on here that I haven't fully wrapped my brain around just yet, but by turning on logging for the rule I knew my packets were hitting (the NordVPN one that I posted a screenshot of), checking the current internal IP address of my phone, and then sending a raft of WoL requests, I was able to find the entries in the logs.  Turns out their "destination" was the internal address of the desktop machine I'm trying to wake.  So once I changed the rule I had created above the NordVPN entry to have a "destination" matching the internal IP of the machine I'm trying to wake, things started working again!

    Posting all this here on the chance that someone else happens to run into the same issue, hopefully this can point them in the right direction :)

    TL;DR: Create a firewall rule above the rule that's passing LAN traffic out the VPN, and make the source=LAN Net, Destination=Internal IP of the machine you're trying to wake (or alias with this IP), and Gateway=Default.
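The "translation" the poster noticed is NAT reflection: in pf (the packet filter pfSense uses) port-forward and reflection NAT rules are applied before the filter rules, so a magic packet sent from the LAN to the public IP reaches the LAN rule set with its destination already rewritten to the desktop's internal address. The following is an added example, not code from the original post or from pfSense, that models that ordering and shows why a rule matching the public IP never fires while a rule matching the internal IP does. All IPs, the MAC and the port forward are constructed sample values; the `Rule`/`Packet` model is a deliberately simplified stand-in for the real rule set (first-match, top to bottom, as pfSense evaluates LAN rules).

```python
"""Added example (not the poster's or pfSense's code): why the LAN rule must
match the internal IP of the machine being woken.

pf applies NAT (port forwards, NAT reflection) before filter rules, so the
filter sees the translated destination.  Addresses below are constructed.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

PUBLIC_IP = "203.0.113.10"                 # constructed WAN/public address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DESKTOP_IP = "192.168.1.50"                # constructed internal IP of the desktop
DESKTOP_MAC = "00:11:22:33:44:55"          # constructed MAC
WOL_PORT = 9                               # UDP port the app sends to


def build_magic_packet(mac: str) -> bytes:
    """Standard WoL magic packet: six 0xFF bytes then the MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC must be exactly 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac: str, target: str, port: int = WOL_PORT) -> int:
    """Send the magic packet over UDP (broadcast allowed); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (target, port))


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    name: str
    src_net: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[str]                         # None means "any"
    gateway: str                               # "default" or a VPN gateway name


def nat_reflect(pkt: Packet, public_ip: str, forwards: Dict[int, str]) -> Packet:
    """Model of a port forward with NAT reflection: a LAN host sending to the
    WAN address on a forwarded port has its destination rewritten to the
    internal target *before* any filter rule is consulted."""
    if pkt.dst == public_ip and pkt.dport in forwards:
        return Packet(pkt.src, forwards[pkt.dport], pkt.dport)
    return pkt


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match, top-to-bottom evaluation, as pfSense does for LAN rules."""
    for rule in rules:
        if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in rule.src_net:
            continue
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        return rule
    return None


def gateway_for(rules: List[Rule], pkt: Packet, forwards: Dict[int, str]) -> str:
    """Gateway a LAN packet ends up on: NAT first, then the first matching rule."""
    matched = first_match(rules, nat_reflect(pkt, PUBLIC_IP, forwards))
    return matched.gateway if matched else "no rule (blocked)"


# Constructed port forward: WAN:9/udp -> desktop (what makes external WoL work).
FORWARDS = {WOL_PORT: DESKTOP_IP}

# The rule that sends all LAN traffic out the VPN tunnel.
NORDVPN_RULE = Rule("LAN net -> NordVPN", LAN_NET, None, "NORDVPN_GW")
# The poster's first attempt: destination = public IP (never matches post-NAT).
BROKEN_RULE = Rule("WoL via public IP", LAN_NET, PUBLIC_IP, "default")
# The fix from the TL;DR: destination = internal IP of the machine to wake.
WORKING_RULE = Rule("WoL to desktop", LAN_NET, DESKTOP_IP, "default")

if __name__ == "__main__":
    wol = Packet("192.168.1.20", PUBLIC_IP, WOL_PORT)       # phone on LAN wifi
    web = Packet("192.168.1.20", "198.51.100.5", 443)       # ordinary traffic
    print("broken order :", gateway_for([BROKEN_RULE, NORDVPN_RULE], wol, FORWARDS))
    print("working order:", gateway_for([WORKING_RULE, NORDVPN_RULE], wol, FORWARDS))
    print("web traffic  :", gateway_for([WORKING_RULE, NORDVPN_RULE], web, FORWARDS))
```

Running the script prints the VPN gateway for the "broken" rule order and `default` for the working one, while ordinary web traffic still goes out the tunnel either way; that is the behaviour the post describes. Turning on logging for the VPN rule, as the poster did, is the quickest way to confirm on a real box that the logged destination is already the internal address.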

