Howto opt out one address from OpenVPN? - Solved

  • Hi All

    I've got pfSense all set up and running great and I've also installed OpenVPN on it to connect to ExpressVPN. So far so good.

    The problem is that Netflix is refusing to connect when I use the VPN so I've been turning off the OpenVPN client for that subnet at night to watch TV. It's a PITA to have to stop and restart it every time someone in the house wants to watch TV.

    Is there a way to use the firewall rules to route one particular address directly to WAN without it going through the VPN? That way I could leave the OpenVPN client running all the time and still watch Netflix.

    My Interfaces are called:

    WAN (connected to the telco ADSL box)(soon to be fibre optic :-)  )
    LAN (connected to a Catalyst 3560 switch for all of the wired computers)
    Wireless (an added ethernet card in the server that connects to a Cisco EA3500 in Bridge mode for all the wireless devices)

    LAN is one subnet and Wireless is another, pfSense runs a DHCP server on each but they don't overlap.

    The LAN subnet is routed through the ExpressVPN Vancouver Interface
    The Wireless subnet is routed through the ExpressVPN Denver Interface

    So…. I thought I could add rules to Wireless and WAN to route a single device through without any VPN:

    I tried:

    Pass, Interface=Wireless, Source=Singlehost-, Destination=any, Gateway=WAN

    Pass, Interface=WAN, Source=WANnet, Destination=Singlehost-, Gateway=WAN

    NAT Entry: Interface=WAN, Source=Network-, Destination=any, Translation=Interface address

    I put all the new rules at the top of the list, saved and applied the changes.

    Any idea what I screwed up?


  • I got this working.

    I had way too many rules it seems, I followed a tutorial when I set things up that told me that for every rule I create on one interface like LAN I had to create the mirror on it's destination. I just disabled half my rules and everything is running fine.

    To opt out the one device I made one rule:

    Pass, Interface=Wireless, Source=Singlehost-, Destination=any, Gateway=WAN

    No extra NAT rules or anything else and it works great

Log in to reply