Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall VPN-bypass Rules Ignored

    Scheduled Pinned Locked Moved OpenVPN
    1 Posts 1 Posters 680 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      CTrax
      last edited by

      Network:
      ISP - [ADSL modem] - [SG-2440, 2.3.2.p1] - (172.28.x.x) - [Router/SW/WAP] - (192.168.1.x)

      The Plan:
      Configure the SG-2440 with PIA VPN as the default for the entire LAN – except for a few single, static-IP devices such as a media player.

      Status:
      The SG box config (below) for the PIA VPN service sends all traffic through the PIA VPN tunnel but the Firewall exception rules do not provide non-VPN connect for specified IPs. I've been reading / following all the notes and guides I can find in the Forum and elsewhere but obviously I'm missing some details. I'd expected the "top" firewall rule to "send" that IP's traffic via the ADSL (non-VPN) gateway; but it still uses the VPN. Thanks to all for any pointers or links; which would be appreciated.

      PIA VPN Config:

      PIA CA certificate / Port 1198 / OpenVPN (this part works)

      Added VPN Gateway:
      Interfaces : (assign) : Interface Assignments

      OPT3: Network port: [ovpnc1 (PIA openVPN) ] / Enable / Descr: PIA-VPN
      Re-Named: PIAVPN

      Results:

      DSLGW(default) / WAN / ADSL Gateway
      PIAVPN_VPNV4 / PIAVPN / 10.62.10.5 / Interface PIAVPN Gateway added
      PIAVPN_VPNV6 / PIAVPN / <no ip="">/ Interface PIAVPN Gateway added

      Copied all NAT entries: Firewall : NAT : Outbound

      Change Interface to [PIAVPN] (were OpenVPN)

      Create a 'PASS ALL' Rule for the PIAVPN interface

      Pass / PIAVPN / IPv4 / any procol/src/dest

      Create a Pass action for all IPv4 traffic thru OpenVPN interface

      Pass / OpenVPN / IPv4 / any protocol / Src: LAN net / Dest: any / Gateway: PIAVPN

      Added alias 'Roku' for 'exception' case with static IP media player
      Added alias 'VPNPath' for all other LAN IPs to use PIA VPN by default

      Add Firewall Rules:

      Pass / LAN / IPv4 / any / Src: Host: Alias: Roku / Gateway: ADSL (top rule)
      Pass / LAN / IPv4 / any / Src: Host: IP range / Tag: NO_WAN_EGRESS / Gateway: PIAVPN (next down)

      Existing all-pass rule:

      Pass / LAN / IPv4 / any / Src: LAN net / Gateway: <default>(below the others)

      Add Floating Rule:

      Reject / Quick / WAN / out / IPv4 / Tagged: NO_WAN_EGRESS / Gateway: ADSL</default></no>

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.