Firewall VPN-bypass Rules Ignored
-
Network:
ISP - [ADSL modem] - [SG-2440, 2.3.2.p1] - (172.28.x.x) - [Router/SW/WAP] - (192.168.1.x)

The Plan:
Configure the SG-2440 with PIA VPN as the default for the entire LAN – except for a few single, static-IP devices such as a media player.

Status:
The SG box config (below) for the PIA VPN service sends all traffic through the PIA VPN tunnel, but the Firewall exception rules do not provide a non-VPN connection for the specified IPs. I've been reading / following all the notes and guides I can find in the Forum and elsewhere, but obviously I'm missing some details. I'd expected the "top" firewall rule to "send" that IP's traffic via the ADSL (non-VPN) gateway; but it still uses the VPN. Thanks to all for any pointers or links, which would be appreciated.

PIA VPN Config:
PIA CA certificate / Port 1198 / OpenVPN (this part works)
Added VPN Gateway:
Interfaces : (assign) : Interface Assignments
OPT3: Network port: [ovpnc1 (PIA openVPN) ] / Enable / Descr: PIA-VPN
Re-Named: PIAVPN

Results:
DSLGW(default) / WAN / ADSL Gateway
PIAVPN_VPNV4 / PIAVPN / 10.62.10.5 / Interface PIAVPN Gateway added
PIAVPN_VPNV6 / PIAVPN / <no ip> / Interface PIAVPN Gateway added

Copied all NAT entries: Firewall : NAT : Outbound
Change Interface to [PIAVPN] (were OpenVPN)
Create a 'PASS ALL' Rule for the PIAVPN interface
Pass / PIAVPN / IPv4 / any protocol / src / dest
Create a Pass action for all IPv4 traffic thru OpenVPN interface
Pass / OpenVPN / IPv4 / any protocol / Src: LAN net / Dest: any / Gateway: PIAVPN
Added alias 'Roku' for 'exception' case with static IP media player
Added alias 'VPNPath' for all other LAN IPs to use PIA VPN by default

Add Firewall Rules:
Pass / LAN / IPv4 / any / Src: Host: Alias: Roku / Gateway: ADSL (top rule)
Pass / LAN / IPv4 / any / Src: Host: IP range / Tag: NO_WAN_EGRESS / Gateway: PIAVPN (next down)

Existing all-pass rule:
Pass / LAN / IPv4 / any / Src: LAN net / Gateway: <default> (below the others)

Add Floating Rule:
Reject / Quick / WAN / out / IPv4 / Tagged: NO_WAN_EGRESS / Gateway: ADSL
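For the rule set above, here is an added example (a small Python model written for this page, not code from the post or from pfSense) of the behaviour the design depends on: LAN-tab rules are evaluated top to bottom and the first match wins, a matching rule's gateway policy-routes the traffic, a rule whose gateway is down falls back to the default route unless "Skip rules when gateway is down" is enabled, and the floating quick reject on WAN-out catches anything carrying the NO_WAN_EGRESS tag that would otherwise leave via ADSL. The alias contents, the host addresses and the VPN-down scenarios are constructed for the example.

```python
"""Toy first-match evaluator for pfSense-style policy-routing rules.

Added example, not code from the original post or from pfSense. It models
only the semantics the post's rule set relies on: interface-tab rules are
first-match top to bottom; a matching rule's gateway policy-routes the
traffic; if that gateway is down the traffic falls back to the default
route unless "skip rules when gateway is down" is set; a floating reject
on WAN-out matching the NO_WAN_EGRESS tag stops tagged traffic from using
the ADSL path. Alias membership and host addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Aliases named in the post; membership is constructed for the example.
ALIASES = {
    "Roku": [ip_network("192.168.1.50/32")],      # the static-IP media player
    "VPNPath": [ip_network("192.168.1.0/24")],    # everything else on the LAN
    "LAN net": [ip_network("192.168.1.0/24")],
}

# Which interface each gateway sends traffic out of.
GATEWAY_IFACE = {"ADSL": "WAN", "PIAVPN": "PIAVPN"}


@dataclass
class Rule:
    action: str                     # "pass" or "reject"
    iface: str                      # interface tab the rule lives on
    direction: str = "in"           # interface rules match inbound; floating may be "out"
    src: str = "any"                # source alias (not used by the "out" floating rule)
    gateway: Optional[str] = None   # policy-routing gateway; None = default route
    tag: Optional[str] = None       # tag stamped on matching traffic
    tagged: Optional[str] = None    # only match traffic already carrying this tag


# The LAN tab as described in the post, top to bottom.
LAN_RULES = [
    Rule("pass", "LAN", src="Roku", gateway="ADSL"),
    Rule("pass", "LAN", src="VPNPath", gateway="PIAVPN", tag="NO_WAN_EGRESS"),
    Rule("pass", "LAN", src="LAN net"),   # pre-existing all-pass, default gateway
]

# The floating kill-switch rule from the post.
FLOATING_RULES = [
    Rule("reject", "WAN", direction="out", tagged="NO_WAN_EGRESS"),
]


def _src_matches(alias: str, src: str) -> bool:
    return alias == "any" or any(ip_address(src) in net for net in ALIASES[alias])


def evaluate(src, lan_rules=LAN_RULES, floating=FLOATING_RULES,
             gateways_up=("ADSL", "PIAVPN"), default_gw="ADSL",
             skip_rule_when_gw_down=False):
    """Return (lan_rule_index, gateway, egress_iface, verdict) for traffic from src."""
    matched = None
    for idx, rule in enumerate(lan_rules):
        if rule.iface != "LAN" or rule.direction != "in":
            continue
        if not _src_matches(rule.src, src):
            continue
        if rule.gateway and rule.gateway not in gateways_up and skip_rule_when_gw_down:
            continue   # pfSense option: the rule is treated as absent while its gateway is down
        matched = idx
        break
    if matched is None:
        return (None, None, None, "blocked (no matching LAN rule)")
    rule = lan_rules[matched]
    if rule.action != "pass":
        return (matched, None, None, "blocked")
    gateway = rule.gateway or default_gw
    if gateway not in gateways_up:
        gateway = default_gw   # default pfSense behaviour: fall back to the default route
    egress = GATEWAY_IFACE[gateway]
    # Floating "out" rules on the egress interface see the tag stamped by the LAN rule.
    for frule in floating:
        if frule.direction == "out" and frule.iface == egress \
                and (frule.tagged is None or frule.tagged == rule.tag):
            if frule.action == "reject":
                return (matched, gateway, egress, "rejected by floating rule")
            break
    return (matched, gateway, egress, "pass")


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.1.77"):
        print(host, evaluate(host))
    print("VPN down:", evaluate("192.168.1.77", gateways_up=("ADSL",)))
    # Swapping the first two rules shows why the Roku rule has to sit on top:
    # the VPNPath alias also contains the Roku address.
    print("reordered:", evaluate("192.168.1.50",
                                 lan_rules=[LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]]))
```

Running it shows the Roku host using the ADSL gateway only while its rule is above the VPNPath rule, because VPNPath covers the whole /24 including the Roku address; with the PIA gateway down, tagged traffic falls back to the default route and is then rejected by the floating rule, which is exactly what the tag is for. Two things the model leaves out that are worth checking on a real box: pfSense keeps already-established states on the route they were created with, so after adding or reordering a gateway rule the affected states have to be cleared (Diagnostics > States) before existing connections from the Roku change path; and if the OpenVPN client is allowed to pull PIA's pushed default route, the kernel's effective default route can differ from the gateway the Gateways page marks as default, which is what the client's "Don't pull routes" option is there to prevent.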