Firewall VPN-bypass Rules Ignored

    Network:
    ISP - [ADSL modem] - [SG-2440, 2.3.2.p1] - (172.28.x.x) - [Router/SW/WAP] - (192.168.1.x)

    The Plan:
    Configure the SG-2440 with PIA VPN as the default for the entire LAN – except for a few single, static-IP devices such as a media player.

    Status:
    The SG box config (below) for the PIA VPN service sends all traffic through the PIA VPN tunnel, but the Firewall exception rules do not provide non-VPN connect for specified IPs. I've been reading / following all the notes and guides I can find in the Forum and elsewhere, but obviously I'm missing some details. I'd expected the "top" firewall rule to "send" that IP's traffic via the ADSL (non-VPN) gateway; but it still uses the VPN. Thanks to all for any pointers or links, which would be appreciated.

    PIA VPN Config:

    PIA CA certificate / Port 1198 / OpenVPN (this part works)

    Added VPN Gateway:
    Interfaces : (assign) : Interface Assignments

    OPT3: Network port: [ovpnc1 (PIA openVPN) ] / Enable / Descr: PIA-VPN
    Re-Named: PIAVPN

    Results:

    DSLGW(default) / WAN / ADSL Gateway
    PIAVPN_VPNV4 / PIAVPN / 10.62.10.5 / Interface PIAVPN Gateway added
    PIAVPN_VPNV6 / PIAVPN / <no ip> / Interface PIAVPN Gateway added

    Copied all NAT entries: Firewall : NAT : Outbound

    Change Interface to [PIAVPN] (were OpenVPN)

    Create a 'PASS ALL' Rule for the PIAVPN interface

    Pass / PIAVPN / IPv4 / any protocol/src/dest

    Create a Pass action for all IPv4 traffic thru OpenVPN interface

    Pass / OpenVPN / IPv4 / any protocol / Src: LAN net / Dest: any / Gateway: PIAVPN

    Added alias 'Roku' for 'exception' case with static IP media player
    Added alias 'VPNPath' for all other LAN IPs to use PIA VPN by default

    Add Firewall Rules:

    Pass / LAN / IPv4 / any / Src: Host: Alias: Roku / Gateway: ADSL (top rule)
    Pass / LAN / IPv4 / any / Src: Host: IP range / Tag: NO_WAN_EGRESS / Gateway: PIAVPN (next down)

    Existing all-pass rule:

    Pass / LAN / IPv4 / any / Src: LAN net / Gateway: <default>(below the others)

    Add Floating Rule:

    Reject / Quick / WAN / out / IPv4 / Tagged: NO_WAN_EGRESS / Gateway: ADSL

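To make the first-match semantics behind the rule order above concrete, here is an added Python model (not part of the original post, and not pfSense's own code) of how the LAN rules, the NO_WAN_EGRESS tag and the floating WAN-out reject are evaluated for a new flow. The 172.28.x.x alias addresses are constructed, and the model ignores NAT and state tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                     # "pass" or "reject"
    src: Optional[str] = None       # source network; None matches any
    gateway: Optional[str] = None   # policy-routing gateway on a pass rule
    tag: Optional[str] = None       # tag applied to the flow on match
    tagged: Optional[str] = None    # tag the flow must carry to match

# Constructed addresses: the SG-2440's LAN side is 172.28.x.x in the post.
LAN_NET = "172.28.0.0/16"
ROKU = "172.28.1.50/32"        # the 'Roku' alias (constructed host)
VPNPATH = "172.28.1.0/24"      # the 'VPNPath' alias (constructed range)

# LAN interface rules, top to bottom, in the order the post lists them.
LAN_RULES = [
    Rule("roku-bypass", "pass", ROKU, gateway="ADSL"),
    Rule("vpn-default", "pass", VPNPATH, gateway="PIAVPN", tag="NO_WAN_EGRESS"),
    Rule("lan-allow", "pass", LAN_NET, gateway="default"),
]
# Floating rule: reject on WAN, direction out, for tagged flows only.
FLOATING_WAN_OUT = [Rule("wan-egress-block", "reject", tagged="NO_WAN_EGRESS")]

def first_match(rules: List[Rule], src: str, tags: Set[str]) -> Optional[Rule]:
    """Interface rules are quick: the first rule that matches wins."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if r.src is not None and ip not in ipaddress.ip_network(r.src):
            continue
        if r.tagged is not None and r.tagged not in tags:
            continue
        return r
    return None

def route(src: str, lan_rules: List[Rule] = LAN_RULES) -> Tuple[str, Optional[str]]:
    """Return (verdict, egress interface) for a new LAN-to-Internet flow."""
    tags: Set[str] = set()
    rule = first_match(lan_rules, src, tags)
    if rule is None or rule.action != "pass":
        return ("block", None)           # implicit default deny on LAN
    if rule.tag:
        tags.add(rule.tag)
    # ADSL and the system default gateway both leave via WAN; PIAVPN via the tunnel.
    egress = "PIAVPN" if rule.gateway == "PIAVPN" else "WAN"
    if egress == "WAN" and first_match(FLOATING_WAN_OUT, src, tags) is not None:
        return ("reject", "WAN")         # floating quick reject on WAN out
    return ("pass", egress)
```

Swapping the Roku rule below the VPNPath rule sends the Roku through the tunnel in this model, which is why the bypass rule has to stay on top of any broader source range that contains it.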
