    Netgate Discussion Forum

    OpenVPN routing goes wrong when Gateway Group used in LAN default rule

    Routing and Multi WAN
      funchords last edited by

      Multi-site setup using OpenVPN to connect four offices in a star topology.  This works.

      192.168.0.0/24 is the center.
      192.168.2.0/24 is one spoke.
      192.168.4.0/24 is one spoke.
      192.168.120.0/24 is one spoke.

      Any machine in all four offices can ping and connect to any machine in any of the four offices.  This all works.

      Now I implement a backup Internet provider.  I get to the part where I edit the default LAN rule in the Firewall > LAN screen to the gateway by changing it to the gateway group, and my VPN stops routing properly.

      Say I'm at 192.168.4.X. Without the default LAN rule modification, traceroute to 192.168.2.x goes properly to 192.168.4.1, 10.0.4.X, etc. … but with the default LAN rule set to the gateway group, suddenly the VPN route goes out the WAN port instead of routing within the VPN (which appears to stay up but nothing can route within it).

      Any clues?

        viragomann last edited by

        With the gateway option in the rule (policy routing) you force the traffic to one of the gateways. This overrides the pfSense routing table.

        To solve, add an additional rule for VPN traffic (put all LANs in an alias and use this as destination in the allow rule) without the gateway option and put it to the top of the rule set.

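        The mechanism behind this answer, as an added worked example that is not code from the thread or from pfSense itself: a small Python model of pfSense's top-down, first-match LAN rule evaluation, where a rule with a gateway set forces the next hop (policy routing) and a rule without one falls through to the routing table. The alias name office_lans, the interface names ovpns1/WAN_GW, the gateway group name WAN_GROUP and the 10.0.4.0/24 transit net are assumptions for the example; only the four office subnets come from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: four office LANs joined by a hub-and-spoke
# OpenVPN. We model the LAN ruleset of the 192.168.4.0/24 spoke.
OFFICE_LANS = ["192.168.0.0/24", "192.168.2.0/24", "192.168.4.0/24", "192.168.120.0/24"]

# pfSense alias name is an assumption; it must list ALL office networks.
ALIASES = {"office_lans": [ipaddress.ip_network(n) for n in OFFICE_LANS]}

# Routing table of the spoke (interface and transit-net names are assumptions):
# own LAN, the OpenVPN transit net, the remote offices learned via OpenVPN,
# and a default route to the WAN.
ROUTING_TABLE = [
    ("192.168.4.0/24", "LAN"),
    ("10.0.4.0/24", "ovpns1"),
    ("192.168.0.0/24", "ovpns1"),    # hub
    ("192.168.2.0/24", "ovpns1"),    # other spokes, reached through the hub
    ("192.168.120.0/24", "ovpns1"),
    ("0.0.0.0/0", "WAN_GW"),
]


@dataclass
class Rule:
    name: str
    src: str                     # CIDR, alias name, or "any"
    dst: str                     # CIDR, alias name, or "any"
    gateway: Optional[str] = None  # set => policy routing (overrides the routing table)


def _networks(spec):
    """Expand a rule endpoint into a list of networks."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return ALIASES.get(spec) or [ipaddress.ip_network(spec)]


def matches(rule, src, dst):
    return any(src in n for n in _networks(rule.src)) and any(dst in n for n in _networks(rule.dst))


def routing_lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns the next-hop/interface."""
    best = None
    for prefix, nexthop in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1]


def forward(rules, src, dst):
    """First matching rule wins. With a gateway set the packet is forced to that
    gateway; without one it follows the routing table (so VPN routes are honoured)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst):
            return rule.name, (rule.gateway if rule.gateway else routing_lookup(dst))
    return None, "blocked"


def shadowed_rules(rules):
    """Names of non-gateway rules that a higher policy-routing rule already fully
    covers: such a rule can never match, so its traffic is forced out the gateway."""
    def covers(outer, inner):
        return all(any(n.subnet_of(o) for o in _networks(outer)) for n in _networks(inner))

    shadowed = []
    for i, rule in enumerate(rules):
        if rule.gateway:
            continue
        if any(r.gateway and covers(r.src, rule.src) and covers(r.dst, rule.dst) for r in rules[:i]):
            shadowed.append(rule.name)
    return shadowed


# The poster's broken state: only the default rule, now pointing at the gateway group.
BROKEN = [Rule("Default allow LAN to any", "192.168.4.0/24", "any", gateway="WAN_GROUP")]

# The suggested fix: an alias-destination rule with no gateway, placed on top.
FIXED = [
    Rule("Allow LAN to office LANs", "192.168.4.0/24", "office_lans"),
    Rule("Default allow LAN to any", "192.168.4.0/24", "any", gateway="WAN_GROUP"),
]

# Same two rules, wrong order: the fix is present but never reached.
WRONG_ORDER = list(reversed(FIXED))

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(label, forward(rules, "192.168.4.10", "192.168.2.20"), "shadowed:", shadowed_rules(rules))
    print("fixed, Internet:", forward(FIXED, "192.168.4.10", "203.0.113.7"))
```

        The ordering check in shadowed_rules is the one to run after any rule change: the same failure returns if someone later drags the gateway-group rule back above the alias rule, or if the alias is missing one of the office networks (traffic to that office silently takes the WAN again).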
          heper last edited by

          Exactly

            funchords last edited by

            @viragomann:

            To solve, add an additional rule for VPN traffic (put all LANs in an alias and use this as destination in the allow rule) without the gateway option and put it to the top of the rule set.

            That worked. Thanks!
