OpenVPN routing goes wrong when Gateway Group used in LAN default rule

funchords

Multi-site setup using OpenVPN to connect four offices in a star topology.  This works.

192.168.0.0/24 is the center.
192.168.2.0/24 is one spoke.
192.168.4.0/24 is one spoke.
192.168.120.0/24 is one spoke.

Any machine in all four offices can ping and connect to any machine in any of the four offices.  This all works.

Now I implement a backup Internet provider.  I get to the part where I edit the default LAN rule in the Firewall > LAN screen to the gateway by changing it to the gateway group, and my VPN stops routing properly.

Say I'm at 192.168.4.X.  Without the default LAN rule modification, traceroute to 192.168.2.x goes properly to 192.168.4.1, 10.0.4.X, etc …    but with the default LAN rule set to the gateway group, suddenly the VPN route goes out the WAN port instead of routing within the VPN (which appears to stay up but nothing can route within it).

Any clues?

viragomann

With the gateway option in the rule (policy routing) you force the traffic to one of the gateways. This overrides the pfSense routing table.

To solve, add an additional rule for VPN traffic (put all LANs in an alias and use this as destination in the allow rule) without the gateway option and put it to the top of the rule set.

heper

Exactly

funchords

@viragomann:

To solve, add an additional rule for VPN traffic (put all LANs in an alias and use this as destination in the allow rule) without the gateway option and put it to the top of the rule set.

That worked. Thanks!