VLAN not getting packets back while using vpn gateway

    I've done quite a bit of digging and I'm just completely lost at this point. I've had vlans running on my pf without issues for over a year. Now I finally had time to sit down and setup the vpn connection. Everything works just as expected with the vpn I excluded one laptop going out through the WAN GATEWAY while the rest of the LAN goes out the VPN gateway. I also have specific ports using WAN over VPN and these work just fine. I have two  vlans both going to the same esxi host (2 nics).

    The problem is I can get the assigned IP address and even switching the networks around gives me the expected results. However, in my troubleshooting I identified that the problem on this VPN with getting internet is the vpn gateway. Since I can set the gateway to WAN reboot the vm and it goes out, but when I switched the WAN to VPN gateway the outbound routing looks to be ok. My main machine which uses the VPN as gateway works flawlessly and a laptop on the same network using the WAN gateway works as expected.

    I went and checked the outbound nat (manual) and it's nasty in there but what I be expecting to be in there? I see 3 rules for each interface that I have, WAN, VPN, and HOSTNET (the vlan i'm using) as well as some additional WAN routes but everything is working as expected except for this one part.

    When I run a ping, or curl or try to upgrade my repos in the vm the commands just hang and eventually time out. When I look in the state table it shows 3 connections ( depending) 2 for my DNS and 1 to the ip address I did the curl on. So I know the packets are reaching the firewall at a minimum.

    I would love to get this figured out so I can continue with my testing but I need to solve this gateway issue.

    Any help, recommendations or tips would be appreciated!

  • While talking with someone else they mentioned a GRE tunnel. To my knowledge a GRE needs a L2 device at either end. Since this is OpenVPN on a VLAN GRE wouldn't work.. would it? I mean because I can't assign a VLAN tag and a GRE tunnel to the same interface - correct?  :-\

