Specifying 1 network on 1 interface tunnels the whole network



  • Hello so this is my delema. I have a linode server outside of Canada (Florida to be specific) now due to my ISP double NAT I beloved this might be a possible chance to bypass such an issue with the network I want to make available to the world (ie. My DMZ) now I have 4 networks on 4 seperate ports. My wan interface (192.168.0.0) my standard home usage for family (192.168.1.0) my dmz(192.168.2.0) and finaly my direct access for maintenance port via console (192.168.3.0) I have applied the rules to assure these networks cannot speak to each other and as a added step my layer 3 switch has each of these networks (if using) on seperate vlans. The vpn successfully works with open vpn, the configurations all work and the handshake goes withought a hitch. However even though I specify the 2.0 network in the remote ipv4 section it tunnels the entire network. This is an issue due to online services that block vpn and antiblock connections or software. So my question is, is there an option or section I have missed that is doing this? Or is it a error in pfsense that specifying the network to tunnel doesn't actually matter and will run me the entire network regardless


  • Rebel Alliance Global Moderator

    "I have applied the rules to assure these networks cannot speak to each other and as a added step my layer 3 switch has each of these networks (if using) on seperate vlans."

    Huh.. pfsense would have nothing to do with controlling traffic between segments if you have a downstream layer 3 doing the routing.  What is your transit network between pfsense and this L3 (router)?

    So your pfsense has wan has rfc1918 address, so what does your pfsense plug into?  Some ISP router that nats a public to 192.168.0?  Or you saying ISP is also doing carrier grade nat and your router in front of pfsense has a another rfc1918 on its wan?

    But your goal is to have a vpn from your pfsense to your vpn server you run on a vps - and users access this vps public IP get forwarded down the tunnel to your box sitting on your dmz?  That sounds like it is your goal..



  • the over all final goal is that my isp uses 4G LTE with double nating and combining users to 1 dynamic ip (ie. 500 customers have the same public ip address). in turn i cannot access my servers properly without headache and instability. so my thought was to create a VPN access server with linode using debian 8 and connect my pfsense machine with a tunnel BUT… only send DMZ server network threw the vpn instead of all of it. i have tried modifying the NAT ruling on my side to try and send the LAN threw the original wan and the dmz network threw the OpenVPN port. but it seems no matter what i try, the OpenVPN virtual port will take full control of the WAN port and not allow anything threw (ie. when the modified rule is applied my dmz network indeed goes threw the vpn, but my lan network gets completely blocked)


  • Rebel Alliance Global Moderator

    Are you pulling default routes from your vpn server your running.. Then yeah it would route all traffic through your vpn..

    If you want your dmz machines to use the tunnel and your other machines to use your that is basic policy routing.. Just send the dmz or any IP you want out your gateway you created for the vpn connection.  Let your other clients just the normal routing of pfsense which should send it out your wan, etc.