Selective routing via VPN interface



  • I recently set up my pfSense router and I am still getting myself acquainted with all the different screens and features. But I have a few questions:

I set up a VPN interface and used this tutorial to set it up: https://nordvpn.com/tutorials/pfsense/pfsense-openvpn/

Everything works as it should. However, I was hoping to bypass the VPN for 2 IP addresses on my network. One for my work laptop, because going through 2 VPNs really slows things down and I keep getting disconnected from my work remote machines, and the second for my TV, which we use for Netflix. How would I do this in pfSense?

Secondly, is there an easy way to switch between servers, so that I can get past geo-location of certain websites? I currently use a US-based server using the CA.crt and TLS key of that server, but would the only option be to keep changing those each time I wanted to change a server? Or does pfSense support creating multiple interfaces with different server settings and then simply toggling between them?

Finally, I converted my Netgear WNR3500L router (using DD-WRT firmware) into an AP. For this, on the Setup page, I changed the WAN connection type from DHCP to Disabled, and further down on the same page, I disabled the 'DHCP Server' radio button. But it seems that my WiFi has become a bit slow. Now all my wireless devices take noticeably longer to load pages. Is there any other setting in DD-WRT that needs to be set/unset?

    I know the last question is more of a DD-WRT question than pfSense, but I am hoping someone here might have done something similar and help me out.



The easiest way I've found to segment traffic over the VPN or out the ISP is to use gateways. Default to the VPN, but add rules to move traffic from specific LAN IPs to the ISP gateway. It works quite well, and I don't have to do it just for static LAN IPs; I can and do have rules set up for specific ports (Steam games, Blizzard).

As far as Netflix, I use multiple WiFi networks. One is a streaming network which only goes out the ISP and has the Rokus and Fire Sticks. The other is routed through the VPN.



  • Thanks. Is there a tutorial on how to go about doing this? I set up static IPs for all my devices thinking I would need to specify which IPs need to go via the VPN interface. But if I can simply exclude a couple of IPs then I'd rather set static IP on those 2 devices and have other machines use DHCP.



  • Inxsible,
I can't speak to your DD-WRT problem, but maybe it's the VPN?

Regarding the rules, some tools, settings and tips that might help you (they helped me) are:

    1. Rules are applied from the top down, i.e. if you want something blocked or passed, order does matter.
2. Create some "Aliases" (Firewall -> Aliases) with your static devices' IPs by "Gateway", i.e. a "VPN devices" alias (list of all your devices' static IPs that you want out the VPN) and an "ISP devices" alias.
    3. Create an alias for "Internet Ports", i.e. basic internet ports are 443, 80, 53 (a few other ones will help with your functionality and might be required for your work PC); leave it as "any" if you trust your devices more than I do.
    4. Go to Status -> System logs -> Firewall as you change rules to see what is blocked and passed.
5. Go to Status -> Filter Reload and hit reload after rule changes, as I think this makes sure they are in effect(?); go to Diagnostics -> States and reset all states after rule changes... wish I had known this earlier.

    For a simple setup your rules could look like the following:

    VPN Device rule:
    Address Family - IPv4+IPv6 (I don't use IPv6)
    Protocol - TCP/UDP

    Source - "Single host or alias" then type in the name of your alias "VPN devices"
    Destination - "Single host or alias" then type in the name of your alias "Internet Ports"

Now specify the "Gateway" by hitting the "Display Advanced" button, look for the "Gateway" drop-down and choose your gateway; in this example it is "NordVPN VPN" or whatever name you gave your VPN interface.

    ISP Device rule:
Same as above, except use your "ISP devices" alias and choose your WAN; in my case "WAN_DHCP - My ISP IP".

Look at my posts with answers from some great folks who helped me out... but the above will get you going and I think is better than the default "Any/Any" rules. When you start getting into DNS resolvers, more privacy, more restricted rules, IoT devices on a separate network, things get more complicated than the above.

    Hope this helps...

    V



  • Thanks V3lcr0, I will try this out and post back in a day or so.



  • Hi V3lcr0,

Since I want all my devices -- except my work laptop and my TV -- to go through the VPN interface, can't I just create an alias for ISP_DEVICES and assign static IPs to those 2 devices? That way, I don't have to assign static IPs to the devices that I want to go through the VPN. Will this work, or do I have to create an alias for my VPN_DEVICES as well?

    Also when the rules are applied "top-down" does that mean the top rules get priority or the other way around?


  • Netgate

    @Inxsible:

    Hi V3lcr0,

Since I want all my devices -- except my work laptop and my TV -- to go through the VPN interface, can't I just create an alias for ISP_DEVICES and assign static IPs to those 2 devices? That way, I don't have to assign static IPs to the devices that I want to go through the VPN. Will this work, or do I have to create an alias for my VPN_DEVICES as well?

    Yes. But it depends on whether you are accepting a default route from the VPN provider.

    If you are NOT accepting a default route from the VPN provider then:

    Make an alias for those two devices and, above the VPN policy routing rule, make a rule using that alias as the source with no gateway set.

    If you ARE accepting a default route from the VPN provider then:

    Make an alias for those two devices and, above the VPN policy routing rule, make a rule using that alias as the source and set the gateway on that rule to the appropriate WAN_GW.

    Also when the rules are applied "top-down" does that mean the top rules get priority or the other way around?

    When a packet is being processed it is compared to the rules from the top down. When a rule matches, that action (pass, reject, block) is taken, and processing moves to the next packet, starting at the top again.



  • @Derelict:

    @Inxsible:

    Hi V3lcr0,

Since I want all my devices -- except my work laptop and my TV -- to go through the VPN interface, can't I just create an alias for ISP_DEVICES and assign static IPs to those 2 devices? That way, I don't have to assign static IPs to the devices that I want to go through the VPN. Will this work, or do I have to create an alias for my VPN_DEVICES as well?

    Yes. But it depends on whether you are accepting a default route from the VPN provider.

    If you are NOT accepting a default route from the VPN provider then:

    Make an alias for those two devices and, above the VPN policy routing rule, make a rule using that alias as the source with no gateway set.

    If you ARE accepting a default route from the VPN provider then:

    Make an alias for those two devices and, above the VPN policy routing rule, make a rule using that alias as the source and set the gateway on that rule to the appropriate WAN_GW.

I have tried both ways: using "default" as the Gateway -- that is, not changing it at all -- and also using the WAN_DHCP option. I put the rule under Firewall --> Rules --> LAN, right above the only rule I have for my VPN (which was probably created when I followed the setup article listed in my first post).

What happens is, the IP that is listed in my alias stops getting internet completely in both cases. I get ERR_CONNECTION_TIMED_OUT when visiting any and all websites. The other devices on my network can access the internet just fine via my VPN interface; whatsmyip shows me my VPN IP address.

    @Derelict:

    Also when the rules are applied "top-down" does that mean the top rules get priority or the other way around?

    When a packet is being processed it is compared to the rules from the top down. When a rule matches, that action (pass, reject, block) is taken, and processing moves to the next packet, starting at the top again.

    Thanks.


  • Netgate

Must be configuring your rules wrong, because this works every time and does exactly as it's told.

    You'll probably have to post screenshots of your rules at least.



  • @Derelict:

Must be configuring your rules wrong, because this works every time and does exactly as it's told.

    You'll probably have to post screenshots of your rules at least.

    Ok. I'll do that later tonight. Thanks for the help.



Looking for more understanding on this, I stumbled across this thread: https://forum.pfsense.org/index.php?topic=105810.0

    which seems to be doing exactly what I need. I did the exact same thing and it didn't work. Maybe I have to look at my settings a bit more thoroughly. But in the meantime, I wanted a clarification.

Derelict, in that thread you advocate not using the Floating rules and simply creating the VPN rule which will tag NO_WAN_EGRESS on the packets that need to go out the VPN interface. Having followed the NordVPN tutorial listed in my first post, it seems like I have accepted a default route to the VPN.

Would it be beneficial or simpler to not do it that way and simply create a VPN interface (without doing anything else listed in the NordVPN tutorial) and then use just Firewall --> Rules --> LAN to create 2 rules: 1 for VPN_devices (tagged with NO_WAN_EGRESS) and 1 for WAN_devices (for my work laptop and my TV)?

    If so, please let me know. I would rather follow the pfSense way of doing things than following hack-job tutorials that differ with every VPN provider.


  • Netgate

    The NO_WAN_EGRESS tags must be blocked out WAN using a floating rule, so you are misreading, apparently.

    The gist is:

    If you route traffic for the VPN, tag it at the same time.

    Block anything tagged as such from egressing WAN.



  • Got it. Trying it out now…

    Thanks for sticking by me...



I just can't get this going. Here's how I set this up:

    Firewall Rule 1 and Firewall Rule 2 are screenshots of how I set up the rule.

    Firewall Rule Setup indicates I have that rule above my default VPN rule that goes via the VPN interface.

My alias -- wan_devices -- is set up as a Hosts alias with 1 IP for my work laptop.

    The minute I save the Firewall rule, my work laptop doesn't get any internet connection. This leads me to believe that the rule is catching the IP correctly. The only thing I can think of now is that the NordVPN tutorial probably set it in a way where nothing goes out of the WAN.

    If there is a way to just create a VPN interface and not follow anything in the NordVPN tutorial and simply do this via Firewall rules, then that would be best.

What am I doing wrong???

    ![Firewall Rule 1.png](/public/imported_attachments/1/Firewall Rule 1.png)
    ![Firewall Rule 2.png](/public/imported_attachments/1/Firewall Rule 2.png)
    ![Firewall Rule setup.png](/public/imported_attachments/1/Firewall Rule setup.png)



The 2nd rule is definitely getting hit because it's showing 20 states. Is your Outbound NAT set to auto? Post screenshots of outbound NAT; the issue might be there...



  • Here's the outbound NAT:

    ![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)



Yeah, that's not gonna work... You're NATing everything out your NORDVPN interface. You need to change that to WAN and then add a more restrictive Outbound NAT rule that only rewrites the addresses for your VPN alias group to the NORDVPN address, or you can do it the other way around, but the point is you need 2 rules there...
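The three pieces this thread turns on are top-down first-match rule evaluation (Derelict's answer above), tagging VPN-bound traffic and blocking that tag out WAN with a floating rule, and having an outbound NAT rule on every interface traffic can actually leave (luckman212's point just above). The following is an added example, not code from the thread or from pfSense: a small Python model of a LAN ruleset that reproduces the symptom (bypass hosts time out because nothing NATs them out WAN), the fix (a second outbound NAT rule), and the NO_WAN_EGRESS kill switch when the VPN gateway is down. Alias names, gateway names (WAN_DHCP, NORDVPN_VPNV4), addresses and the 192.168.1.0/24 LAN are all constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample data: a LAN of 192.168.1.0/24 with two bypass hosts.
ALIASES = {
    "wan_devices": ["192.168.1.50", "192.168.1.51"],  # work laptop, TV
    "LAN_net": ["192.168.1.0/24"],
}
# Gateway name -> interface the gateway lives on (assumed names).
GATEWAY_IF = {"WAN_DHCP": "WAN", "NORDVPN_VPNV4": "NORDVPN"}
NO_WAN_EGRESS = "NO_WAN_EGRESS"


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    source: str                    # alias name, CIDR/host, or "any"
    gateway: Optional[str] = None  # policy-routing gateway; None = "default"
    tag: Optional[str] = None      # tag stamped on packets this rule passes


@dataclass
class NatRule:
    interface: str  # outbound NAT applies to traffic leaving this interface
    source: str     # alias name, CIDR/host, or "any"


@dataclass
class Packet:
    src: str
    dst: str
    tags: set = field(default_factory=set)


def matches(spec: str, addr: str) -> bool:
    """Match an address against an alias name, a CIDR/host spec, or 'any'."""
    if spec == "any":
        return True
    entries = ALIASES.get(spec, [spec])
    return any(ip_address(addr) in ip_network(e, strict=False) for e in entries)


def first_match(rules, pkt):
    """pfSense interface rules: evaluated top-down, first match wins."""
    for rule in rules:
        if matches(rule.source, pkt.src):
            return rule
    return None


def forward(pkt, lan_rules, nat_rules, default_gw, down_gateways=frozenset()):
    """Return (verdict, egress_interface) for a packet entering from LAN."""
    rule = first_match(lan_rules, pkt)
    if rule is None or rule.action != "pass":
        return ("blocked", None)
    if rule.tag:
        pkt.tags.add(rule.tag)
    gw = rule.gateway or default_gw
    if gw in down_gateways:
        # pfSense default: a rule whose gateway is down behaves as if it had
        # no gateway, so the packet follows the system default route.
        gw = default_gw
    egress = GATEWAY_IF[gw]
    # Floating rule from the thread: block out on WAN tagged NO_WAN_EGRESS.
    if egress == "WAN" and NO_WAN_EGRESS in pkt.tags:
        return ("blocked_by_floating", egress)
    # A private source leaving an interface with no outbound NAT rule for it
    # goes out untranslated and never gets a reply: from the client that
    # looks like ERR_CONNECTION_TIMED_OUT.
    if not any(n.interface == egress and matches(n.source, pkt.src) for n in nat_rules):
        return ("no_outbound_nat", egress)
    return ("pass", egress)


# LAN rules in order: bypass rule for the alias ABOVE the catch-all VPN rule.
LAN_RULES = [
    Rule("pass", "wan_devices", gateway="WAN_DHCP"),
    Rule("pass", "LAN_net", gateway="NORDVPN_VPNV4", tag=NO_WAN_EGRESS),
]
NAT_AS_TUTORIAL = [NatRule("NORDVPN", "LAN_net")]              # everything out VPN only
NAT_FIXED = NAT_AS_TUTORIAL + [NatRule("WAN", "wan_devices")]  # second rule for the bypass hosts


def scenario(nat_rules, src, default_gw, down=frozenset()):
    """Run one constructed packet from src to an arbitrary internet host."""
    return forward(Packet(src, "198.51.100.10"), LAN_RULES, nat_rules, default_gw, down)


if __name__ == "__main__":
    print(scenario(NAT_AS_TUTORIAL, "192.168.1.50", "NORDVPN_VPNV4"))  # laptop: no WAN NAT
    print(scenario(NAT_FIXED, "192.168.1.50", "NORDVPN_VPNV4"))        # laptop: out WAN
    print(scenario(NAT_FIXED, "192.168.1.77", "NORDVPN_VPNV4"))        # any other host: out VPN
    print(scenario(NAT_FIXED, "192.168.1.77", "WAN_DHCP", {"NORDVPN_VPNV4"}))  # VPN down: blocked
```

The last scenario uses a WAN default route (the "not accepting a default route from the VPN provider" case) so that a downed VPN gateway makes the tagged traffic fall back to WAN, where the floating rule stops it; without that floating block the same packet would leak out the ISP connection in clear.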



  • thanks luckman212,

The NATing of everything out the NORDVPN interface was done by the tutorial that I followed from NordVPN. I would rather do what is correct than try to circumvent the NordVPN tutorial. What would be the recommended way?

• Do you think I should default everything out my WAN and create an alias for all my VPN devices, or

• default everything out my VPN and create an alias for my WAN devices?

I want only 2 devices out my WAN, the rest all via VPN. So option 2 would mean setting static IPs on only 2 devices vs. the first option, where I would have to set static IPs for almost all my devices.

Should I just "factory reset" my pfSense, in order to get rid of everything that the NordVPN tutorial did and start over the right way?



You are not "circumventing" anything. The tutorial just doesn't cover your particular case, but there is nothing "wrong" about what I am suggesting here. Yes, in your case I would go with option #2: just define your alias for the devices that you want to route normally (bypass VPN) and then set up outbound NAT based on that.



Thank you again luckman212. Creating a NAT rule for WAN helped me out. Now I have my work laptop showing me my ISP IP on whatsmyip and the other devices on my network showing me my VPN IP.

    Exactly what I wanted.

Just a quick question: if I add my TV's IP to my wan_devices alias, that should also allow it to go out via my ISP? At that point I don't have to do anything with NAT rules, correct?



Correct, from this point on you can manage everything through your aliases, as long as you do not add any additional network interfaces or VLANs. Glad you got things working!



  • Wonderful. Thank you again for sticking by a novice like me.