How to bypass VPN for a specific IP range?

  • I have a VPN set up on pfSense and it is routing ALL of my traffic through the VPN, as one would expect. There are a few instances where I would like to bypass the VPN for a specific IP range, or even individual IPs, whichever will work.

    I followed this tutorial on setting it up:

    Can someone point me in the right direction on how to achieve this?

  • I have found a way and it works; however, it seems that I can only do a single IP at a time in the firewall rules. Is there a way for me to specify a range? For example, through

    I've added a LAN firewall rule, chosen Pass, opened the advanced gateway option and chosen the WAN and NOT the VPN. I then chose Single host as the destination and entered an IP address. This allowed it to bypass the VPN.

  • LAYER 8 Netgate

    You are bypassing policy routing. That is completely normal:

    Yes, you can bypass for ranges. Make an alias containing the IP addresses you want to bypass and use that alias as the source address in the firewall rule.

  • THANKS!! I ended up creating about 7-8 individual rules, but I may create an alias as you suggested to clean things up a bit.

  • I would strongly 2nd Derelict…make an alias! Super easy to do and more importantly super easy to maintain.

  • Yup. That's what I did this morning. It was super easy. I created the alias and deleted the individual rules. Now I have a decent IP range that I can either statically assign to clients or have the DHCP server hand out based on MAC address, which I have set up for about 7 items on the network right now.

  • LAYER 8 Netgate

    Pro-tip: make things like this fall into a CIDR range so you can not only do it with an alias, but the alias can be simpler.

    Like make your "special" devices addressed as through Then you can just use

    That makes a lot more sense than using, say, .100 - .150

  • You've lost me now  ;D

    I was just wondering last night what the significance of the suffix (/24, /32 etc.) is…
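To make the CIDR pro-tip above concrete (and to answer the prefix-length question that follows it), here is an added example that is not part of the original thread and not pfSense code. It uses only Python's standard `ipaddress` module. The subnet 192.168.1.0/24 and the host addresses are constructed for illustration; the helper names are mine. It shows why an arbitrary range such as .100-.150 needs seven alias entries (matching the "7-8 rules" the poster ended up with), while an aligned range such as .128-.159 collapses to a single /27, and what a /24 or /32 suffix actually means in terms of address count.

```python
import ipaddress


def summarize_range(first, last):
    """Minimal list of CIDR blocks that exactly cover first..last (inclusive).

    Each entry is what you would paste into a pfSense network alias; fewer
    entries means a simpler alias and a simpler rule to audit.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def single_block(first, last):
    """Return the one CIDR covering the range if it is properly aligned, else None."""
    blocks = summarize_range(first, last)
    return blocks[0] if len(blocks) == 1 else None


def smallest_enclosing_block(hosts):
    """Smallest single CIDR that contains every given host address.

    Useful when planning where to place the 'special' devices: if this comes
    back much larger than the number of hosts, the addresses are not aligned
    and the alias will either be loose (over-matching) or need many entries.
    """
    addrs = [ipaddress.ip_address(h) for h in hosts]
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")  # start at /32
    while hi not in net:
        net = net.supernet()  # widen by one bit until the top address fits
    return str(net)


def prefix_info(cidr):
    """Explain a prefix length: /24 = 256 addresses, /32 = exactly one host."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "num_addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def alias_covers(alias_entries, hosts):
    """Check which hosts a pfSense-style alias (list of CIDR/host entries) would match.

    This is the check to run before trusting a bypass rule: a host that is NOT
    covered keeps going through the VPN, and a host that is unexpectedly
    covered has escaped it.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in alias_entries]
    return {h: any(ipaddress.ip_address(h) in n for n in nets) for h in hosts}


if __name__ == "__main__":
    # Constructed example addresses in 192.168.1.0/24.
    print("unaligned .100-.150:", summarize_range("192.168.1.100", "192.168.1.150"))
    print("aligned .128-.159:  ", single_block("192.168.1.128", "192.168.1.159"))
    print("enclosing .100-.150:", smallest_enclosing_block(["192.168.1.100", "192.168.1.150"]))
    print("/24 means:", prefix_info("192.168.1.0/24"))
    print("/32 means:", prefix_info("192.168.1.50/32"))
    print(alias_covers(["192.168.1.128/27"], ["192.168.1.130", "192.168.1.160"]))
```

`summarize_range` is the direct equivalent of building the alias by hand; `smallest_enclosing_block` is the planning step the pro-tip describes: pick a range whose enclosing block is the same size as the range itself, then the alias is one line. `alias_covers` is the sanity check to run on the alias entries before relying on the bypass rule.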
