Policy based routing is ignoring me - how rude! :-)

  • Hi,

    I'd like to route selective hosts from my LAN over a VPN client with NordVPN.  The NordVPN connection appears to be up (OpenVPN) but I'm struggling with what I'd imagined would be the easier part: the policy based routing rule.

    I have a very simple setup: LAN, WAN and now NORDVPN interfaces.  I've created an Alias to contain LAN hosts I want to use the VPN and added a rule on the LAN interface of the firewall rules, immediately beneath the "anti lockout" rule - Source: the hosts in my alias group > use the NORDVPN gateway interface.

    But whenever I launch a browser for testing from any of the hosts in the Alias group, my traffic just continues to go out over my regular WAN interface.

    I've tried restarting the pfSense box just in case, but it's always the same.  Can anyone suggest what I may have missed or am doing wrong?



  • LAYER 8 Global Moderator

    And did you look in your alias table - did you put host names or something that are not resolving?  You can view what is in your alias table under Diagnostics > Tables.

    Why do you have 2 any any ipv4 rules on the bottom?  With one having some sort of rollover on the counter for traffic showing a -784 MB number..

    Also did you clear states of these hosts after you put in rules, or they would just use the current states..

  • Hi,

    And did you look in your alias table - did you put host names or something that are not resolving?

    For testing I currently only have a single host (my own desktop) in the 'NordVPN' Alias table, which seems to show up fine via Diagnostics > Tables.  The Alias contains my IPv4 private address, not a hostname.

    Why do you have 2 any any ipv4 rules on the bottom?  With one having some sort of rollover on the counter for traffic showing a -784 MB number..

    Not sure I put those there - something to do with pfBlocker perhaps?  Happy to get rid of them if you think it will help.  Incidentally I have tried turning off pfBlocker too but it made no difference.

    Also did you clear states of these hosts after you put in rules, or they would just use the current states..

    I didn't explicitly clear states, but I have rebooted the box itself (complete power-cycle) - would states persist after that?


  • LAYER 8 Global Moderator

    So you sure the host you're testing from is this  Maybe its IP changed, etc.  You sure you're even using 192.168.1 on your LAN net? ;)  Don't take that the wrong way, have seen users do that ALL the time… I mean a LOT!!!  They don't even know what network they are using - heheh

    As to your 2 bottom rules.. I would get rid of the one showing the rollover on the B count.. Something wrong there!!

    You sure this box is even using pfSense as its gateway?  It's not connected to some wifi network across the street, etc.?

  • Hehe - no worries John, always worth checking. :-)  I once had a switch and our main office pfSense come up on the same private IP; that took some debugging….

    My machine is definitely on the correct IP as listed in the table (via Ethernet, so no wifi confusion) and using the pfSense box as its gateway + DNS.

    It's weird: I'm showing states and traffic over the VPN interface according to Firewall > Rules > LAN, but if I view states via Diagnostics > States > NORDVPN_INTERFACE that shows nothing.

    And - probably unrelated - is it expected that Status > Traffic Graph would show an entry for the VPN INTERFACE I created as well as the OpenVPN Client connection from its "Interface" dropdown list?  I'd have imagined only Interfaces in their strictest sense would be there, not the OpenVPN client as well.



  • LAYER 8 Global Moderator

    Well it is showing states and traffic flowing out that rule.. What about your outbound NAT rules?  Did you set up an outbound NAT to use your VPN connection?  Could you post those please?

    You can see for example the 2 I created for my VPN connections to my VPS, that allow pfSense to NAT inside traffic to the tunnel network it gets from the VPN connection.

  • OK, we may be getting somewhere (thanks).

    Currently my Outbound NAT looks like the attached.  Not many similarities with yours at all.

    Have to admit outbound NAT isn't an area I know much about even at the conceptual level.


  • LAYER 8 Global Moderator

    Well how would pfSense NAT your internal IPs to your tunnel IP so you could use your VPN connection if you're not NATting your networks behind pfSense to your VPN tunnel IP.. So yeah, nothing is going to be able to go out your VPN connection.. Unless it knew to NAT, say, 192.168.1/24.

    You need to set up an outbound NAT to your VPN interface.  Pretty sure that is listed in the docs to use a client VPN connection.. I will have to double-check the docs - but yeah, that is a requirement.

    I had one time started some doc in the wiki about creating client connections to your own VPN servers.. But I got sidetracked and never got back to it - will have to look through the wiki to see if there are docs on this - I think they are all geared towards running pfSense as your VPN server vs using it as a client to public or your own VPN services on the internet.  But yeah, you have to tell pfSense how to NAT to these IPs to be able to use them.

    With so many people using pfSense as a client to VPN services, and wanting to do policy routing - if it's not there, will have to create something ;)

  • Indeed.

    The good news is that I've managed to achieve the inverse of what I had before our discussion.  My machine - the host specified in the alias group which should traverse the VPN - is now doing so, after creation of outbound NAT rules.  Result!

    Unfortunately no other machines on the same LAN can now reach the public internet, only my machine, the one in the alias group.

    Maybe my LAN rules need attention?  I now have "IF host is a member of the alias group THEN > over the VPN you go"; what I need is the "ELSE if host is not a member of the alias group THEN just use the internal routing table to reach the public internet over WAN".  Which tbh is how the LAN rules look to me anyway (attached)?

    Or do I need to add a manual outbound NAT entry for how to handle LAN traffic which isn't a member of my alias group?

    Incidentally the 10.100 mappings I've underlined in the screenshot appeared when I changed from Automatic to Manual NAT (my NORDVPN / OpenVPN-assigned interface address); I didn't add them myself.  All I did in the Outbound NAT screen was to change the Interface options to my NORDVPN interface.


  • LAYER 8 Global Moderator

    Dude, well yeah, cuz you dicked up your outbound NAT ;)

    Change your NAT to hybrid and just add a NAT above the automatic ones for your VPN interface.

    If you're going to do manual - you have to have NAT for your WAN interface and your networks.. You don't have anything there other than firewall.

    It's easier to just let pfSense do automatic NAT for its networks and, in hybrid mode, just add an outbound NAT to be able to use your VPN interface.
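    The end state the thread arrives at (a policy-route rule for alias members on LAN, plus hybrid-mode outbound NAT that keeps the automatic WAN rule and adds one for the tunnel), written out as pf.conf-style rules.  This is an added illustration, not configuration from the thread or from pfSense itself; the interface names, the alias member, the LAN subnet and the tunnel gateway address are assumed.

```pf
# Added example (not from the thread): pf.conf-style equivalent of the
# pfSense GUI setup discussed above. Assumed names and addresses:
lan     = "igb1"            # LAN interface
wan     = "igb0"            # WAN interface
vpn     = "ovpnc1"          # OpenVPN client instance assigned as NORDVPN
vpn_gw  = "10.100.0.1"      # assumed far end of the tunnel (the gateway)
lan_net = "192.168.1.0/24"
table <nordvpn_hosts> { 192.168.1.50 }   # the alias; one constructed member

# --- Outbound NAT: translation rules match first-to-last ---
# What "Manual" mode with only a VPN entry gave the OP: no WAN rule at all,
# so non-alias hosts leave WAN with their private source address and the
# replies never come back. (Kept commented out as the broken variant.)
#   nat on $vpn inet from $lan_net to any -> ($vpn)
#
# "Hybrid" mode: the automatic WAN rule stays, the VPN rule is added.
nat on $wan inet from $lan_net to any -> ($wan)
nat on $vpn inet from $lan_net to any -> ($vpn)

# --- LAN filter rules: first match wins ("quick") ---
# Alias members are policy-routed into the tunnel; route-to names the
# tunnel interface and its gateway. This must sit above the generic rule.
pass in quick on $lan route-to ($vpn $vpn_gw) inet from <nordvpn_hosts> to any keep state

# Everyone else follows the system routing table (default route via WAN),
# so no explicit "ELSE" rule is needed for the non-alias hosts.
pass in quick on $lan inet from $lan_net to any keep state
```

    Existing states keep their original path, so after changing rules, reset the states for the test host (Diagnostics > States) before judging whether the new rule is taking effect.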
