Netgate Discussion Forum

    Policy based routing is ignoring me - how rude! :-)

    General pfSense Questions
steveharman

      Hi,

I'd like to route selective hosts from my LAN over a VPN client with NordVPN.  The NordVPN connection appears to be up (OpenVPN) but I'm struggling with what I'd imagined would be the easier part: the policy-based routing rule.

      I have a very simple setup: LAN, WAN and now NORDVPN interfaces.  I've created an Alias to contain LAN hosts I want to use the VPN and added a rule on the LAN interface of the firewall rules, immediately beneath the "anti lockout" rule - Source: the hosts in my alias group > use the NORDVPN gateway interface.

      But whenever I launch a browser for testing from any hosts in the Alias group my traffic just continues to go out over my regular WAN interface.

      I've tried restarting the pfSense box just in case, but it's always the same.  Can anyone suggest what I may have missed or am doing wrong?

      Thanks,

      Steve
johnpoz LAYER 8 Global Moderator

And did you look in your alias table - did you put host names or something that are not resolving?  You can view what is in your alias table under Diagnostics > Tables.

        Why do you have 2 any any ipv4 rules on the bottom?  With one having some sort of rollover on the counter for traffic showing a -784 MB number..

        Also did you clear states of these hosts after you put in rules, or they would just use the current states..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

steveharman

          Hi,

          And did you look in your alias table - did you put host names or something that are not resolving?

          For testing I currently only have a single host (my own desktop) in the 'NordVPN' Alias table which seems to show up fine via Diagnostics > Table.  The Alias contains my ipv4 private address, not hostname.

          Why do you have 2 any any ipv4 rules on the bottom?  With one having some sort of rollover on the counter for traffic showing a -784 MB number..

          Not sure I put those there - something to do with pfBlocker perhaps?  Happy to get rid of them if you think it will help.  Incidentally I have tried turning off pfBlocker too but it made no difference.

          Also did you clear states of these hosts after you put in rules, or they would just use the current states..

          I didn't explicitly clear states, but I have rebooted the box itself (complete power-cycle) - would states persist after that?

          Steve

johnpoz LAYER 8 Global Moderator

So are you sure the host you're testing from is this 192.168.1.58?  Maybe its IP changed, etc.  You sure you're even using 192.168.1 on your LAN net? ;)  Don't take that the wrong way, I have seen users do that ALL the time… I mean a LOT!!!  They don't even know what network they are using - heheh

            As to your 2 bottom rules.. I would get rid of the one showing the rollover on the B count.. Something wrong there!!

You sure this 192.168.1.58 box is even using pfsense as its gateway?  It's not connected to some wifi network across the street, etc.?

steveharman

              Hehe - no worries John, always worth checking. :-)  I once had a switch and our main office pfsense come up on the same private IP, that took some debugging….

              My machine is definitely on the correct IP as listed in the table (via Ethernet, so no wifi confusion) and using the pfsense box as its gateway + DNS.

It's weird: I'm showing states and traffic over the VPN interface according to Firewall Rules > LAN, but if I view states via Diagnostics > States > NORDVPN_INTERFACE that shows nothing.

              And - probably unrelated - is it expected that Status > Traffic Graph would show an entry for the VPN INTERFACE I created as well as the OpenVPN Client connection from its "Interface" dropdown list?  I'd have imagined only Interfaces in their strictest sense would be there, not the OpenVPN client as well.

              Cheers,

              Steve

johnpoz LAYER 8 Global Moderator

                Well it is showing states and traffic flowing out that rule.. What about your outbound nat rules?  Did you setup an outbound nat to use your vpn connection?  Could you post those please?

                You can see for example the 2 I created for my vpn connections to my vps, that allow for pfsense to nat inside traffic to the tunnel network it gets from the vpn connection.

steveharman

OK, we may be getting somewhere (thanks).

                  Currently my Outbound NAT looks like the attached.  Not many similarities with yours at all.

                  Have to admit outbound NAT isn't an area I know much about even at the conceptual level.

                  Steve

johnpoz LAYER 8 Global Moderator

Well, how would pfsense nat your internal IPs to your tunnel IP so you could use your vpn connection if you're not natting your networks behind pfsense to your vpn tunnel IP?  So yeah, nothing is going to be able to go out your vpn connection.. Unless it knew to nat, say, 192.168.1/24

                    You need to setup an outbound nat to your vpn interface.  Pretty sure that is listed in the docs to use a client vpn connection.. I will have to doublecheck the docs - but yeah that is a requirement.

                    I had one time started some doc in the wiki about creating client connects to your own vpn servers.. But I got side tracked and never got back to it - will have to look through the wiki to see if there is docs on this - I think they are all geared towards running pfsense as your vpn server vs using it as client to public or your own vpn services on the internet.  But yeah you have to tell pfsense how to nat to these IPs to be able to use them.

                    With so many people using pfsense as client to vpn services, and wanting to do policy routing - if not there, will have to create something ;)

steveharman

                      Indeed.

                      The good news is that I've managed to achieve the inverse of what I had before our discussion.  My machine - the host specified in the alias group which should traverse the VPN - is now doing so, after creation of outbound NAT rules.  Result!

                      Unfortunately no other machines on the same LAN can now reach the public internet, only my machine, the one in the alias group.

                      Maybe my LAN rules need attention?  I now have "IF host is a member of the alias group THEN > over the VPN you go" what I need is the "ELSE if host is not a member of the alias group THEN just use the internal routing table to reach the public internet over WAN" Which tbh is how the LAN rules look to me anyway (attached) ?

                      Or do I need to add a manual outbound NAT entry for how to handle LAN traffic which isn't a member of my alias group?

                      Incidentally the 10.100 mappings I've underlined in the screenshot appeared when I changed from Automatic to Manual NAT (my NORDVPN / OpenVPN-assigned interface address = 10.8.8.5) I didn't add them myself.  All I did in the Outbound NAT screen was to change the Interface options to my NORDVPN interface.

                      Steve

johnpoz LAYER 8 Global Moderator

                        Dude well yeah cuz you dicked up your outbound nat ;)

                        Change your nat to hybrid and just add a nat above the automatic for your vpn interface.

If you're going to do manual, you have to have nat for your wan interface and your networks.. You don't have anything there other than firewall 127.0.0.1..

It's easier to just let pfsense do automatic nat for its networks and just in hybrid mode add an outbound nat to be able to use your vpn interface.

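A checklist for the pieces this thread walks through (the alias contents, the route-to rule, outbound NAT on the VPN interface and on WAN, and the states on the VPN interface), written as an added example rather than anything posted in the thread. It assumes pfSense's default names: ovpnc1 for the first OpenVPN client, em0 for WAN, an alias called NordVPN_hosts and a test host of 192.168.1.58; when pfctl is absent it runs on constructed pfctl output shaped like a working setup.

```shell
#!/bin/sh
# Added example (not from the thread): checklist for policy routing a LAN alias over an
# OpenVPN client on pfSense. Each check reads one pfctl output on stdin, so it works on
# the box itself or on captured text. Assumed names (override via environment): alias
# NordVPN_hosts, OpenVPN client interface ovpnc1, WAN em0, test host 192.168.1.58.
ALIAS=${ALIAS:-NordVPN_hosts}; VPN_IF=${VPN_IF:-ovpnc1}; WAN_IF=${WAN_IF:-em0}; HOST=${HOST:-192.168.1.58}

alias_has_host()   { grep -qx "[[:space:]]*$1"; }             # stdin: pfctl -t $ALIAS -T show
has_policy_route() { grep -q "route-to *( *$1 .*from <$2>"; } # stdin: pfctl -sr  ($1 vpn if, $2 alias)
has_nat_on()       { grep -q "^nat on $1 "; }                 # stdin: pfctl -sn  ($1 interface)
has_state_on()     { grep -q "^$1 .*$2:"; }                   # stdin: pfctl -ss  ($1 interface, $2 host)

# Runs the checks the thread walks through; $1..$4 are files holding the four pfctl outputs.
# Returns 0 only when the alias entry, the route-to rule and outbound NAT on BOTH the VPN
# interface and WAN are present (manual NAT mode that drops the WAN rule cuts off the rest of the LAN).
check_setup() {
    rc=0
    alias_has_host "$HOST" <"$1"              || { echo "FAIL: $HOST is not in alias <$ALIAS>"; rc=1; }
    has_policy_route "$VPN_IF" "$ALIAS" <"$2" || { echo "FAIL: no LAN rule routing <$ALIAS> via $VPN_IF"; rc=1; }
    has_nat_on "$VPN_IF" <"$3"                || { echo "FAIL: no outbound NAT on $VPN_IF; nothing can leave the tunnel"; rc=1; }
    has_nat_on "$WAN_IF" <"$3"                || { echo "FAIL: no outbound NAT on $WAN_IF; other LAN hosts lose Internet"; rc=1; }
    has_state_on "$VPN_IF" "$HOST" <"$4"      || echo "note: no states for $HOST on $VPN_IF yet; clear states and retest"
    [ "$rc" -eq 0 ] && echo "ok: alias entry, route-to rule and NAT on $VPN_IF and $WAN_IF all present"
    return "$rc"
}

t=$(mktemp -d)
if command -v pfctl >/dev/null 2>&1; then   # live run on the pfSense shell
    pfctl -t "$ALIAS" -T show >"$t/alias"; pfctl -sr >"$t/rules"; pfctl -sn >"$t/nat"; pfctl -ss >"$t/states"
else                                        # offline demo on constructed output shaped like a working setup
    printf '   192.168.1.58\n' >"$t/alias"
    printf 'pass in quick on em1 route-to (ovpnc1 10.8.8.1) inet from <NordVPN_hosts> to any keep state\n' >"$t/rules"
    printf 'nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.7 port 1024:65535\n' >"$t/nat"
    printf 'nat on ovpnc1 inet from 192.168.1.0/24 to any -> 10.8.8.5 port 1024:65535\n' >>"$t/nat"
    printf 'ovpnc1 tcp 10.8.8.5:51234 (192.168.1.58:51234) -> 93.184.216.34:443 ESTABLISHED:ESTABLISHED\n' >"$t/states"
fi
check_setup "$t/alias" "$t/rules" "$t/nat" "$t/states"
rm -rf "$t"
```

The two FAIL lines for NAT correspond to the two states Steve reports: automatic NAT with no tunnel rule (nothing uses the VPN), then manual NAT with only the tunnel rule (everyone else loses the Internet); hybrid mode with one added VPN rule passes both.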
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.