Why was all my traffic routed through VPN



  • Hello Everybody,
    Today I configured my pfSense box to be an OpenVPN client for ProtonVPN. After I had set everything up and created a rule that only the traffic of one computer be routed through the VPN interface, I noticed that traffic from all connected devices was being routed through VPN.
    The Firewall rule set was as follows:

    Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
    IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
    IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
    IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

    I then managed to rectify the problem by editing the default allow LAN to any rule and changing the gateway to GW_WAN:

    Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
    IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
    IPv4*     LAN net      *     *            *     GW_WAN          none             Default allow LAN to any rule
    IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

    Would someone please be able to explain to me why that happened? Why was the traffic from all connected devices routed through VPN, and not just the traffic for the desktop PC (192.168.3.6)?



  • Presumably the vpn server pushes the default route to you. To prevent that go to the client settings and check "Don't pull routes".



  • Hi viragomann,
    Thanks for your reply. I have ticked "Don't pull routes" in the VPN client settings now and set the default GW for the "Default allow LAN to any" rule to any (*), and now the traffic for my desktop computer is not being routed through the VPN anymore.
    This is my current firewall ruleset:

    Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
    IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
    IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
    IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

    Any idea why this might be happening? Are there now any static routes I need to add?



  • @MondQ:

    and now the traffic for my desktop computer is not being routed through the VPN anymore.

    Your desktop computer is 192.168.3.6?
    Since you have the VPN gateway set in the rule for its upstream traffic, it should go out via the VPN, at least IPv4 traffic.

    Consider that new rules don't affect existing connections. You'll have to reset states.



  • The desktop is indeed 192.168.3.6 and yes, I did reset the state table when I changed the rules. :)

    I found what the problem was. I tried ticking the "Don't pull routes" box again. I then noticed that my ProtonVPN gateway in System > Routing (pfSense 2.4 btw) did not have a gateway and monitor IP, so I restarted the OpenVPN service, which fixed the issue as it was then given a gateway and monitor IP again.

    This is the current rule set and it works perfectly:

    Protocol  Source       Port  Destination  Port  Gateway         Queue  Schedule  Description
    IPv4*     192.168.3.6  *     *            *     ProtonVPN_DHCP  none             Desktop - Traffic to VPN
    IPv4*     LAN net      *     *            *     *               none             Default allow LAN to any rule
    IPv6      LAN net      *     *            *     *               none             Default LAN IPv6 to any rule

    Thanks for your input.
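The following is an added illustration, not part of the thread, that models in Python how pf's first-match rule evaluation interacts with the system default route: a rule whose gateway is "*" follows the routing table, and a pushed OpenVPN redirect-gateway moves that route onto the tunnel unless "Don't pull routes" (route-nopull) is set. The second LAN host 192.168.3.7 is constructed, and pfSense's default handling of a down gateway (the rule is loaded without its gateway) is assumed as noted in the comments.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    proto: str        # "IPv4" or "IPv6"
    source: str       # host or network in CIDR form
    gateway: str      # "*" = let the system routing table decide
    description: str

# Constructed LAN rule sets mirroring the two IPv4 rules in the thread's tables.
RULES_DEFAULT_GW = [
    Rule("IPv4", "192.168.3.6/32", "ProtonVPN_DHCP", "Desktop - Traffic to VPN"),
    Rule("IPv4", "192.168.3.0/24", "*", "Default allow LAN to any rule"),
]
RULES_PINNED_WAN = [
    Rule("IPv4", "192.168.3.6/32", "ProtonVPN_DHCP", "Desktop - Traffic to VPN"),
    Rule("IPv4", "192.168.3.0/24", "GW_WAN", "Default allow LAN to any rule"),
]

def system_default_gateway(server_pushes_redirect: bool, dont_pull_routes: bool) -> str:
    """Owner of the default route once the OpenVPN client is up: a pushed
    redirect-gateway moves it onto the tunnel unless pushed routes are ignored
    (OpenVPN route-nopull, which is what pfSense's 'Don't pull routes' sets)."""
    if server_pushes_redirect and not dont_pull_routes:
        return "ProtonVPN_DHCP"
    return "GW_WAN"

def egress_gateway(src_ip: str, rules, default_gw: str, down=frozenset()) -> str:
    """pf evaluates LAN rules top-down, first match wins. A '*' gateway follows
    the routing table; by default pfSense also loads a rule without its gateway
    when that gateway is down (assumed here), so that traffic falls back too."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto == "IPv4" and ip.version == 4 and ip in ipaddress.ip_network(r.source):
            return default_gw if r.gateway == "*" or r.gateway in down else r.gateway
    return "BLOCKED"  # no matching pass rule: pf's implicit default deny

def scenario(rules, server_pushes_redirect, dont_pull_routes, down=frozenset()):
    """Egress gateway for the desktop (.6) and for a constructed second LAN host (.7)."""
    default_gw = system_default_gateway(server_pushes_redirect, dont_pull_routes)
    return {h: egress_gateway(h, rules, default_gw, down)
            for h in ("192.168.3.6", "192.168.3.7")}
```

Running scenario(RULES_DEFAULT_GW, True, False) reproduces the first post's symptom (both hosts leave via the VPN), while pinning the LAN rule to GW_WAN or setting dont_pull_routes=True confines the tunnel to 192.168.3.6.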

