2 WANS (Normal & VPN) All traffic going through one WAN regardless of NAT Rules

  • Currently on my pfsense box I have two WANs. A normal one to my ISP which I call WAN and one to my VPN I call VPN WAN. If I have both interfaces enabled all my traffic goes through the VPN WAN regardless of my NAT rules. My current NAT rules send all traffic on the VL with ID 20 to the VPN WAN and all traffic on the VL with ID 30 to the WAN. However using the packet capture tool I was able to see that all my traffic from VL 30 was going through the VPN WAN. Once I disabled the VPN WAN I was able to see, using the packet capture tool, that all the traffic on VL 30 was correctly going through the WAN. So next I tried enabling the VPN WAN again to see what happens. Again using the packet capture tool I saw that all the traffic on VL 30 was going through the WAN. However now when I checked traffic on VL 20 it was all going through the WAN rather than the VPN WAN per my NAT rules. Truthfully I am at a loss at this point.

  • So upon further inspection this appears to be a gateway problem so I'm not sure if an admin wants to move it or just delete it but I would like to leave the solution I found. I had to set the specific gateway in the firewall rules to get each VLAN to use the right gateway. I'm not sure why the WAN wasn't working as the default gateway even though it says it was in the config.

  • LAYER 8 Netgate

    You probably did not have Don't pull routes in your OpenVPN config to the VPN provider.

    VPN providers pretty much all set redirect-gateway def1 which routes all traffic over the VPN when connected unless you tell the client configuration not to pull routes.

    Outbound NAT does not have any bearing on what gets routed where. It only determines what NAT happens when traffic is sent out that interface.

    Setting a gateway on the firewall rules is called policy routing and is generally preferred over redirect-gateway to send traffic over the VPN.

    But it all depends on what it is you actually want. pfSense can probably be configured to do it.
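    The two pieces the reply describes, written out as an added illustration (not configuration from this thread or from pfSense itself): the OpenVPN client refusing the provider's pushed default route, and pf policy-routing rules that pin each VLAN to its gateway. Interface names, subnets and gateway addresses are assumptions.

    ```conf
    # --- OpenVPN client to the VPN provider (pfSense "Don't pull routes") ---
    client
    dev tun
    remote vpn.example.net 1194        # placeholder provider endpoint
    route-nopull                       # ignore ALL pushed routes, including redirect-gateway def1
    # OpenVPN 2.4+ alternative: keep other pushed options, drop only the default route
    # pull-filter ignore "redirect-gateway"

    # --- pf rules: the gateway is chosen by policy routing, not by outbound NAT ---
    vlan20_net = "10.0.20.0/24"        # assumed VLAN 20 addressing
    vlan30_net = "10.0.30.0/24"        # assumed VLAN 30 addressing

    # VLAN 20 -> VPN client interface (ovpnc1) and the tunnel's peer address
    pass in quick on igb0.20 route-to (ovpnc1 10.8.0.1) inet from $vlan20_net to any keep state
    # VLAN 30 -> ISP WAN interface and the ISP gateway
    pass in quick on igb0.30 route-to (igb0 203.0.113.1) inet from $vlan30_net to any keep state

    # Outbound NAT only rewrites the source address on the interface the packet
    # already left through; without the route-to above it cannot move traffic.
    nat on ovpnc1 inet from $vlan20_net to any -> (ovpnc1)
    nat on igb0   inet from $vlan30_net to any -> (igb0)
    ```

    Verify with the same packet capture the poster used: with route-nopull in place and no route-to rules, VLAN 30 should leave via igb0 even while the VPN is up; with the route-to rules, VLAN 20 should leave only via ovpnc1.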

  • Ok that makes a lot of sense! Thanks for teaching me something.