SOLVED - Single WAN/Multi Subnet Traffic Issue

  • I've got 5 physical NICs in my pf box for 5 separate subnets, and that all seems to be fine.

    One of the subnets is for clients needed OpenVPN, and THAT is working without issue.

    I have found today that 2 of the subnets, upon attempting to grant WAN/Internet access are not getting anywhere. Upon checking the firewall logs, it seems the traffic is leaving the OpenVPN interface (not subnet>WAN as I believe it should). I believe I have messed up a NAT rule somewhere when moving between Hybrid and Auto.


    WAN IP: (DMZ'd from my ISP router)
    Sub 1: (guests)
    Sub 2: (Cisco Voice)
    Sub 3: (Private Internet Access Client Subnet)
    Sub 4: (Dev/Test)
    Sub 5: (IoT Subnet)

    Up until today, only the PIA/Sub 3 needed WAN access and I have not had an issue. Today, I attempted to give a guest some net access (Sub 1) and they were unable to get anywhere. Not a DNS issue as they could not ping via IP either.

    I have 2 rules for that subnet - the anti lockout LAN rule, and a IPv4 * * rule (allow all). The traffic in the Firewall log is showing as passed, but it is showing as coming from the OPENVPN Interface, not the GLAN (guest interface). What am I missing?!?

    I have uploaded some photos from the Interfaces, Firewall Status, Rules and NAT pages. Please let me know if there is more info that would be helpful!

  • Guess, you get the default route pushed from the PIA server.

    If so, go the the vpn client settings and check "Don't pull routes".
    To direct traffic to PIA you have to set policy routing rules, if you haven't already done that.

  • Thank you very much! The net is now fixed on the subs that I have allowed. The change took down the VPN dedicated subnet, but I will look in to the policy routing you mentioned.

    Thanks again.

  • Policy routing setup and seems to be working.

    I am not sure the NO_WAN_EGRESS is working yet, but I will confirm and tweak today.

    Thanks again for the assistance.

Log in to reply