Routing certain ips through openvpn
-
Thanks! Everything seems to be going out via openvpn until I turn off openvpn
If I removed the openvpn Nat rules the connection stops altogether
I want everything to go straight out to the Internet apart from the devices I want to go through openvpn
Thanks again
-
That is to be done by policy routing.
The PIA outbound NAT rule is needed, otherwise your devices won't get any response from PIA. You have to avoid getting the default route pushed by the PIA server: Go to the client settings and check "Don't pull routes".
Add your devices which should be routed out to PIA to an alias.
Add a firewall pass rule to the LAN interface with source = the alias you've added first, dest = any, go down and open the advanced options, at gateway select the PIA gateway.
Put that rule at the top of the rule set. Consider that this firewall rule directs any traffic from concerned devices to PIA and permits access to the firewall itself. So if the devices should also have access to pfSense, e.g. for DNS, you have to add additional rules for that at the top of the rule set, leaving the gateway blank.
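
The steps above, written out as plain pf rules. This is an added illustration, not part of the original post and not the rule set pfSense itself generates; the interface names, gateway address, device addresses and table name are constructed placeholders.

```pf
# Constructed values: interface names, gateway and device addresses are placeholders.
lan_if = "igb1"        # LAN interface (assumed name)
vpn_if = "ovpnc1"      # OpenVPN client interface to PIA (assumed name)
vpn_gw = "10.8.0.1"    # gateway on the VPN tunnel (assumed address)

# The alias: devices that should leave through the VPN.
table <vpn_devices> { 192.168.1.50, 192.168.1.51 }

# Outbound NAT on the VPN interface, so replies from PIA can be mapped back
# to the internal devices.
nat on $vpn_if inet from <vpn_devices> to any -> ($vpn_if)

# Top of the rule set: DNS from the VPN devices to the firewall itself.
# No route-to here (gateway left blank), so the normal routing table applies.
pass in quick on $lan_if inet proto { tcp, udp } from <vpn_devices> to ($lan_if) port 53 keep state

# Policy route: all other traffic from the VPN devices is sent to the VPN gateway.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from <vpn_devices> to any keep state

# Every other LAN host: no gateway set, so it follows the default route,
# which stays on WAN because the VPN server's routes are not pulled.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

Rules are evaluated top to bottom and `quick` stops at the first match, which is why the DNS rule has to sit above the policy-routing rule.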
-
Thank you very much, that seems to work now, but the device is leaking my ISP. What do I need to do to stop this?
I currently have the settings as shown in the pic, but not sure if it is correct
Thanks again!
-
Yes, if the devices use the pfSense DNS and pfSense requests your ISP's DNS, you will have a DNS leak.
To avoid that, either configure the VPN devices to access a public DNS, which is routed over the VPN, or configure the pfSense DNS to route requests over the VPN.
On pfSense, if you use DNS Resolver, you can select interfaces for outgoing requests at "Outgoing Network Interfaces". If you only select your PIA VPN interface here, requests are only sent out over the VPN. BTW: DNS prefers UDP over TCP, but may use both. So you should change the rule to TCP/UDP.
-
Thanks again!
Yes, I use DNS Resolver.
How would I change it so only the VPNDevices would get a different DNS result to devices that go straight out?
Does my rule look okay apart from needing to be TCP/UDP?
Thanks!!
-
If your pfSense provides DNS service, it has to send requests to public DNS servers on its part. You are able to select the interface for outgoing requests, but there is no possibility to use this interface only for certain internal devices.
So an option is to configure the "VPN devices" to use a public DNS and go over the VPN. Then you can delete the DNS rule.
-
Thanks again, how would I change the "VPN Devices" to use a public DNS?
I'll delete that DNS rule I created too.
-
In the devices' network settings.
If the devices pull the settings from pfSense DHCP server you can set "DHCP Static Mappings" for each of them with specified DNS servers.
-
Thanks!
One of the devices I want to add has a static IP set on it, but it doesn't show in the DHCP table. The other device also has a static IP address and this shows in the DHCP table.
Does it only work if DHCP is automatic and not manually set?
Any ideas?
-
Think I have worked it out: I set them to assigned instead of static, added the static leases in pfSense, and they seem to be applying okay.
I have two DNS servers set on the static leases, but when I run a leak test four are showing. Why does this happen?
Thanks again!