Netgate Discussion Forum

    [Solved] Cannot access LAN when bypassing VPN

    • truetype

      When I am connected to my VPN provider OVPN.com via OpenVPN there is no problem to reach LAN from my main PC.

      But in order to let my main PC bypass VPN sometimes I activate my VPN Bypass floating rule - see attached screenshots of config.
      Though when the bypass is activated I cannot access LAN anymore, not even ping..
      When I traceroute my main PC (192.168.2.5) from OPT2 it responds with 10.128.0.1, but when I traceroute from WAN or WLAN or anything else I get no response.
      I have not set any rules for OpenVPN or OPT2.

      I've tried to understand this for 3 days now.  :( Please help me out if you have a clue what's happening!

      See attached files for my configuration, I attached as much as I could think of that could be involved.
      ![VPN interfaces.PNG](/public/imported_attachments/1/VPN interfaces.PNG)
      VPN1.PNG
      ![VPN Floating.PNG](/public/imported_attachments/1/VPN Floating.PNG)
      ![VPN lan rules.PNG](/public/imported_attachments/1/VPN lan rules.PNG)
      ![VPN wlan rules.PNG](/public/imported_attachments/1/VPN wlan rules.PNG)
      ![VPN traceroute.PNG](/public/imported_attachments/1/VPN traceroute.PNG)
      ![VPN traceroute2.PNG](/public/imported_attachments/1/VPN traceroute2.PNG)

      • johnpoz LAYER 8 Global Moderator

        You're forcing traffic out your wan, so no you're not going to be able to access other networks that route through pfsense..

        Create a rule above where you force traffic out your vpn or wan that allows the traffic you want to your other lans..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • truetype

          @johnpoz:

          You're forcing traffic out your wan, so no you're not going to be able to access other networks that route through pfsense..

          Create a rule above where you force traffic out your vpn or wan that allows the traffic you want to your other lans..

          Thank you very much!
          So I created a new floating rule above all with the settings as the screenshot attached below and it works now!
          Though could you please explain since it's not like what you said really, I just solved the problem another way?

          I tried different rules the way you explained. Like: Interface = OPT2, Source=truetype, Destination=LAN net, but with no success.

          ![VPN floating1.PNG](/public/imported_attachments/1/VPN floating1.PNG)

          • Derelict LAYER 8 Netgate

            For clarity, I would put that on the WLAN interface and not use a floating rule there.

            Just put a pass rule with no gateway set above the rule that policy routes out OpenVPN.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • truetype

              @Derelict:

              For clarity, I would put that on the WLAN interface and not use a floating rule there.

              Just put a pass rule with no gateway set above the rule that policy routes out OpenVPN.

              When I put it on the WLAN interface it doesn't work for me, I guess that's because floating rules are above all other rules anyhow?

              • Derelict LAYER 8 Netgate

                It works if it is positioned ABOVE the policy-routing rule in the interface rule set.

                • truetype

                  @Derelict:

                  It works if it is positioned ABOVE the policy-routing rule in the interface rule set.

                  Forgive me, I guess I mix up the terms…
                  Please see attached screenshot, that is what I thought you meant by putting it on the WLAN interface.

                  But now I made a new floating rule like the 2nd screenshot and it works, I guess that is what you meant is a more neat solution?

                  ![WLAN rules.PNG](/public/imported_attachments/1/WLAN rules.PNG)
                  Finale.PNG

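A simplified model of the rule ordering discussed in this thread, added here as an illustration (it is not pfSense code and not from any poster): the first matching rule wins, floating rules are assumed to be marked quick and so are checked before interface rules, and a rule with a gateway set skips the routing table. Only 192.168.2.5 comes from the thread; the 192.168.1.0/24 LAN, the assumption that the PC sits on WLAN, the gateway names and the 203.0.113.7 destination are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str                        # source network (CIDR)
    dst: str                        # destination network (CIDR)
    gateway: Optional[str] = None   # set => policy routing, routing table is skipped
    floating: bool = False          # assumed "quick": checked before interface rules

# Constructed sample networks; only 192.168.2.5 comes from the thread.
CONNECTED = {"LAN": "192.168.1.0/24", "WLAN": "192.168.2.0/24"}
PC, LAN_HOST, INTERNET = "192.168.2.5", "192.168.1.10", "203.0.113.7"

def first_match(rules, src, dst):
    """Floating rules first, then interface rules, each group top-down."""
    ordered = [r for r in rules if r.floating] + [r for r in rules if not r.floating]
    for r in ordered:
        if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            return r
    return None  # nothing matched: default deny

def next_hop(rules, src, dst):
    """Where the firewall sends the packet once a rule has passed it."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule.gateway:                       # policy routing overrides the routing table
        return f"forced to {rule.gateway}"
    for name, net in CONNECTED.items():    # no gateway: normal routing applies
        if ip_address(dst) in ip_network(net):
            return f"delivered on {name}"
    return "default route"

# Placeholder gateway names (WAN_GW, OVPN_GW) stand in for the real gateways.
bypass = Rule("VPN bypass", f"{PC}/32", "0.0.0.0/0", gateway="WAN_GW", floating=True)
vpn = Rule("policy route out OpenVPN", "192.168.2.0/24", "0.0.0.0/0", gateway="OVPN_GW")
local = Rule("pass to LAN, no gateway", "192.168.2.0/24", "192.168.1.0/24")
local_floating = Rule("pass to LAN, no gateway", f"{PC}/32", "192.168.1.0/24", floating=True)

if __name__ == "__main__":
    print(next_hop([bypass, vpn], PC, LAN_HOST))                  # bypass alone
    print(next_hop([local_floating, bypass, vpn], PC, LAN_HOST))  # pass rule above it
    print(next_hop([local_floating, bypass, vpn], PC, INTERNET))  # bypass still applies
    print(next_hop([local, vpn], PC, LAN_HOST))                   # interface rules only
    print(next_hop([vpn, local], PC, LAN_HOST))                   # wrong order
```

In this model an interface pass rule cannot pre-empt a floating quick rule, so `next_hop([bypass, local, vpn], PC, LAN_HOST)` is still forced out the WAN gateway.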
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.