Route one IP address outside the VPN
Bly last edited by
Hi all, I'd like one single IP from remote side of a VPN being accessed from outside the VPN, how can I do that?
I mean, one remote IP address can be accessed from inside the VPN and from WAN both. I'd like, to access this only IP, go throgh the WAN and it not being routed to the VPN.
Using a lan client outside the scope of the vpn, I already can ping the address by the wan side, but if I use a client within vpn scope, ping goes troughthe vpn.
Actual setup is:
- all my lan subnet addresses in 192.168.1.0/28 can access any address 18.104.22.168/18 through the vpn correctly
- the IP 22.214.171.124 can be accessed by wan too
- if I use a client with ip 192.168.1.112 I go to 126.96.36.199 through the WAN (no vpn involved)
- I'd like my clients within 192.168.1.0/28 access 188.8.131.52 through WAN and not vpn.
Can someone help me understand what the correct setup I have to do? TIA!
use policy routing to send your client either through the vpn or out your normal gateway for specific destinations.
Bly last edited by Bly
I added two floating rules:
IF: lan, source: any, direction: out
gateway: changed from default to gw_wan
IF: WAN, source: 184.108.40.206, direction: in
but this set of rules doesn't give the result I expect. I'm sure I'm missing something.
Edit: I have only one gateway. I guess changing from default to gw_wan doesn't change nothing.
Don't; put it on filter out in floating.. Its a little late for that... You should put the rule on the interface the traffic enters pfsense on.
Keep in mind that rules are evaluated top down, first rule to trigger wins, no other rules are evaluated
kpa last edited by
More specifically, it's not possible to redirect traffic that is leaving via an interface so any floating rule acting on outgoing traffic (from the point of view of an interface) can't change the routing decisions that have already been made. This is a FreeBSD specific limitation in the PF packet filter, it doesn't exist in OpenBSD's version of PF.