Route one IP address outside the VPN



  • Hi all, I'd like one single IP on the remote side of a VPN to be accessed from outside the VPN; how can I do that?
    I mean, one remote IP address can be accessed both from inside the VPN and from the WAN. I'd like access to this one IP to go through the WAN and not be routed into the VPN.

    Using a LAN client outside the scope of the VPN, I can already ping the address via the WAN side, but if I use a client within the VPN scope, the ping goes through the VPN.
    The current setup is:

    • all my LAN subnet addresses in 192.168.1.0/28 can access any address in 1.2.3.0/18 through the VPN correctly
    • the IP 1.2.3.4 can be accessed via the WAN too
    • if I use a client with IP 192.168.1.112, I reach 1.2.3.4 through the WAN (no VPN involved)
    • I'd like my clients within 192.168.1.0/28 to access 1.2.3.4 through the WAN and not the VPN.
      Can someone help me understand what the correct setup I have to do? TIA!

  • Rebel Alliance Global Moderator

    Use policy routing to send your client either through the VPN or out your normal gateway for specific destinations.



  • I added two floating rules:
    IF: LAN, source: any, direction: out
    destination: 1.2.3.4
    gateway: changed from default to gw_wan
    and
    IF: WAN, source: 1.2.3.4, direction: in
    destination: any
    gateway: gw_wan
    but this set of rules doesn't give the result I expect. I'm sure I'm missing something.

    Edit: I have only one gateway. I guess changing from default to gw_wan doesn't change anything.


  • Rebel Alliance Global Moderator

    Don't put it on filter out in floating. It's a little late for that... You should put the rule on the interface the traffic enters pfSense on.

    Keep in mind that rules are evaluated top down: the first rule to trigger wins, and no other rules are evaluated.



  • More specifically, it's not possible to redirect traffic that is leaving via an interface, so any floating rule acting on outgoing traffic (from the point of view of an interface) can't change the routing decisions that have already been made. This is a FreeBSD-specific limitation in the PF packet filter; it doesn't exist in OpenBSD's version of PF.
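  • The advice in the two moderator replies above (policy-route on the interface the traffic enters, and order the rules so the specific one matches first), written out as the pf ruleset pfSense builds from its GUI rules. This is an added example, not something posted in the thread or shipped by pfSense. The interface names (em1 for LAN, em0 for WAN), the WAN next hop 203.0.113.1 standing in for "gw_wan", and the rule labels are assumptions; the networks and the host are the ones from the original question.

```pf
# Added example (not from the thread). Assumed layout:
#   LAN = em1, WAN = em0 with next hop 203.0.113.1 (the GUI gateway "gw_wan"),
#   VPN remote network 1.2.3.0/18, the single host to keep off the VPN = 1.2.3.4.
lan_if  = "em1"
wan_if  = "em0"
wan_gw  = "203.0.113.1"
lan_net = "192.168.1.0/28"
vpn_net = "1.2.3.0/18"
host    = "1.2.3.4"

# What the floating "direction: out" rule from the thread amounts to. It is kept
# here commented out on purpose: by the time a packet is seen leaving an
# interface, FreeBSD's pf has already made the routing decision, so route-to on
# an outbound rule cannot pull the packet back to the WAN.
# pass out quick on $lan_if route-to ($wan_if $wan_gw) from any to $host keep state

# Correct placement: match on the interface the packet ENTERS (LAN), before
# routing. "quick" ends evaluation at this rule, and it is listed ABOVE the
# broader VPN rule because the first matching rule wins.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet \
    from $lan_net to $host keep state \
    label "USER_RULE: 1.2.3.4 via WAN, not VPN"

# The general rule for the rest of the remote network stays below. Traffic to
# 1.2.3.4 never reaches it, so it keeps following the normal route into the VPN.
pass in quick on $lan_if inet \
    from $lan_net to $vpn_net keep state \
    label "USER_RULE: remote network via VPN"
```

    Two checks worth running on the firewall after the rules are in place: `pfctl -vnf /etc/pf.conf` parses the ruleset without loading it, and `pfctl -sr | grep 1.2.3.4` shows the loaded order, where the route-to rule must appear before the one for 1.2.3.0/18. From a client in 192.168.1.0/28, a traceroute to 1.2.3.4 should then show the WAN next hop rather than the VPN path, while a traceroute to another address in 1.2.3.0/18 still goes through the VPN. In the pfSense GUI the same thing is a normal rule on the LAN tab with the Gateway field set to the WAN gateway, dragged above the rule that passes the VPN network.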