1 firewall rule works, the others don't

  • Hi all, I'll start off by saying I'm completely new to pfSense, and please bear with me if I don't explain things properly or understand your help straight away.

    So the setup is a pfSense box connected to WAN, then an rt88u connected in AP mode. I have a simple setup compared to most and things work well except my firewall rules.

    In pfSense, I've set static IPs for all of my devices, followed the VPN.ac guide and have everything going through the VPN, which is what I want. However, there are 3 devices I'd like to go through my ISP directly (2 PS4s and an Nvidia Shield).

    So I've set up an outbound firewall rule for those 3 IPs and changed the gateway to WAN (my ISP's IP) and put them above the rule that directs everything through the VPN.

    First rule (first PS4) works, as in it skips the VPN, so great! I then copy the rule and just change the IP to reflect the other 2 devices and bam, those devices can no longer get internet access or are really, really slow.

    I'm ready to lose my hair as I've been following all guides and everything I read says I've done it correctly and they should just work, but only 1 of the 3 does.

    All IPs are similar: 192.168.1.xxx then 192.168.1.yyy

    Hopefully I've covered everything, and any help will be greatly appreciated.

    Edit: I've cleared states and also rebooted pfSense as well with no luck.

  • Here it is. Yes, I know the rules are disabled at the moment, because when they are enabled I can't use the devices.

  • Delete the Gateway entry in the rules and make it '*' except for the VPN.

    Edit: Do you want to route all IPv4 traffic (except for the 3 hosts given) through your VPN?

  • Hello @flyer123!
    Could you please tell us the version of your pfSense?
    If it's 2.3 or lower, I've faced a similar situation when I used the rule copy feature. The "model" rule worked but the rest did not.
    So I deleted the rules created with the copy feature, created other rules from scratch, and everything worked.
    Could you please try this and give feedback?
    Good luck!

  • pfSense version is 2.4.3 p1. I've also tried creating the rules from scratch.

  • @jahonix yes, that's correct, everything through the VPN except those 3.

    What gateway rule? Can you be a bit more specific, sorry.

  • Setting the gateway should be required for one or the other scenario:

    If you do not check Don't Pull Routes in the OpenVPN client configuration, you will probably get two routes that cover all traffic and are more specific than the default route so all traffic will use the VPN instead of the default gateway.

    In that case, you would need to policy route traffic out WAN_DHCP if you did not want to use the VPN.

    If you do check Don't Pull Routes in the OpenVPN client configuration, you will not get the two /1 routes from them and you will have to policy route traffic you want to use the VPN out VPN_AC. Everything else can use the default gateway.

    That said, what you have should work. I would look at differences in the configuration of the hosts you are trying to send out WAN. Paying particular attention to DNS.

    When you enable those rules and try to use one of those hosts, what, exactly, do they do? All you gave was "do not get internet access." What actually fails?

  • Thank you for your reply, I'll read it properly when I'm at home in front of my network and try to understand what you're saying.

    So when those rules are applied, one of the PS4s fails on NAT and downloads slow to a crawl (affecting online gaming and if I need to download an update etc.), the other being an Nvidia Shield, which is where I watch my Netflix; same thing, takes forever to buffer or play. Without the VPN I get HDR and full speed from my provider, 100 megabit.

    Also, I haven't really configured anything on the devices; they are all on ethernet and in pfSense I've just set static IPs.

  • @derelict thank you for your help, I've gone through the 2 devices and set the DNS servers to the ones used in pfSense and now they work.

    Not sure why I had to do it this way while the 1st device just worked on its own.

    Anywho, it's set up and working the way I want it, so thank you to everyone who's tried to help.
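
The routing behaviour described in the reply about Don't Pull Routes, as an added example that is not part of the original thread: a small Python model (not pfSense code) of top-down, first-match rules with an optional gateway, falling back to longest-prefix routing when the gateway is `*`. The host addresses and function names are constructed for illustration; WAN_DHCP and VPN_AC are the gateway names used in the thread.

```python
import ipaddress

# Constructed sample addresses; the thread does not give the real host IPs.
BYPASS_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
LAN = "192.168.1.0/24"

# Routing table when "Don't Pull Routes" is checked: only the default route.
DEFAULT_ONLY = [("0.0.0.0/0", "WAN_DHCP")]
# Routing table when routes are pulled: two /1 routes that together cover all
# IPv4 space and are more specific than the /0 default route.
PULLED = DEFAULT_ONLY + [("0.0.0.0/1", "VPN_AC"), ("128.0.0.0/1", "VPN_AC")]


def route_lookup(dst, routes):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), gw) for n, gw in routes]
    matches = [(n, gw) for n, gw in nets if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def egress(src, dst, rules, routes):
    """Evaluate rules top-down; the first match decides. A rule with a gateway
    policy-routes the packet; gateway None ('*') defers to the routing table."""
    addr = ipaddress.ip_address(src)
    for source_net, gateway in rules:
        if addr in ipaddress.ip_network(source_net):
            return gateway or route_lookup(dst, routes)
    return "BLOCKED"  # no rule matched: default deny


def bypass_rules(hosts, catch_all_gateway):
    """Per-host WAN rules placed above the LAN catch-all rule."""
    rules = [(h + "/32", "WAN_DHCP") for h in hosts]
    return rules + [(LAN, catch_all_gateway)]


if __name__ == "__main__":
    dst = "203.0.113.7"  # constructed destination (documentation range)
    for label, routes, catch_all in (("routes pulled", PULLED, None),
                                     ("don't pull routes", DEFAULT_ONLY, "VPN_AC")):
        rules = bypass_rules(BYPASS_HOSTS, catch_all)
        for src in BYPASS_HOSTS + ["192.168.1.50"]:
            print(f"{label:18} {src:14} -> {egress(src, dst, rules, routes)}")
```

In both configurations the three listed hosts leave via WAN_DHCP and every other LAN host via VPN_AC; what differs is whether the routing table or a policy rule sends the remaining traffic to the VPN.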

