Netgate Discussion Forum
    Can connect to OpenVPN Server but lose access

    OpenVPN | 23 Posts, 2 Posters, 1.8k Views
    • johnpoz (LAYER 8 Global Moderator):

      If you want to policy route clients on your LAN side networks to use VPN or normal gateway you would do that on the LAN side rules, NOT on the WAN rule allowing access to your VPN server from the outside world.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • comet424:

        Ah, I'm not sure what I need?
        I'm just the only user; it's my home network. I wanna be able to connect when I'm not at home to my pfSense to access my local network,
        and I figured I need to set it to wanppoe as then it wouldn't use NordVPN,
        as I figured the default gateway now is the NordVPN as that's how it's set up on the LAN side. But I'll change it back to *.

        I figured since you can set which gateway, I'd set it to the one that bypasses the NordVPN service. Thanks for the help so far.

        I guess the only time you'd change that is if you had 2 WAN ports maybe?

        • comet424:

          OK, I set it back to *. What else do I check, as it still doesn't work? [image: openvpn2.JPG]

          • comet424:

            Here are my LAN rules: [image: openvpn3.JPG]

            • johnpoz (LAYER 8 Global Moderator):

              Well, you're forcing all your LAN net clients out your NordVPN connection, so how would they get to your VPN clients?

              You need a rule above that which lets traffic destined to your tunnel network (your VPN clients' IPs) use normal routing, so pfSense can send the traffic back out the VPN connection.

              • comet424:

                Well, how I thought it was: the computers on the local network, when they want internet, would be forced to use the VPN service,

                but if I'm away from home, when I access my network it bypasses the VPN service.

                So what would that rule look like? I'm guessing it goes in the LAN section just above the NordVPN Canada LAN and under the Xbox bypass VPN.

                Always learning; I appreciate the help so far.

                • comet424:

                  Would it look like this? [image: openvpn4.JPG]
                  Source is coming from the WAN address to the LAN IPs.

                  • johnpoz (LAYER 8 Global Moderator):

                    What is it you want exactly? If you want to get to your LAN clients then you would need a rule, above where you force them out your NordVPN, to get to your tunnel network.

                    Also that 3rd rule makes zero sense as well. If you're blocking 192.168.0.5 from talking to your WAN address, why would it have a gateway??

                    I think you need to take a look at the pfSense book that is available about policy routing.

                    • johnpoz (LAYER 8 Global Moderator):

                      NO, it would not look like that. When would WAN address ever be a source into your LAN interface? I think there is a disconnect on how rules are evaluated.

                      • comet424:

                        I want all my computers on my home network to go out the NordVPN when I'm at home.

                        When I'm, say, at a friend's house I wanna connect to my home network, access all my computers and not go through the NordVPN, bypass it, as that would be double VPN and then my internet would be even slower, would it not???

                        The 3rd line is for my downloading computer, so when the NordVPN stops working that downloading computer cannot use regular internet. It forces that it can not use the wan_ppoe gateway ever, as if you disable the NordVPN client on pfSense the downloading computer keeps downloading, and I wanted a kill switch so if NordVPN goes down so does the downloading computer.

                        Well then I'm not sure how to do it; I need pictures.

                        Well, if the WAN address source is never to be used under LAN, why is it an option?

                        I thought it's so that any incoming WAN side connections go directly to the LAN addresses.

                        Then I'm lost.

                        • johnpoz (LAYER 8 Global Moderator):

                          Well, your 3rd rule doesn't do what you think it does. Downloading stuff from the internet is not dest of your WAN address. All that is is whatever your WAN address is.

                          What is your tunnel network? If it's 10.0.8/24 for example, then create a rule above your Nord policy route that says if dest 10.0.8, NO gateway set.

                          When you VPN in, if you have your VPN clients set to use VPN as def gateway, i.e. route all traffic, then it would use your normal connection and not your NordVPN. As long as you're actually policy routing that and not pulling routes from the connection so your default route is Nord.

                          • comet424:

                            Well, it seemed to work. If it doesn't work, then how do you make the kill switch so if the VPN service is down no internet traffic may go to that computer?

                            And my tunnel network is 192.168.0.100/24 and my local is 192.168.0.0/24.

                            And I have set the "do not pull routes" under the NordVPN.

                            • johnpoz (LAYER 8 Global Moderator):

                              Sorry, but if something is working how you want, it's not because of that rule. Sorry, but that rule says block if your source is 192.168.0.5 as the IP and its dest is your WAN address. Let's say that is 1.2.3.4, then block it. It has ZERO use or need of a gateway since it's a block rule to start with.

                              And going to say 4.5.6.7, some public IP on the internet, is NOT your WAN address of 1.2.3.4, so that rule would not even trigger.

                              What I suggest you do is read the book on policy routing and how rules are evaluated on the firewall.

                              Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. There is plenty of info on a "kill switch"; Derelict I believe did a whole long how-to on it somewhere. There might even be a hangout on it? Which are now available on YouTube vs those "hey, bring traffic to my site because I have pfSense in my subject".

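To make the two points in johnpoz's reply concrete (top-down first-match evaluation, and why the block rule never fires for a download from a public IP), here is an added example that is not from the thread or from pfSense itself: a small evaluator over a constructed LAN rule table. It reuses johnpoz's example WAN address 1.2.3.4 and tunnel network 10.0.8.0/24; the LAN hosts and the "NORDVPN" gateway name are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: 1.2.3.4 and 10.0.8.0/24 reuse johnpoz's example
# WAN address and tunnel network; the LAN hosts are assumptions.
WAN_ADDR = ip_network("1.2.3.4/32")
LAN_NET = ip_network("192.168.0.0/24")
TUNNEL_NET = ip_network("10.0.8.0/24")
ANY = ip_network("0.0.0.0/0")
DEFAULT_DENY = {"action": "block", "src": None, "dst": None, "gateway": None}

def rule(action, src, dst, gateway=None):
    # gateway=None is pfSense's "*" (default routing); a name means policy routing
    return {"action": action, "src": src, "dst": dst, "gateway": gateway}

def first_match(rules, src, dst):
    """Top-down evaluation: the first rule whose source and destination both
    match wins and nothing below it is consulted (implicit deny otherwise)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            return r
    return DEFAULT_DENY

def route_decision(rules, src, dst):
    r = first_match(rules, src, dst)
    return r["action"], (r["gateway"] or "default")

# LAN table roughly as posted: policy route everything to NordVPN, then the
# block rule (a gateway is meaningless on a block), then the default LAN pass.
AS_POSTED = [
    rule("pass", LAN_NET, ANY, gateway="NORDVPN"),
    rule("block", ip_network("192.168.0.5/32"), WAN_ADDR, gateway="NORDVPN"),
    rule("pass", LAN_NET, ANY),
]

# The fix from the thread: a pass rule for the tunnel network with no gateway,
# placed above the NordVPN policy route so replies to VPN clients route normally.
CORRECTED = [
    rule("pass", LAN_NET, TUNNEL_NET),
    rule("pass", LAN_NET, ANY, gateway="NORDVPN"),
    rule("pass", LAN_NET, ANY),
]

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        for dst in ("4.5.6.7", "10.0.8.6"):
            print(name, "192.168.0.10 ->", dst, route_decision(table, "192.168.0.10", dst))
    # The block rule never sees a download from a public IP: 4.5.6.7 is not 1.2.3.4
    print("block rule on its own:", route_decision(AS_POSTED[1:], "192.168.0.5", "4.5.6.7"))
```

In the "as posted" table a reply to a VPN client at 10.0.8.6 is policy-routed out NordVPN, which is why the remote session loses access; the corrected table sends it through default routing while ordinary internet traffic still goes out NordVPN.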
                              • comet424:

                                I'm sure I've done this wrong, and I'm not trying to get you mad, just learning as I go.
                                And OK, I'll check out that stuff.

                                The reason I put the block on is that it's below the NordVPN, and doesn't that mean
                                yes, when the NordVPN service is working it does that rule, but if the NordVPN is offline it would skip that rule, right? Or does it still keep that rule? As that's the reason I put that block below NordVPN: in case the service would shut off, then the rule gets skipped and goes to allow it,
                                because the last line is your default LAN, so when the NordVPN goes down I still can use the internet, I'm just not behind it anymore.

                                So that's how I thought it worked:
                                NordVPN up -----> all computers are behind VPN
                                NordVPN goes down -----> blocks the 1 computer ----> runs last rule that allows the rest of the computers to access the internet.

                                Thought that's how those rules I have set worked.

                                As for the block of the tunnel, here is the image, but I'm sure I did it wrong. But I'm trying and I'll google the info you mentioned. Thanks so far. [image: openvpn5.JPG]

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.