NordVPN Client only for specific hosts

  • When you say "hosts in the VPN", do you mean hosts in the LAN for which you have the gateway set to your VPN using policy routing firewall rules? As you say, the DMZ and your LAN are two separate networks, and the block rule you made explicitly prohibits any hosts on the DMZ from communicating with hosts on the LAN. Typically, this is what you would want, I believe. Are you saying that it's not what you want? Or that you want hosts on the DMZ to also be routed through your VPN? I'm still not clear on the goal, but if the firewall rules are configured to allow DMZ hosts to communicate with LAN hosts, then I don't believe it would be a DMZ at all, right?

  • Yes, I want to be able to access all my subnet's (DMZ, ISP subnet ) with the hosts (in Lan interface) who have the gateway NordVPN
    For now, the hosts with the gateway NordVPN only have access to there subnet (

    The hosts in the DMZ will not have the NordVPN gateway and I don't want them to have access to anything else then WAN interface

    thanks for your help

  • These resources may be useful:

    However, I believe that allowing access to the DMZ from the LAN is breaking the whole idea of the DMZ. As I said, I've never configured one myself, but I think generally the whole purpose is to have complete isolation from the LAN.

  • But the DMZ is isolated. The DMZ only have access to WAN, nothing more than that.

    I have access to DMZ from LAN, for example if I want to update my website, etc...

  • LAYER 8 Global Moderator

    @thenarc said in NordVPN Client only for specific hosts:

    However, I believe that allowing access to the DMZ from the LAN is breaking the whole idea of the DMZ.

    NO... So you allow the whole public internet to access a DMZ... But you think accessing it from the LAN would be bad?

    You can even allow access from DMZ into lan with specific pinholes and understanding, etc. Its best to not do that - but its done all the time.

    All of the guides from these sites want any and all traffic to go to them... This is NOT what normal people would want... So you DO NOT PULL routes, and then just policy route out the vpn what you want to use the vpn.

  • Okay, and you're saying your LAN-to-DMZ access is already working, or that's what you're trying to get working? Because if it's not working, I think you'll want to add a firewall rule on your LAN interface allowing access to the DMZ subnet via the default gateway.

  • LAYER 8 Global Moderator

    @thenarc said in NordVPN Client only for specific hosts:

    DMZ subnet via the default gateway.

    No you would not call out a gateway - this is where you run into problems.. You just allow the traffic you want and do not call out a gateway - since now your policy routing, and you wouldn't be going out your wan or vpn to get to another segment off pfsense.

    You just allow the rule above where you force out traffic via a policy route "setting gateway" in the rule.

    Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

  • My LAN to DMZ is working, but only with hosts without the NordVPN gateway.

    I wanted to know if it's possible to connect to others subnets (DMZ, ISP modem subnet) with hosta who have NordVPN gateway.

  • @johnpoz You're correct, but in my defense the terminology on the firewall rule config is confusing:
    "Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing."

    So you set the Gateway setting to Default, but that doesn't mean it uses the default gateway.

  • @luckyzor You need to create a LAN firewall rule above your existing rule that routes hosts through the NordVPN gateway. Per johnpoz's post, that rule should have the source set to any (assuming you want any LAN host to be able to access the DMZ), the destination set to the DMZ subnet, and the Gateway setting left at Default.

  • So only have to pull down the nordvpn rule for that... If I'm understanding well.

  • @luckyzor You mean you have an existing LAN-to-DMZ allow rule but it's currently below your NordVPN rule? If so, then yes, simply re-ordering them may be all you need. If that doesn't work, post a screen shot of your LAN firewall rules.

  • I have this for now
    alt text

  • @luckyzor Okay so add a new rule at the top that looks like the "Default allow LAN to any rule" but instead of the Destination being set to any (*), set it to "DMZ Address", or more likely "OPT1 Address", whatever corresponds to your DMZ interface. I'd probably also move it below the Anti-Lockout Rule, but that's just for aesthetics; since they'll have mutually exclusive destinations they can't both match the same traffic anyway.

  • LAYER 8 Global Moderator

    @thenarc said in NordVPN Client only for specific hosts:

    So you set the Gateway setting to Default, but that doesn't mean it uses the default gateway.

    Huh? You leave the gateway at default - ie you don't touch it and then it uses routing.. Maybe its just me doing this stuff for 30+ years and using pfsense for 10 some years. But its pretty freaking clear..

    Here is what I will say - pretty much every guide I have seen out there for all these BS vpn services is either just WRONG or not how you should be doing it... I have yet to see one that was good or actually went into the detail that should be setup. But then again they are catering to the people that would use them in the first place.. So they have to want to go over the most basic info - click this and you will use us sort of setups.

    What I would suggest is understand how it works before attempting to route traffic out a vpn vs just clicking buttons on some "guide" you found from 3 versions back, etc.

  • LAYER 8 Netgate

    This guy knows what he is talking about 😉 :

    But even he hasn't found the time to update it to a current pfSense version. Still relevant though.

  • @johnpoz All I mean is that from this:
    It's not intuitively obvious to me whether "Default" means "use the default gateway." But your point about not needing to touch that setting at all is of course dead on.

    I enjoy contributing what I can to the forums, and I do my best not to misrepresent my level of knowledge or confidence. I never mind being corrected, and am willing to admit when I'm wrong. I've received and appreciated valuable assistance from you in the past, and I believe I have always deferred to your expertise. But sometimes the tone of responses is discouraging. If there's a concern that forum members below a certain level of expertise are routinely providing dangerous or misleading information, I can respect that. I can even accept if that's an opinion held of me, in which case I'll gladly stop attempting to provide answers and use the forums only when I have questions of my own. But a gentle correction suffices. I admittedly know less than you and many others on the forum, and enjoy learning more, but enthusiasm wanes when I'm made to feel stupid for trying to help others. That said, I may be more sensitive than others in that respect. And I pledge to try to better qualify any advice I give in the future with my relative level of confidence in its accuracy, or to not comment at all if my confidence is not relatively high. I promise that I don't want to give people bad advice just as much as you don't want me to give people bad advice.

  • LAYER 8 Netgate

    It says it right there. use the system routing table

  • @derelict Yeah so basically, if you select anything other than "Default" in that drop-down, you're overriding the system routing table and saying "use only this one specific gateway (or gateway group) that I specify" (i.e. policy routing), right? And when you select a default gateway (in System > Routing), you're selecting the gateway used for the default route in the system routing table. Just trying to get my terminology straight.

  • LAYER 8 Netgate