Configure PIA (Private Internet Access) VPN on pfSense 2.4.4 only for specific hosts



  • Hi All,

I am new to pfSense and have some basic network knowledge. I have created a PIA VPN connection and this works fine, but all traffic is routed through this VPN. I would prefer the other way around: all traffic routed to the normal internet, and only selected devices routed through the VPN.

    What steps do I need to take to make this happen?

    What I have done so far:

    NAT Outbound rule

I tried to make the last rule (no. 3) change the default gateway to WAN_DHCP, but when I do this my Outlook clients cannot connect anymore to my internal Exchange server. I can still ping the device, but I think this has something to do with the discover... protocol. The domain name I have is external and points back to the IP address of my WAN exit point.


Rules number 1 and 2: number 1 makes sure that all devices in VPNHosts are routed to the PIA gateway. This works well. The second rule is there to make sure the VPNHosts are rejected to the WAN net, which I think also works? Is this the correct way to do this?

    I have four network cards in it.

    WAN

    LAN normal secure lan

    LAN2 (for IOT devices)

    GUESTLAN (for WIFI Guest)

What tools do I need to use to check why Outlook cannot connect anymore from my client computer (LAN) to my Exchange test server (LAN)? It must have something to do with the discover host on my domain name.


  • LAYER 8 Global Moderator

If you want to policy route, you need to make sure you do not pull routes from the VPN connection. They like to make the VPN the default... Don't pull routes, and then policy route whatever you want out the VPN connection via firewall rules.

This is almost always the most common issue when users try to policy route: they let the VPN client pull routes.

And dest WAN net is just that, your WAN net; that is NOT the internet.

Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated. If you force all traffic out your VPN, how would you get to your other local segments?



  • Hi John,

THANKS 👍, this helps a lot. Everything works great now. Except, when the VPN client is down the device still goes out through the internet. How can I block devices from going out to the internet?


  • LAYER 8 Global Moderator

Look for the kill switch threads... There are a lot of them.

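Putting the two answers together (don't pull routes, policy route with top-down first-match rules, keep the local segments reachable, add a kill switch): the following is an added Python model of how a pfSense interface rule set is evaluated, written for this page; it is not code from the thread or from pfSense. The subnets, the VPNHosts members and the gateway name PIA_VPN are constructed. The gateway-down behaviour it models is pfSense's as I understand it: a policy rule whose gateway is down is normally loaded without its gateway, so matching traffic falls through to the default route (the leak the poster saw); with "Skip rules when gateway is down" enabled under System > Advanced > Miscellaneous the rule is omitted entirely, so the block rule underneath it catches the traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (an assumption for this example, not the poster's real addresses).
NETS = {
    "WAN net": ipaddress.ip_network("203.0.113.0/24"),   # the WAN subnet itself, NOT the internet
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2 net": ipaddress.ip_network("192.168.2.0/24"),
    "GUESTLAN net": ipaddress.ip_network("192.168.3.0/24"),
}
LOCAL_NETS = ("LAN net", "LAN2 net", "GUESTLAN net")
# Alias of the hosts that must only reach the internet through the VPN (constructed members).
ALIASES = {
    "VPNHosts": {ipaddress.ip_address("192.168.1.50"), ipaddress.ip_address("192.168.1.51")},
}


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    src: str                       # alias name, interface net name, or "any"
    dst: str                       # "any", "local nets", "WAN net", ...
    gateway: Optional[str] = None  # policy-routing gateway; None = system routing table


def _matches(selector: str, ip: ipaddress.IPv4Address) -> bool:
    if selector == "any":
        return True
    if selector in ALIASES:
        return ip in ALIASES[selector]
    if selector == "local nets":
        return any(ip in NETS[n] for n in LOCAL_NETS)
    return ip in NETS[selector]


def evaluate(rules, src, dst, gateway_up, skip_rules_when_gateway_down=False):
    """Top-down, first match wins, like a pfSense interface tab.

    gateway_up maps gateway name -> bool. Returns (action, gateway); a gateway of
    None means the packet follows the system routing table (default route, WAN).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        gw = r.gateway
        if gw is not None and not gateway_up.get(gw, False):
            if skip_rules_when_gateway_down:
                continue   # rule omitted entirely; the next rule gets a chance
            gw = None      # modelled default: rule kept, but without its gateway
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return (r.action, gw)
    return ("block", None)  # implicit default deny


# LAN tab rule order that does what the thread asks for (assumed names, constructed order).
LAN_RULES = [
    Rule("pass", "VPNHosts", "local nets"),              # 1: other segments stay reachable
    Rule("pass", "VPNHosts", "any", gateway="PIA_VPN"),  # 2: policy route internet via the VPN
    Rule("block", "VPNHosts", "any"),                    # 3: kill switch if rule 2 is skipped
    Rule("pass", "LAN net", "any"),                      # 4: everyone else: default route
]


def wan_net_is_not_internet():
    """The poster's 'reject VPNHosts -> WAN net' only hits the WAN subnet, not 8.8.8.8."""
    rules = [Rule("block", "VPNHosts", "WAN net"), Rule("pass", "VPNHosts", "any")]
    return (evaluate(rules, "192.168.1.50", "203.0.113.7", {}),
            evaluate(rules, "192.168.1.50", "8.8.8.8", {}))


if __name__ == "__main__":
    for label, up, skip in (("VPN up", True, False),
                            ("VPN down, default", False, False),
                            ("VPN down, skip rules", False, True)):
        print(label, evaluate(LAN_RULES, "192.168.1.50", "8.8.8.8", {"PIA_VPN": up}, skip))
    print("VPN host to LAN2:", evaluate(LAN_RULES, "192.168.1.50", "192.168.2.10", {"PIA_VPN": True}))
    print("WAN net vs internet:", wan_net_is_not_internet())
```

Two things carry over from the model to a real box. First, the policy route only works if the OpenVPN client does not install PIA's routes (the "Don't pull routes" option on the pfSense OpenVPN client, which corresponds to OpenVPN's `route-nopull`); otherwise the routing table, not rule 2, decides where everything goes. Second, rule 3 is only a kill switch when rule 2 is actually skipped while the gateway is down; with the default behaviour rule 2 still matches and sends the traffic out the WAN.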


