Netgate Discussion Forum
    Configure PIA (Private Internet Access) VPN on pfSense 2.4.4 only for specific hosts

    OpenVPN

    marcelt

      Hi All,

      I am new to pfSense and have some basic network knowledge. I have created a PIA VPN connection and this works fine. But all traffic is routed to this VPN. I prefer the other way around, that all traffic is routed to the normal internet and only selected devices are routed through the VPN.

      What steps do I need to take to make this happen?

      What I have done so far:

      [image: NAT Outbound rule]

      I tried to make the last rule (nr 3) change the default gateway to WAN_DHCP, but when I do this my Outlook clients cannot connect anymore to my internal Exchange server. I can still ping the device, but I think this has to do something with the discover.. protocol. The domain name which I have is external and points back to the IP address of my WAN exit point.

      [image: firewall rules]

      Rules number 1 and 2: number 1 makes sure that all devices in VPNHosts are routed to the PIA gateway. This works well. The second rule is there to make sure the VPNHosts will be rejected to the WAN net. Which I think works also?? Is this a correct way to do this??

      I have four network cards in it.

      WAN

      LAN normal secure lan

      LAN2 (for IOT devices)

      GUESTLAN (for WIFI Guest)

      What tools do I need to use to check why Outlook cannot connect anymore from my client computer (LAN) to my Exchange test server (LAN)? It must have to do something with the discover host on my domain name.

      johnpoz LAYER 8 Global Moderator

        If you want to policy route, you need to make sure you do not pull routes from the vpn connection. They like to make the vpn default... Don't pull routes and then policy route whatever you want out the vpn connection via firewall rules.

        This is almost always the most common issue when users try to policy route - they let the vpn client pull routes.

        And dest WAN net is just that your WAN net, that is NOT the internet..

        Rules are evaluated top down, first rule to trigger wins, no other rules evaluated... If you force all traffic out your vpn, how would you get to your other local segments?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        marcelt

          Hi John,

          THANKS 👍 , this helps a lot. Everything works great now. Except, when the VPN client is down the device still goes through the internet. How can I block devices from going out to the internet?

          johnpoz LAYER 8 Global Moderator

            look for the kill switch threads... There are a lot of them.
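
As an added illustration of both of johnpoz's replies (this is example code written for this page, not code from the thread, from pfSense, or from PIA): a toy first-match rule evaluator in Python. It walks a rule list top-down the way the firewall does, so it shows why a "reject VPNHosts to WAN net" rule never touches traffic to an internet address, why putting the policy-route rule before any local-segment rule cuts the VPN hosts off from the other LANs, and what a kill switch changes. All subnets, the members of the VPNHosts alias and the gateway name are constructed. The "VPN down falls back to the default route" behaviour is modelled after what marcelt reported; the `skip_rules_when_gw_down` flag models pfSense's option to skip policy rules whose gateway is down (under System > Advanced > Miscellaneous on the versions I have used; verify the name on yours).

```python
"""Toy first-match firewall rule evaluator (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "any"

# Constructed addressing: the thread names the interfaces but not their subnets.
LAN_NET = ip_network("192.168.1.0/24")    # "LAN normal secure lan"
LAN2_NET = ip_network("192.168.2.0/24")   # IoT devices
GUEST_NET = ip_network("192.168.3.0/24")  # guest Wi-Fi
WAN_NET = ip_network("203.0.113.0/24")    # the WAN link's own subnet; NOT the internet
LOCAL_NETS = [LAN_NET, LAN2_NET, GUEST_NET]
# Hypothetical contents of the "VPNHosts" alias.
VPN_HOSTS = [ip_address("192.168.1.50"), ip_address("192.168.1.51")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: object                    # ANY, a network, an address, or a list of them
    dst: object
    gateway: Optional[str] = None  # None = ordinary routing via the default route


def matches(spec, addr) -> bool:
    """True if addr is covered by spec (ANY, a network, an address, or a list)."""
    if spec == ANY:
        return True
    if isinstance(spec, list):
        return any(matches(s, addr) for s in spec)
    if hasattr(spec, "prefixlen"):  # an ip_network
        return addr in spec
    return addr == spec


def evaluate(rules, src, dst, gateways_up, skip_rules_when_gw_down=False):
    """Walk rules top-down; return (action, exit) from the first matching rule.

    exit is the policy gateway name, "default" for plain routing, or None when
    blocked. No match at all means the implicit default deny.
    With skip_rules_when_gw_down=False a policy rule whose gateway is down still
    matches but routes via the default route (the leak marcelt observed); with
    True the rule is skipped, so a later block rule can catch the traffic.
    """
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if not (matches(rule.src, src) and matches(rule.dst, dst)):
            continue
        if rule.action == "block":
            return ("block", None)
        gw = rule.gateway
        if gw is not None and not gateways_up.get(gw, False):
            if skip_rules_when_gw_down:
                continue
            gw = None
        return ("pass", gw if gw is not None else "default")
    return ("block", None)


# Rules as marcelt described them: VPNHosts -> any via PIA, VPNHosts -> WAN net
# rejected, then the usual LAN allow.
OP_RULES = [
    Rule("pass", VPN_HOSTS, ANY, gateway="PIA_VPN"),
    Rule("block", VPN_HOSTS, WAN_NET),
    Rule("pass", LAN_NET, ANY),
]

# Kill-switch ordering: local segments first (so the VPN hosts still reach the
# other LANs and the Exchange server), then the policy route, then a catch-all
# block for the VPN hosts, then the normal LAN allow.
KILL_SWITCH_RULES = [
    Rule("pass", VPN_HOSTS, LOCAL_NETS),
    Rule("pass", VPN_HOSTS, ANY, gateway="PIA_VPN"),
    Rule("block", VPN_HOSTS, ANY),
    Rule("pass", LAN_NET, ANY),
]

if __name__ == "__main__":
    vpn_host, internet, iot_box = "192.168.1.50", "8.8.8.8", "192.168.2.10"
    print("OP rules, VPN up:     ", evaluate(OP_RULES, vpn_host, internet, {"PIA_VPN": True}))
    print("OP rules, VPN down:   ", evaluate(OP_RULES, vpn_host, internet, {"PIA_VPN": False}))
    print("OP rules, host -> IoT:", evaluate(OP_RULES, vpn_host, iot_box, {"PIA_VPN": True}))
    print("'reject to WAN net' matches 8.8.8.8?", matches(WAN_NET, ip_address(internet)))
    print("kill switch, VPN down:", evaluate(KILL_SWITCH_RULES, vpn_host, internet, {"PIA_VPN": False}, True))
    print("kill switch, host -> IoT:", evaluate(KILL_SWITCH_RULES, vpn_host, iot_box, {"PIA_VPN": False}, True))
```

Run it and compare the two rule sets: with the original ordering a VPN host reaches 8.8.8.8 via the default route as soon as the PIA gateway is down, and its traffic to the IoT segment is policy-routed into the tunnel even when the VPN is up; with the kill-switch ordering local traffic still passes and internet traffic is blocked when the tunnel is down. Real pfSense also needs the OpenVPN client not to pull routes, which this toy does not model.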

            marcelt

              @johnpoz said in Configure PIA (Private Internet Access) VPN on pfSense 2.4.4 only for specific hosts:

              kill switch
              Thanks!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.