Netgate Discussion Forum
    VPN on VLAN working but disabling LAN traffic

L2/Switching/VLANs
10 Posts, 2 Posters, 1.4k Views
mlaustin

I'm using Mullvad for my VPN provider. I'm having an issue where I can get the VLAN to route through Mullvad, but it kills my main LAN connection. I followed this guide to set up Mullvad with pfSense: https://mullvad.net/en/guides/using-pfsense-mullvad/. Let me discuss the steps I took to get to where I am and see what is missing.

      1. Created VLAN 10 and gave it a description of IoT
      2. Made a new Interface assignment called IOT and put this VLAN 10 on it
3. DHCP server is handing out addresses to this subnet, so VLAN 10 is working
      4. Created a firewall rule for IOTnet to allow any to any
      5. Devices on VLAN 10 can get out to the Internet
6. Created an OpenVPN client to Mullvad based on the guide above, with the interface set to IOT
      7. Created a new interface assignment called OVPNiot and associated the Mullvad client to it
      8. Per Mullvad's guide, went to NAT, Outbound and switched it to manual.
      9. Copied the rule from the IOT subnet and duplicated it as per their instruction (see attached as result)
      10. Added their recommended DNS servers in the DHCP Server setting of IOT (not my regular lan)
      11. IOT devices are getting Internet
      12. LAN devices are not getting Internet. Funny thing is my stock trading program seems to be connected and receiving data. So perhaps this is a DNS issue.

      What can I do to fix this so that IOT devices are connected to the VPN and my LAN not affected? Also I will need to disable the VPN at times to get through. It seems like disabling the OVPNIOT interface does the job. But how do I get my normal default DNS entries back in DHCP resolver (which is pfsense) for the IOT VLAN?

NogBadTheBad

        Set openvpn not to pull routes.

[Screenshot, 2019-03-07 19:50]

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

NogBadTheBad @NogBadTheBad

          Also try Hybrid NAT.

[Screenshot, 2019-03-07 19:53]


mlaustin

            @nogbadthebad said in VPN on VLAN working but disabling LAN traffic:

            Set openvpn not to pull routes.

[Screenshot, 2019-03-07 19:50]

            This causes the VPN connection to not work. It makes my LAN work, but my IOT network does not get the VPN IP. So this does the opposite of what is happening now. I have it set to hybrid, and it seems like no change.

NogBadTheBad @mlaustin

              @mlaustin

Post your IOT firewall rules.


mlaustin

[Four screenshots, 2019-03-07 18:03 to 18:05]

I posted my IOT rules, my outbound Mullvad NAT, the OpenVPN client config that shows the interface it's on, and my list of interfaces.

NogBadTheBad

As I previously mentioned, you need to set the OpenVPN connection not to pull routes; without this everything will be routed out the OpenVPN interface. Have a look at the routes and you'll see.

                  Set a gateway on the IOT outbound traffic rule to route out the OpenVPN interface.

Which is why "Also I will need to disable the VPN at times to get through".


mlaustin
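As an added illustration (not from the thread), a small Python model of how the egress interface gets chosen: with routes pulled, the tunnel's more specific routes win longest-prefix match for every destination, while "don't pull routes" plus a gateway on the IoT firewall rule sends only VLAN 10 through the VPN. The subnets, interface names and the assumption that the server pushes 0.0.0.0/1 and 128.0.0.0/1 (redirect-gateway def1) are constructed for the example.

```python
import ipaddress

# Constructed model of the thread's setup (assumed values, not from the post):
# LAN 192.168.1.0/24, IoT VLAN 10 as 192.168.10.0/24, default route via WAN,
# OpenVPN client interface OVPNiot.
BASE_ROUTES = [("0.0.0.0/0", "WAN"), ("192.168.1.0/24", "LAN"),
               ("192.168.10.0/24", "IOT")]
# With "pull routes" enabled, a server pushing redirect-gateway def1 (assumed
# here for Mullvad) installs these two /1 routes through the tunnel.
PULLED_VPN_ROUTES = [("0.0.0.0/1", "OVPNiot"), ("128.0.0.0/1", "OVPNiot")]
IOT_NET = ipaddress.ip_network("192.168.10.0/24")


def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def egress(src, dst, pull_routes, iot_policy_gateway):
    """Egress interface for a packet from src to dst.

    A firewall rule with a gateway set (policy routing) is honoured before the
    system routing table; the IoT rule pointing at the OVPNiot gateway is the
    fix from the thread. Anything else follows longest-prefix match.
    """
    if iot_policy_gateway and ipaddress.ip_address(src) in IOT_NET:
        return "OVPNiot"
    routes = BASE_ROUTES + (PULLED_VPN_ROUTES if pull_routes else [])
    return lookup(routes, dst)


def compare(dst="198.51.100.10"):
    """(LAN egress, IoT egress) under the broken and the fixed configuration."""
    lan, iot = "192.168.1.20", "192.168.10.7"
    return {
        # Pull routes on, no policy rule: the /1 routes beat the /0 default,
        # so LAN traffic is dragged into the tunnel as well.
        "pull_routes": (egress(lan, dst, True, False), egress(iot, dst, True, False)),
        # Pull routes off, gateway set on the IoT rule: only VLAN 10 uses the VPN.
        "policy_route": (egress(lan, dst, False, True), egress(iot, dst, False, True)),
    }
```

In the pulled-routes case LAN packets also leave through OVPNiot, where an outbound NAT rule copied only for the IOT subnet does not match them, which is consistent with the loss of LAN connectivity described in the first post.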

I can try that. How do I set up a firewall rule for a gateway? Also, on the OpenVPN client for Mullvad I have IOT as the interface. I'm guessing it should be that instead of WAN, correct? Mullvad docs said to set it to WAN?

NogBadTheBad

                      In the advanced options.

[Screenshot, 2019-03-09 08:12]


mlaustin

                        Thank you. That worked. I just created another rule above the IOTnet to any with this gateway. Then I can disable that rule as needed.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.