Certain websites won't work when VPN is active



  • Hello,

    First of all, I would like to say that I am grateful for all the hard work people put into pfsense and that we as a community are able to benefit from it and hopefully contribute a little bit as well.
    Over the years pfsense never let me down, and if there were problems, it was mostly due to my misunderstanding, as is probably the case now too.

    So my problem is:
    I have set up a VPN (client) connection, which basically works fine, and eventually I wanna only route certain traffic from certain clients through the VPN tunnel. What's interesting is that as soon as I enable the VPN connection, clients that are not using the VPN can't access certain websites any longer (like amazon.com and netflix.com, to name a few); my browser tried to resolve the website and it ends with a timeout error.
    When I disable the VPN client connection, reset the states and wait a few minutes, I can access those websites again without any issues.

    I tried to work it out on my own, but I am stuck at the moment and can't figure out what the problem really is.
    I would appreciate any help you might be able to provide.

    Thank you in advance.
    Dennis



  • @FreeYourMind said in Certain websites won't work when VPN is active:

    I have set up a VPN (client) connection, which basically works fine, and eventually I wanna only route certain traffic from certain clients through the VPN tunnel. What's interesting is that as soon as I enable the VPN connection, clients that are not using the VPN can't access certain websites any longer (like amazon.com and netflix.com, to name a few); my browser tried to resolve the website and it ends with a timeout error.
    When I disable the VPN client connection, reset the states and wait a few minutes, I can access those websites again without any issues.

    (Very!) Known issue.
    Your situation can be explained with very few words: the setup is not as you want it (edit: so: don't stop the setup process: finish it).
    What needs to be done:
    You need to have a VPN access.
    The VPN client has to be set up on pfSense.
    Change "outgoing routes" so that all traffic flows out using the VPN - and not the LAN.
    Then, "polish" your routing settings so that some devices go out over LAN - or "some" destinations ** - and others go over VPN. You decide, you are the boss.

    ** Netflix won't work if you contact them over a VPN ... they don't want that (they actually blacklist the IPs of nearly all VPN suppliers).

    In more detail:

    @FreeYourMind said in Certain websites won't work when VPN is active:

    clients that are not using the VPN can't access certain websites any longer (like amazon.com and netflix.com, to name a few)

    This shows a broken setup. It's always the other way around. Sites like Netflix will not stream when you contact them over the VPN. Do you work when you use the direct WAN connection of your ISP.



  • @Gertjan

    Thanks for your reply, even though I don't exactly understand what you're suggesting.
    Let me try to explain it in a little more detail:

    The VPN client connection (NordVPN) was set up properly in pfsense and according to the guide NordVPN provided.
    ( https://nordvpn.com/de/tutorials/pfsense/pfsense-openvpn/ )

    I've set up the following nameservers under System -> General setup:

    Google DNS Primary -> WAN Gateway (IPv4)
    Google DNS Secondary -> WAN Gateway (IPv4)

    NordVPN DNS Primary -> NordVPN Gateway (IPv4)
    NordVPN DNS Secondary -> NordVPN Gateway (IPv4)

    To determine which traffic goes where, I am using policy routing in pfsense, so for example:
    All internet-related firewall rules originating from LAN_net that shouldn't use the VPN tunnel
    have their gateway field set to "WAN Gateway".

    Internet-related traffic originating from LAN2_net should go through the VPN tunnel and therefore has its gateway setting in the firewall rule set to "NordVPN Gateway".

    Outbound NAT is set accordingly, of course.

    I can confirm that the proper traffic routing works, because the NordVPN site indicates if you're visiting the page through their VPN and are considered "protected" or if you are not and are considered "unprotected".

    I am aware that for clients that use a VPN connection for websites like Netflix and stuff, problems can arise, but like I said earlier, I also cannot visit sites like amazon and netflix for clients whose traffic isn't routed through the VPN tunnel.



  • @FreeYourMind said in Certain websites won't work when VPN is active:

    The VPN client connection (NordVPN) was set up properly in pfsense and according to the guide NordVPN provided.
    ( https://nordvpn.com/de/tutorials/pfsense/pfsense-openvpn/ )

    Then it is not properly set up for policy routing. RTFM: https://docs.netgate.com/pfsense/en/latest/book/openvpn/openvpn-configuration-options.html#don-t-pull-routes



  • Thanks a bunch, that was exactly what I was missing.
    Now that you mention it, I feel stupid for having overlooked it.
    I should have checked the routing table first, I guess; then it should have been obvious.

    Again, thank you very much.
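
The routing-table check mentioned in the last post, tied to the "Don't pull routes" option linked above, as an added example that is not part of the thread. It assumes the VPN server pushes `redirect-gateway def1` (which installs 0.0.0.0/1 and 128.0.0.0/1 through the tunnel); the sample tables, the interface names ovpnc1/em0/em1 and all addresses are constructed.

```shell
#!/bin/sh
# Added example: flag routes an OpenVPN client installed from server-pushed options.
# Sample tables are constructed; interface names and addresses are assumptions.

# Constructed `netstat -rn -f inet` output while the client still pulls routes.
sample_before() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
default            192.0.2.1          UGS         em0
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U           em1
198.51.100.7/32    192.0.2.1          UGHS        em0
EOF
}

# Constructed output for the same firewall once "Don't pull routes" is enabled.
sample_after() {
cat <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
10.8.0.0/24        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U           em1
EOF
}

# Reads a routing table on stdin and prints every default-like route that
# leaves through an OpenVPN client interface. The tunnel's own subnet is ignored.
find_pulled_routes() {
    awk '{
        ifname = ""
        # The Netif column position differs between releases, so scan the fields.
        for (i = 3; i <= NF; i++) if ($i ~ /^ovpnc[0-9]+$/) ifname = $i
        if (ifname == "") next
        if ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") print "def1 " $1 " " ifname
        else if ($1 == "default") print "default " $1 " " ifname
    }'
}

# Succeeds only when no pulled default-like route is present.
routes_are_clean() { [ -z "$(find_pulled_routes)" ]; }

# On the firewall itself: netstat -rn -f inet | find_pulled_routes
sample_before | find_pulled_routes
```

Any line it prints means traffic that follows the routing table, including anything the firewall itself originates, leaves through the tunnel regardless of the gateways set on the LAN rules.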

