LAN Virtual IP as dedicated 'alias' for oVPN WAN connection



  • (seemed to have misplaced my pre-netgate account)

    I've set up a hosted VPN provider connection; the connection works well & it's holding pretty stable.

    I only want some of my LAN hosts to use it as upstream pipe, and not reach the internet if the VPN is not up.

    What I'd like to do is use a Virtual IP defined on my LAN to act as the gateway value for the desired hosts' DHCP configuration.

    I'm somewhat unfamiliar with what I need to do/change to get the desired outcome, but I suspect I may need to set up a 1:1 NAT, tying the outbound oVPN WAN connection to the new LAN Virtual IP gateway address.

    I've set up the connection as documented by the service provider (works well), but obviously pretty much all the NAT & Rules defined may not be relevant any more, since I don't want all my traffic going that way.

    Am I on the right track here?
    What tweaks do I need to do?


  • LAYER 8 Netgate

    The target gateway address of the packets will not help you. There is no function to mark or specially treat a packet based on the gateway address it was sent to since it is not the source or destination IP address.

    Give the LAN hosts static addresses. Policy route based on the source address. In those rules that set the VPN gateway for those hosts, set the tag to something like NO_WAN_EGRESS.

    Make a floating rule on WAN OUT that rejects all traffic tagged with NO_WAN_EGRESS.

    https://www.infotechwerx.com/blog/Policy-Routing-Certain-Traffic-Through-OpenVPN-Client-Connection



  • Tagging is an interesting idea, thanks.

    What I had hoped to achieve was to avoid building an OpenWRT or TomatoWRT box dedicated to the task.

    The other option I'm considering is repurposing a spare NIC I have on the box to the task.


  • LAYER 8 Netgate

    You have to use the tag because, as that blog describes, traffic heading out WAN has already had outbound NAT applied by the time the outbound floating rule is checked so you lose the ability to match on the hosts' inside IP addresses.
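The approach described in the two replies above, written out as pf rules so the ordering of NAT, policy routing and the tag check is visible. This is an added illustration, not configuration from the thread or from pfSense itself; pfSense generates rules like these from the GUI, and every interface name and address below (em1 as LAN, em0 as WAN, ovpnc1 as the OpenVPN client interface, 10.8.0.1 as the VPN gateway, the 192.168.1.x hosts) is an assumption.

```pf
# Constructed example: pf equivalent of "policy route by source, tag, block on WAN out".
# Assumed names (not from the thread): em1 = LAN, em0 = WAN,
# ovpnc1 = OpenVPN client interface, 10.8.0.1 = VPN-side gateway.
# Hosts that may only reach the internet through the tunnel (static/reserved leases):
vpn_hosts = "{ 192.168.1.50, 192.168.1.51 }"

# Outbound NAT on the VPN interface, so replies return through the tunnel.
# (The provider's NAT rule for the VPN interface is still needed; the point of the
# thread is that it should cover only these hosts, not the whole LAN.)
nat on ovpnc1 inet from $vpn_hosts to any -> (ovpnc1)

# Policy-route on the *source* address and tag the state. The tag survives
# outbound NAT, which the LAN source address does not.
pass in quick on em1 inet from $vpn_hosts to any \
    route-to (ovpnc1 10.8.0.1) tag NO_WAN_EGRESS keep state

# Floating "WAN out" rule. By the time this is evaluated the source has already
# been rewritten to the WAN address, so match on the tag, not on 192.168.1.x.
# 'block return' corresponds to the GUI's "reject". This is the kill switch: if
# the VPN gateway is down and the rule above loses its route-to, the packets
# still carry the tag and are dropped here instead of leaking out via WAN.
block return out quick on em0 inet tagged NO_WAN_EGRESS

# Remaining LAN hosts keep using the default (WAN) route.
pass in quick on em1 inet from em1:network to any keep state
```

The ordering matters only in that translation rules precede filter rules; the two `quick` rules act on different interfaces and directions, so they never compete.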

