Netgate Discussion Forum
    LAN Virtual IP as dedicated 'alias' for oVPN WAN connection

    Routing and Multi WAN
    4 Posts 2 Posters 143 Views
    • jakes

      (seemed to have misplaced my pre-netgate account)

      I've set up a hosted VPN provider connection; the connection works well & it's holding pretty stable.

      I only want some of my LAN hosts to use it as upstream pipe, and not reach the internet if the VPN is not up.

      What I'd like to do is use a Virtual IP defined on my LAN to act as the gateway value for the desired hosts' DHCP configuration.

      I'm somewhat unfamiliar with what I need to do/change to get the desired outcome, but I suspect I may need to set up a 1:1 NAT, tying the outbound oVPN WAN connection to the new LAN Virtual IP gateway address.

      I've set up the connection as documented by the service provider (works well), but obviously pretty much all the NAT & Rules defined may not be relevant any more, since I don't want all my traffic going that way.

      Am I on the right track here?
      What tweaks do I need to do?

      • Derelict (LAYER 8 Netgate)

        The target gateway address of the packets will not help you. There is no function to mark or specially treat a packet based on the gateway address it was sent to since it is not the source or destination IP address.

        Give the LAN hosts static addresses. Policy route based on the source address. In those rules that set the VPN gateway for those hosts, set the tag to something like NO_WAN_EGRESS.

        Make a floating rule on WAN OUT that rejects all traffic tagged with NO_WAN_EGRESS.

        https://www.infotechwerx.com/blog/Policy-Routing-Certain-Traffic-Through-OpenVPN-Client-Connection

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • jakes

          Tagging is an interesting idea, thanks.

          What I had hoped to achieve was to avoid building an OpenWRT or TomatoWRT box dedicated to the task.

          The other option I'm considering is repurposing a spare NIC I have on the box to the task.

          • Derelict (LAYER 8 Netgate)

            You have to use the tag because, as that blog describes, traffic heading out WAN has already had outbound NAT applied by the time the outbound floating rule is checked so you lose the ability to match on the hosts' inside IP addresses.

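As an added illustration of the tag approach Derelict describes (written for this page, not copied from the thread or from pfSense's generated ruleset), here is what the LAN policy-routing rule and the floating WAN-out reject rule look like in pf syntax. The LAN/WAN macros, the OpenVPN client interface ovpnc1, its peer gateway 10.8.0.1 and the restricted host 192.168.1.50 are assumed values.

```pf
# Assumed names: $LAN/$WAN interface macros, OpenVPN client interface
# ovpnc1 with peer gateway 10.8.0.1, and a restricted LAN host at
# 192.168.1.50. Adjust to the real interfaces and addresses.

# 1. LAN rule (direction in) for the restricted host: policy-route it
#    into the VPN with route-to and tag the resulting state so the
#    traffic can still be recognised after outbound NAT.
pass in quick on $LAN inet from 192.168.1.50 to any \
    route-to ( ovpnc1 10.8.0.1 ) tag NO_WAN_EGRESS keep state

# What does NOT work: by the time an outbound floating rule is checked on
# WAN, outbound NAT has already rewritten the source to the WAN address,
# so a match on the inside address never fires and the host would leak
# out WAN whenever the VPN gateway is down.
# block return out quick on $WAN inet from 192.168.1.50 to any

# 2. Floating rule, interface WAN, direction out: reject anything that
#    carries the tag. The tag survives NAT, so this catches the host even
#    after its source address has been rewritten (pfSense "Reject" is
#    pf's "block return").
block return out quick on $WAN tagged NO_WAN_EGRESS
```

Tagged traffic that tries to leave via WAN shows up as blocked entries in the firewall log, which is a quick way to confirm the kill switch is active while the VPN is down.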