Bypass VPN Tunnel Interface - Outbound

DDIC

Using on SG-1100 and ExVPN client normally.

I wish to point two devices to the original WAN Gateway. ie bypass VPN for these specific devices.

I have tried running 2 Gateways and a firewall rule that points the devices to the original WAN Gateway. Cant get out.

Can this actually be done with one WAN connection?

viragomann

So you obviously did something wrong.
Just add an alias the these two IPs, add a firewall rule which allow the upstream traffic from this alias and specify the WAN GW in the advanced options.
Put that rule to the top of the LAN rule set.

johnpoz

Most of the guides on the internet for using vpn services are shit.. They want you to route everything through them..

You will want to make sure you do not pull routes, and use hybrid vs manual outbound nat, and just add the outbound for the vpn interface you create, etc..

Then yeah its quite easy to policy route what you want out via simple firewall rules and gateway selection in the rules.

Just remember rules are evaluated as traffic enters the interface from the network, top down, first rule to trigger wins, no other rules evaluated.

DDIC

@johnpoz Copy on most guides. I have been using this guide to help me. https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/.

As far as I can tell, the set up of my "split tunnel" seems ok. Have created alias for devices to use VPN GW. I can direct my devices easily from one GW to another WAN vs VPN, and can see that I have closed down all DNS leaks etc of specific devices as tested when using VPN.

The technical solution that I can't seem to get to work, is to place a domain name exception on the VPN device rule that works.

I have created an alias for domain destinations I want to redirect to the WAN GW. These are things like Netflix etc.

I have placed this rule first before the general VPN device rule, but it does not seem to work as I still get proxy errors from Netflix.

In your reply you mentioned Hybrid NAT. Forgive my English, but are you saying to use it or not to use it?. Currently using manual.

Appreciate any of your time.

johnpoz

There is zero reason to use manual, hybrid is all you need. Your going to have to post up your rules if you want anyone to look at them... And have you validated your alias tables are correct in diagnostics.

You understand something like netflix is a CDN.. and the IPs are going to be all over the place and change all the time.

DDIC

I used Manual as that's what the VPN provider recommended for their install. But I take your point.

Aware of CDN, but pfsense resolves all FQDN's in a lookup when the alias is used does it not?

All Aliases and rules are good. Have swapped GW's to test DNS etc.

I finally had success about an hour ago. Seems that the VPN provider's assurance of a particular location was not as accurate as it should have been. That cost me and them a lot of time. ;(

So at this stage I would say the router and its config are ok. Performs and tests as it should. Thanks to your earlier advice.

Ill call this thread closed. Thanks for your time.

bmeeks

@DDIC said in Bypass VPN Tunnel Interface - Outbound:

Aware of CDN, but pfsense resolves all FQDN's in a lookup when the alias is used does it not?

This is not necessarily 100% true. CDNs frequently alter IP addresses fairly rapidly, but the filterdns daemon that looks up FQDN aliases only updates every 5 minutes. Also it's entirely possible that at the precise moment when your client asks for the CDN IP that the IP will not match what the filterdns daemon received even just a few seconds earlier. All depends on the particulars of a given CDN setup with regards to localizing DNS lookups. This is also highly influenced by your choice of DNS configuration. For example, if your clients use something other than the exact same DNS that filterdns and the firewall is using, the IP lookups for a CDN could most definitely differ. Not saying it will never work, but using CDNs in a FQDN alias is not 100% foolproof.

DDIC

Is that update frequency tuneable?

bmeeks

@DDIC said in Bypass VPN Tunnel Interface - Outbound:

Is that update frequency tuneable?

Not to my knowledge.

johnpoz

Its not a simple edit in the gui now, but anything can be changed/edited if you work at it hard enough... Not going to solve you problem anyway.

First thing you need to validate is the IPs you think should be in the table are actually in the table.. Maybe they are not even updating... Validation is step 1.

Step 2 would be to see if your actually going down the vpn or not... From that guide your trying do do something with netflix? They stomp on vpn access all the time.. That is a wack-a-mole game your not going to win.

DDIC

Been stable for 24 hrs now. All working as it should with VPN bypass Aliases in place. Should it stop again, I will definitely look at the IP's for the CDN and refresh them to see if that's it. Had not thought of that. Happy to post tables etc for others if it would be of help.