Netgate Discussion Forum
Bypass VPN Tunnel Interface - Outbound

Category: OpenVPN
11 Posts, 4 Posters, 1.3k Views
DDIC:

Using on SG-1100 and ExVPN client normally.

I wish to point two devices to the original WAN Gateway, i.e. bypass VPN for these specific devices.

I have tried running 2 Gateways and a firewall rule that points the devices to the original WAN Gateway. Can't get out.

Can this actually be done with one WAN connection?

viragomann:

So you obviously did something wrong.
Just add an alias for these two IPs, add a firewall rule which allows the upstream traffic from this alias and specify the WAN GW in the advanced options.
Put that rule at the top of the LAN rule set.

johnpoz (LAYER 8 Global Moderator):

Most of the guides on the internet for using vpn services are shit.. They want you to route everything through them..

You will want to make sure you do not pull routes, and use hybrid vs manual outbound nat, and just add the outbound for the vpn interface you create, etc..

Then yeah it's quite easy to policy route what you want out via simple firewall rules and gateway selection in the rules.

Just remember rules are evaluated as traffic enters the interface from the network, top down, first rule to trigger wins, no other rules evaluated.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

DDIC @johnpoz:
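The two replies above describe the mechanics of policy routing in pfSense: an alias of source hosts, a LAN rule with a gateway picked in its advanced options, and the fact that rules are matched top down with the first hit winning. The following is an added example, not code from this thread or from pfSense itself: a small Python model of that first-match evaluation, with constructed aliases, LAN addresses and gateway names, showing why the narrow bypass rules have to sit above the broad "send these hosts to the VPN" rule.

```python
# Added example, not code from the thread or from pfSense: a small model of
# how pf evaluates LAN rules (top down, first match wins, "quick" rules) and
# how the gateway set in a rule's advanced options decides the egress path.
# All addresses, alias names and gateway names below are constructed.

from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Rule:
    name: str
    gateway: str                          # gateway chosen in the rule's advanced options
    src: FrozenSet[str] = frozenset()     # alias members; empty means "any"
    dst: FrozenSet[str] = frozenset()     # alias members; empty means "any"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (not self.src or src_ip in self.src) and (not self.dst or dst_ip in self.dst)


def select_gateway(rules, src_ip, dst_ip):
    """Evaluate rules as traffic enters the LAN interface: first match wins,
    nothing after it is consulted. No match at all means pf's default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.gateway
    return "blocked"


# Constructed aliases (hypothetical hosts on a 192.168.1.0/24 LAN).
BYPASS_DEVICES = frozenset({"192.168.1.20", "192.168.1.21"})   # the two hosts that must use WAN
VPN_DEVICES = frozenset({"192.168.1.10", "192.168.1.11"})      # hosts that should use the VPN
STREAMING_DST = frozenset({"203.0.113.5", "203.0.113.6"})      # constructed CDN IPs (TEST-NET-3)

# Correct order: the specific bypass rules sit above the broad VPN rule.
GOOD_ORDER = (
    Rule("bypass devices -> WAN", "WAN_GW", src=BYPASS_DEVICES),
    Rule("VPN devices -> streaming via WAN", "WAN_GW", src=VPN_DEVICES, dst=STREAMING_DST),
    Rule("VPN devices -> VPN", "VPN_GW", src=VPN_DEVICES),
    Rule("everything else -> system routing table", "default"),
)

# Wrong order: the VPN rule comes first and swallows the streaming traffic,
# so the per-destination bypass rule below it never triggers.
BAD_ORDER = (GOOD_ORDER[2], GOOD_ORDER[0], GOOD_ORDER[1], GOOD_ORDER[3])


def explain(rules):
    """Return the gateway each constructed sample flow gets, keyed by a label."""
    flows = {
        "bypass host to web": ("192.168.1.20", "198.51.100.1"),
        "vpn host to streaming": ("192.168.1.10", "203.0.113.5"),
        "vpn host to web": ("192.168.1.10", "198.51.100.1"),
        "other host to web": ("192.168.1.50", "198.51.100.1"),
    }
    return {label: select_gateway(rules, s, d) for label, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, explain(rules))
```

Running it prints the gateway chosen for each flow under both orderings; the only flow that changes is "vpn host to streaming", which lands on VPN_GW when the VPN rule is above the destination-based bypass rule. Real pf rules carry ports, protocols and states too, which this model leaves out.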

@johnpoz Copy on most guides. I have been using this guide to help me. https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/.

As far as I can tell, the setup of my "split tunnel" seems ok. Have created alias for devices to use VPN GW. I can direct my devices easily from one GW to another, WAN vs VPN, and can see that I have closed down all DNS leaks etc. of specific devices as tested when using VPN.

The technical solution that I can't seem to get to work is to place a domain name exception on the VPN device rule that works.

I have created an alias for domain destinations I want to redirect to the WAN GW. These are things like Netflix etc.

I have placed this rule first, before the general VPN device rule, but it does not seem to work as I still get proxy errors from Netflix.

In your reply you mentioned Hybrid NAT. Forgive my English, but are you saying to use it or not to use it? Currently using manual.

Appreciate any of your time.

johnpoz:

There is zero reason to use manual, hybrid is all you need. You're going to have to post up your rules if you want anyone to look at them... And have you validated your alias tables are correct in diagnostics?

You understand something like netflix is a CDN.. and the IPs are going to be all over the place and change all the time.

DDIC:

I used Manual as that's what the VPN provider recommended for their install. But I take your point.

Aware of CDN, but pfsense resolves all FQDNs in a lookup when the alias is used, does it not?

All Aliases and rules are good. Have swapped GWs to test DNS etc.

I finally had success about an hour ago. Seems that the VPN provider's assurance of a particular location was not as accurate as it should have been. That cost me and them a lot of time. ;(

So at this stage I would say the router and its config are ok. Performs and tests as it should. Thanks to your earlier advice.

I'll call this thread closed. Thanks for your time.

bmeeks @DDIC (last edited by bmeeks):

@DDIC said in Bypass VPN Tunnel Interface - Outbound:

> Aware of CDN, but pfsense resolves all FQDN's in a lookup when the alias is used does it not?

This is not necessarily 100% true. CDNs frequently alter IP addresses fairly rapidly, but the filterdns daemon that looks up FQDN aliases only updates every 5 minutes. Also it's entirely possible that at the precise moment when your client asks for the CDN IP, the IP will not match what the filterdns daemon received even just a few seconds earlier. It all depends on the particulars of a given CDN setup with regards to localizing DNS lookups. This is also highly influenced by your choice of DNS configuration. For example, if your clients use something other than the exact same DNS that filterdns and the firewall are using, the IP lookups for a CDN could most definitely differ. Not saying it will never work, but using CDNs in a FQDN alias is not 100% foolproof.

DDIC @bmeeks:

Is that update frequency tuneable?
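To make the two failure modes in the reply above concrete (the 5-minute filterdns refresh lagging behind a CDN's answer rotation, and a client resolving against a different DNS server than the firewall), here is an added example that is not part of the thread and not pfSense code: a Python time model with constructed resolver timelines. It computes what the FQDN alias table holds at a given moment versus what a client is connecting to, and reports the windows in which the bypass rule would miss and the traffic would be policy-routed down the VPN instead.

```python
# Added example, not code from the thread or from pfSense: a time model of
# the staleness described above. filterdns re-resolves FQDN aliases every
# 5 minutes (as stated in the thread), so the pf table holds whatever the
# firewall's resolver answered at the last refresh, while a client may be
# handed a different CDN address at any moment. All timelines are constructed.

REFRESH_INTERVAL = 300  # seconds between filterdns refreshes (per the thread)

# Constructed resolver timelines for one CDN hostname: (time_seconds, answer).
# The firewall's resolver rotates the answer at t=200 and again at t=700.
FIREWALL_DNS = [(0, "203.0.113.10"), (200, "203.0.113.11"), (700, "203.0.113.12")]
# A client using the same resolver as the firewall sees the same rotation.
CLIENT_SAME_DNS = FIREWALL_DNS
# A client using a different resolver (e.g. a hard-coded public DNS) is
# localized to another CDN node and never sees the firewall's answers.
CLIENT_OTHER_DNS = [(0, "198.51.100.20")]


def resolve(answers, t):
    """Latest answer issued at or before time t (answers sorted by time)."""
    current = None
    for when, ip in answers:
        if when > t:
            break
        current = ip
    return current


def table_at(t, fw_answers, refresh=REFRESH_INTERVAL):
    """Contents of the FQDN alias table at time t: the answer filterdns got
    at its most recent refresh, not the answer that is current right now."""
    last_refresh = (t // refresh) * refresh
    return {resolve(fw_answers, last_refresh)}


def bypass_matches(t, fw_answers, client_answers, refresh=REFRESH_INTERVAL):
    """True when the destination the client actually connects to is in the
    table, i.e. the WAN-bypass rule would match instead of the VPN rule."""
    return resolve(client_answers, t) in table_at(t, fw_answers, refresh)


def miss_windows(fw_answers, client_answers, horizon, refresh=REFRESH_INTERVAL):
    """Half-open [start, end) intervals during which the client's connections
    would miss the bypass rule and be policy-routed down the VPN instead."""
    windows, start = [], None
    for t in range(horizon):
        hit = bypass_matches(t, fw_answers, client_answers, refresh)
        if not hit and start is None:
            start = t
        elif hit and start is not None:
            windows.append((start, t))
            start = None
    if start is not None:
        windows.append((start, horizon))
    return windows


if __name__ == "__main__":
    print("same resolver as firewall:", miss_windows(FIREWALL_DNS, CLIENT_SAME_DNS, 900))
    print("different resolver:        ", miss_windows(FIREWALL_DNS, CLIENT_OTHER_DNS, 900))
```

With the client on the same resolver, the misses are confined to the gap between a CDN answer change and the next filterdns refresh; with the client on a different resolver, the table never contains the address the client uses, so the bypass rule never matches at all. That is the case where forcing LAN clients to use the firewall's own DNS makes the FQDN alias approach workable.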

bmeeks @DDIC:

@DDIC said in Bypass VPN Tunnel Interface - Outbound:

> Is that update frequency tuneable?

Not to my knowledge.

johnpoz:

It's not a simple edit in the gui now, but anything can be changed/edited if you work at it hard enough... Not going to solve your problem anyway.

First thing you need to validate is that the IPs you think should be in the table are actually in the table.. Maybe they are not even updating... Validation is step 1.

Step 2 would be to see if you're actually going down the vpn or not... From that guide you're trying to do something with netflix? They stomp on vpn access all the time.. That is a whack-a-mole game you're not going to win.

DDIC:

Been stable for 24 hrs now. All working as it should with VPN bypass Aliases in place. Should it stop again, I will definitely look at the IPs for the CDN and refresh them to see if that's it. Had not thought of that. Happy to post tables etc. for others if it would be of help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.