Netgate Discussion Forum
    Bypass VPN Tunnel Interface - Outbound

    viragomann:

      So you obviously did something wrong.
      Just add an alias for these two IPs, add a firewall rule which allows the upstream traffic from this alias and specify the WAN GW in the advanced options.
      Put that rule to the top of the LAN rule set.

      johnpoz (LAYER 8 Global Moderator):

        Most of the guides on the internet for using vpn services are shit.. They want you to route everything through them..

        You will want to make sure you do not pull routes, and use hybrid vs manual outbound nat, and just add the outbound for the vpn interface you create, etc..

        Then yeah it's quite easy to policy route what you want out via simple firewall rules and gateway selection in the rules.

        Just remember rules are evaluated as traffic enters the interface from the network, top down, first rule to trigger wins, no other rules evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        DDIC @johnpoz:

          @johnpoz Copy on most guides. I have been using this guide to help me. https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/.

          As far as I can tell, the setup of my "split tunnel" seems ok. Have created an alias for devices to use the VPN GW. I can direct my devices easily from one GW to another, WAN vs VPN, and can see that I have closed down all DNS leaks etc. of specific devices as tested when using the VPN.

          The technical solution that I can't seem to get to work, is to place a domain name exception on the VPN device rule that works.

          I have created an alias for domain destinations I want to redirect to the WAN GW. These are things like Netflix etc.

          I have placed this rule first before the general VPN device rule, but it does not seem to work as I still get proxy errors from Netflix.

          In your reply you mentioned Hybrid NAT. Forgive my English, but are you saying to use it or not to use it? Currently using manual.

          Appreciate any of your time.

          johnpoz (LAYER 8 Global Moderator):

            There is zero reason to use manual, hybrid is all you need. You're going to have to post up your rules if you want anyone to look at them... And have you validated your alias tables are correct in Diagnostics?

            You understand something like netflix is a CDN.. and the IPs are going to be all over the place and change all the time.


            DDIC:

              I used Manual as that's what the VPN provider recommended for their install. But I take your point.

              Aware of CDN, but pfSense resolves all FQDNs in a lookup when the alias is used, does it not?

              All Aliases and rules are good. Have swapped GW's to test DNS etc.

              I finally had success about an hour ago. Seems that the VPN provider's assurance of a particular location was not as accurate as it should have been. That cost me and them a lot of time. ;(

              So at this stage I would say the router and its config are ok. Performs and tests as it should. Thanks to your earlier advice.

              I'll call this thread closed. Thanks for your time.

              bmeeks @DDIC:

                @DDIC said in Bypass VPN Tunnel Interface - Outbound:

                Aware of CDN, but pfsense resolves all FQDN's in a lookup when the alias is used does it not?

                This is not necessarily 100% true. CDNs frequently alter IP addresses fairly rapidly, but the filterdns daemon that looks up FQDN aliases only updates every 5 minutes. Also it's entirely possible that at the precise moment when your client asks for the CDN IP, the IP will not match what the filterdns daemon received even just a few seconds earlier. All depends on the particulars of a given CDN setup with regards to localizing DNS lookups. This is also highly influenced by your choice of DNS configuration. For example, if your clients use something other than the exact same DNS that filterdns and the firewall are using, the IP lookups for a CDN could most definitely differ. Not saying it will never work, but using CDNs in a FQDN alias is not 100% foolproof.

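The two failure modes bmeeks describes (the alias table refreshing only every 5 minutes while the CDN record rotates faster, and the client resolving against a different DNS server than the firewall) can be modelled with a small simulation. This is an added example, not code from the thread or from pfSense; the 300-second interval comes from the post, while the hostname, the resolver rotation behaviour and the documentation-range IP addresses are constructed.

```python
"""Model a filterdns-style FQDN alias against a rotating CDN answer (constructed example)."""

FILTERDNS_INTERVAL = 300  # seconds; the 5-minute refresh period quoted in the thread


class RotatingResolver:
    """Constructed stand-in for a DNS view whose answer for a name changes over time."""

    def __init__(self, answers, rotate_every):
        self.answers = answers          # ordered list of IPs the view hands out
        self.rotate_every = rotate_every  # seconds between answer changes

    def resolve(self, name, now):
        # Which answer is current at time `now`; `name` is ignored in this toy model.
        return self.answers[(now // self.rotate_every) % len(self.answers)]


class FqdnAlias:
    """Alias table as filterdns would maintain it: re-resolved only every `interval` seconds."""

    def __init__(self, name, resolver, interval=FILTERDNS_INTERVAL):
        self.name = name
        self.resolver = resolver
        self.interval = interval
        self.table = set()
        self.last_refresh = None

    def current_table(self, now):
        # Refresh on first use and then only after the full interval has elapsed.
        if self.last_refresh is None or now - self.last_refresh >= self.interval:
            self.table = {self.resolver.resolve(self.name, now)}
            self.last_refresh = now
        return self.table


def rule_matches(alias, client_resolver, now):
    """Would a 'destination = alias' policy-route rule match the IP the client just resolved?"""
    client_ip = client_resolver.resolve(alias.name, now)
    return client_ip in alias.current_table(now)


def simulate(duration, step, firewall_resolver, client_resolver, interval=FILTERDNS_INTERVAL):
    """Return the times at which a client connection would miss the bypass rule."""
    alias = FqdnAlias("cdn.example", firewall_resolver, interval)  # constructed hostname
    return [t for t in range(0, duration, step)
            if not rule_matches(alias, client_resolver, t)]


if __name__ == "__main__":
    cdn = RotatingResolver(["198.51.100.10", "198.51.100.11"], rotate_every=120)
    print("misses, same DNS but CDN rotates faster than filterdns:", simulate(660, 60, cdn, cdn))
```

A miss means the connection falls through to the general VPN rule, which is exactly the intermittent "proxy error" behaviour the thread describes, and the same model shows every lookup missing when client and firewall use different DNS views.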
                DDIC @bmeeks:

                  Is that update frequency tuneable?

                  bmeeks @DDIC:

                    @DDIC said in Bypass VPN Tunnel Interface - Outbound:

                    Is that update frequency tuneable?

                    Not to my knowledge.

                    johnpoz (LAYER 8 Global Moderator):

                      It's not a simple edit in the GUI now, but anything can be changed/edited if you work at it hard enough... Not going to solve your problem anyway.

                      First thing you need to validate is the IPs you think should be in the table are actually in the table.. Maybe they are not even updating... Validation is step 1.

                      Step 2 would be to see if you're actually going down the VPN or not... From that guide you're trying to do something with Netflix? They stomp on VPN access all the time.. That is a whack-a-mole game you're not going to win.


                      DDIC:

                        Been stable for 24 hrs now. All working as it should with VPN bypass aliases in place. Should it stop again, I will definitely look at the IPs for the CDN and refresh them to see if that's it. Had not thought of that. Happy to post tables etc. for others if it would be of help.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.