Dedicated VLAN+VAP for Openvpn client - no net for main network



  • My goal is to have a dedicated Virtual AP (named vpn bbc, in my case) for my openvpn client connection to vpnunlimited UK server.

    From the attached diagram, my pfSense connects to my dd-wrt AP with main network subnet 192.168.2.x. There are a number of VLANs and VAPs for my iot and guest devices. My main network can access the iot and guest devices, but not the other way. These are all working fine. DHCP/DNS/firewall rules for all of them are managed by pfSense.

    I've created another VLAN (6) and VAP to support the VPN clients (I want to see BBC iplayer program). The VLAN/VAP itself without OpenVPN client is working fine as usual. But when I create the OpenVPN client by following the guide from vpnunlimited here:
    https://www.vpnunlimitedapp.com/en/info/manuals/pfsense-configuration-guide
    I have the following situation, when I connect my pfSense to Openvpn client:

    1. The OpenVPN client connects successfully.
    2. When I connect to the VAP dedicated to the VPN (vpn_bbc), I have an internet connection, and whatismyip reports my location as a UK site. I can play BBC iPlayer video without problems.
    3. But when I switch my connection to my main network (192.168.2.x, 192.168.4.x, 192.168.5.x), there is no internet.

    So in summary, whenever pfSense connects as an OpenVPN client, there is no internet connection on any network except the VAP (vpn bbc), which is what I intended. Any suggestions as to what I have done wrong or not enough?

    If you would like to see more of my setup on PfSense, please let me know.
    FYI, I also have an OpenVPN server running (allowing me to securely connect to my local network from outside). I don't think it is relevant, though.

    Thanks.

    8832cb52-c907-463b-a30b-a70405595554-image.png

    Here is my setup on pfSense:
    Interface:
    47110d42-b4af-485e-b888-daa208e806c8-image.png

    No rule for the Openvpn client
    0954b6d9-b9f6-4d71-bbea-a4933d9d8aee-image.png

    Rules for VLAN6, which is dedicated to vpn_bbc
    1af98e44-188b-4e7f-ab75-ac9a6be94934-image.png

    Alias
    1ee63742-96b6-43db-a309-daeadf23c551-image.png

    outbound NAT part 1
    4d23aa0a-880b-4810-a2f0-8bb88da7239a-image.png
    outbound NAT part 2
    20b4c46c-e6eb-4838-b104-dbcf8fb1b819-image.png

    VPN client setting:
    35ef1e31-78bb-4667-bbd9-52b945125913-image.png

    Interface assignment:
    c4ca7fda-28c5-4abb-bdf3-2d79bf70cffd-image.png



  • additional LAN rule
    dd38085a-dd38-4300-9657-c0ccfaa3603b-image.png



  • Update:
    Thanks to this guide: https://blog.monstermuffin.org/tunneling-specific-traffic-over-a-vpn-with-pfsense/
    I need to do two more things on the vpn client settings:

    • check the "Don't add/remove routes"
    • add "route-nopull" in the Custom options
      Now it works as it should, i.e., my virtual AP VPN_BBC has a 24/7 VPN whilst my other subnets have normal internet traffic.
      a81384b2-9851-4ef9-8814-327a8b2cbe0a-image.png
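    The symptom in this thread (every subnet losing internet as soon as the OpenVPN client connects) is what it looks like when the VPN provider pushes a default route and pfSense installs it; "Don't add/remove routes" plus route-nopull stops that, so the default route stays on WAN and only the policy-routed VLAN6 traffic uses the VPN gateway. The following script is an added example, not code from the thread or from pfSense: it checks a routing table (the text of `netstat -rn` on pfSense/FreeBSD) and reports which interface carries the default route, so you can confirm before and after the change. The two route tables, the WAN interface name igb0 and the gateway 203.0.113.1 are constructed sample values; ovpnc1 is pfSense's naming for the first OpenVPN client interface.

```shell
#!/bin/sh
# Added example: verify that an OpenVPN client has not taken over the
# default route. Input is the text of `netstat -rn` (FreeBSD/pfSense);
# the samples below are constructed, not captured from a real box.

# Constructed sample: routes pulled from the provider (the broken state).
# The default route now points at the tunnel, so every subnet that is not
# policy-routed goes out the VPN, or nowhere if the tunnel drops.
PULLED='Destination        Gateway            Flags     Netif
default            10.8.0.1           UGS       ovpnc1
10.8.0.0/24        link#9             U         ovpnc1
192.168.2.0/24     link#2             U         igb1'

# Constructed sample: after "Don't add/remove routes" + route-nopull.
# The default route stays on WAN (igb0, assumed name); the tunnel only
# carries what the VLAN6 firewall rule explicitly sends to its gateway.
NOPULL='Destination        Gateway            Flags     Netif
default            203.0.113.1        UGS       igb0
10.8.0.0/24        link#9             U         ovpnc1
192.168.2.0/24     link#2             U         igb1'

# Print the Netif (4th column) of the "default" row; prints nothing if the
# table has no default route at all.
default_route_netif() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $4; exit }'
}

# Return 0 when the default route is on the expected WAN interface,
# 1 when it has moved to the tunnel (or is missing).
# Usage: check_default_on_wan <wan_netif> "<netstat -rn output>"
check_default_on_wan() {
    _wan=$1
    _netif=$(default_route_netif "$2")
    if [ "$_netif" = "$_wan" ]; then
        echo "OK: default route on $_netif"
        return 0
    fi
    echo "WARNING: default route on '${_netif:-<none>}', expected $_wan"
    return 1
}

# Stand-alone run over both constructed tables. On a live pfSense box you
# would call: check_default_on_wan igb0 "$(netstat -rn)"
check_default_on_wan igb0 "$PULLED" || true
check_default_on_wan igb0 "$NOPULL" || true
```

    Run it from a pfSense shell with the real `netstat -rn` output and your actual WAN interface name; a WARNING line is the routing-table view of the "no internet on the other subnets" symptom described above.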
