Forcing traffic from one of 2 LAN subnets through VPN.

  • Hi all, new to PFSense so posting here hoping to get things straightened out. I've installed PFSense in proxmox and have configured 1 WAN gateway and 2 LANs, each with there own NIC linked to virtual bridges (vmbr) in proxmox. This is working, and virtual machines assigned the vmbr of LAN2 are assigned a DHCP address on LAN2. What I want to achieve is for all connections on LAN2 to use a vpn. I have followed some set-up instructions and connection status of the VPN is shown as 'up':

    However, nothing on LAN2 curently has internet access and a wired connection to the LAN2 NIC also fails to make a connection. My interface assignments look like this:
    Here are my outbound nat rules:

    I currently only have the default firewall rules for LAN and WAN. I tried copying the default allow any for LAN2 but it made no difference so I deleted it. What do I need to do to get LAN2 with functioning internet through the VPN? It must be simple but I'm afraid I don't have the requisite knowledge of PFSense yet.

  • You have to direct the LAN2 traffic to the VPN server by a Policy Routing rule.

    I assume, OPT1 is your VPN interface (you may give it a friendly name) and is your LAN2 network. So copy the LAN default rule again, change the interface to LAN2, expand the advanced options, go down to 'gateway' and select the VPN gateway.

    Keep in mind that the LAN2 devices have to use a public DNS, so that DNS traffic directed over the VPN as well. Otherwise, if they are using pfSense for DNS, you have to allow DNS access by an additional rule (the rule above only allows access to the VPN gateway not to pfSense) and if you want to avoid DNS leaking you should direct the whole DNS traffic from pfSense over the VPN.

  • Thanks for taking the time. So, I added the DNS servers in the DHCP settings and made a new firewall rule for Lan2 and added the vpn as the gateway:

    Once I did that, I lost all connection to the internet on LAN1?? However, it did briefly change the VPN gateways to online rather than pending.

    However, When it did that, it was the VPN_VPNV6 that was labelled as default. Have I made a mistake somewhere? Also, my VPN status is also showing IPV6 related settings, but I don't know why:

    It was also the same instead of N/A here (I renamed OPT1 VPN):

    I'm actually more lost than I was before. How did it affect internet access on LAN 1? I'm not sure where to go from here.

  • So your VPN isn't still working at all. Above you wrote, it's up already.
    There's no sense to route anything if the VPN is not established.

    Since it seems that you have no IPv6 setup in your LANs I'd recommend to disable the IPv6 gateway. To do so go to the VPN client settings and check 'IPv4 only' at 'Gateway creation'.

    As well check 'Don't pull routes' to avoid to get pushed the default route from the server.

  • Wow, that seems to have made it work, thanks a lot. I'm still not able to disable ipv6 though, which is strange as I've also disabled it in the gateways section, but even greyed out it is listed as default. Glad it's working at least partially how I'd hoped though - much appreciated!

Log in to reply