Routing only one port on NIC through openvpn



  • Hello, I am brand new to pfsense and I could use some help. I have pfsense up and running now with my modem running igb0 as WAN and a Netgear router in bridge that serves the rest of my network connected to igb1 as LAN. I would like to connect the igb2 ethernet port directly to another device but have all its traffic and only its traffic routed through openvpn. What's the best way to achieve that? Thanks!

    I have mullvad vpn, the new device would be a raspberry pi. I haven't set up mullvad at all in pfsense but here are their instructions



  • @chuccck

    You'd have to configure routing so that only traffic for that port's IP subnet is allowed.



  • @JKnott
    Thanks for the reply! I guess I need step by step instructions because what you said makes sense but I don't know how to do it



  • First things first.

    @chuccck said in Routing only one port on NIC through openvpn:

    my modem running igb0 as WAN and a Netgear router in bridge that serves the rest of my network connected to igb1 as LAN.

    A modem to bridge your internal networks to the outside, ok.
    pfSense as a router and firewall, right on!
    Why another router - the Netgear?

    @chuccck said in Routing only one port on NIC through openvpn:

    connect the igb2 ethernet port to directly to another device

    Like a second LAN? That's rather classic. Like 192.168.1.1/24 - the LAN, for your devices. And a second LAN, initially called OPT1, 192.168.2.1/24 for the non-trusted devices, or DMZ, or whatever.

    Btw: Dunno what mullvad is.

    @chuccck said in Routing only one port on NIC through openvpn:

    but have all its traffic and only it's traffic routed through openvpn.

    So the gateway of this igb2 interface isn't the 'default' gateway (see System > Routing > Gateways) but a .... actually, what type of VPN are you talking about ?
    VPN-Client ?
    VPN-server ?

    You saw the dedicated OpenVPN section ?

    I advise you to check out the manual first. pfSense uses a GUI to set things up. No cryptic command lines, true, but still: not reading the manual will get you nowhere.
    Btw: check out also the Youtube => Netgate channel. Several OpenVPN-related videos exist.


  • Netgate Administrator

    I assume the Netgear is running in 'bridge mode' here. So as an access point / switch only.

    This should be pretty easy. First set up igb2 as a second LAN as Gertjan said above. So assign it, enable it and set it as an unused static subnet. Enable DHCP on the new interface if you need it. Add a firewall rule on it to pass whatever traffic you need. Now make sure the RasPi has general internet access via the WAN.

    Configure the OpenVPN client to connect to your service. Assign the client as an interface, this will give you a gateway to route through. The VPN service will probably send a redirect route when you connect which will change the system default route and send all traffic over the VPN. Set 'Don't pull routes' to prevent that.

    Now set that gateway on the firewall rule on the igb2 interface so that any traffic passed by it is sent over the VPN.
    You might need a rule to pass DNS traffic locally if it still needs access to that.

    If you don't want traffic from the RasPi to go over the WAN if the VPN goes down you can set 'Skip rules when gateway is down' in Sys > Adv > Misc.

    Steve



  • @stephenw10 @Gertjan
    Wow, thanks for the detailed replies! I am glad to find a welcoming place to ask such newb questions.

    To answer a few questions, yes the netgear router is just connected as a switch in AP/Bridge mode. It does nothing but serve wifi and act as a basic switch.

    Yes, basically I want to do a second LAN but have the raspberry pi connected to it have all its traffic routed through the openvpn. I have Mullvad VPN service and I am only familiar with their windows client. I intend to set openvpn to route the second LAN's traffic through mullvad (I believe that means setting up the client side in openvpn settings, but not sure). I will check out the openvpn forums for further help.

    I will run through your steps tonight when I get home from work. Thanks again for your help!


  • Netgate Administrator

    We did a hangout on this a few years ago you might like to watch: https://youtu.be/lp3mtR4j3Lw



  • @stephenw10 @Gertjan

    thanks guys! I got the port active and getting traffic through the WAN. I am struggling with the openvpn piece of it though, following these instructions but the status/openvpn shows down, unable to contact daemon. Nonetheless, getting the port active is a huge accomplishment (no sarcasm, I was struggling). I will take the openvpn/mullvad settings questions to the openvpn forum this weekend. Thanks again.


  • Netgate Administrator

    If the status page is not able to see the daemon running it was probably unable to start because of a config error.
    Check the OpenVPN logs. They will usually show exactly what's failing.

    That guide, like most other guides from VPN providers, is for sending all your traffic over the VPN and will break anything using the WAN. It's better to selectively send only the traffic you need over the VPN in many situations. It certainly is here where you have only one interface using the VPN.

    Steve



  • @stephenw10

    Thanks. I'll look into it tonight.

    One thing I forgot to ask about is I am having trouble accessing some of my other computers on the normal LAN. I can ping some of them, but the PCs that have static IP addresses with port forwarding rules all show no response.


  • Netgate Administrator

    If you're trying to ping them by hostname then pfSense probably doesn't know them unless you have added them as static entries. You probably have DHCP set to update the DNS server with hostnames when they get a lease so it can resolve those clients.

    You should be able to ping them by IP directly though.

    Steve



  • @stephenw10

    Actually I was pinging them by IP address and not hostname and getting no response.


  • Netgate Administrator

    Ok, if you only have a firewall rule with the OpenVPN gateway set it will force all traffic out that way which will break connectivity to the LAN.
    Add a rule on the new interface above any rules with a gateway set to pass ping traffic to the LAN.

    Otherwise check the firewall logs. Check the state table while you're pinging.

    Steve
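The setup Steve describes across his two replies (OpenVPN client assigned as an interface with 'Don't pull routes', a pass rule on the new interface with the VPN gateway set, a LAN pass rule ordered above it so local traffic is not policy-routed, and optionally 'Skip rules when gateway is down') can be sanity-checked against a backed-up config.xml. The script below is an added example, not code from the thread or from Netgate; the sample XML is constructed, and the element names route_no_pull and skip_rules_gw_down are assumed from pfSense's config layout rather than taken from the posts.

```python
"""Check a pfSense config.xml for the OPT1-over-VPN policy-routing setup from the thread."""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check looks at.
# Element names route_no_pull / skip_rules_gw_down are assumptions about pfSense's config.
SAMPLE_CONFIG = """<pfsense>
  <system><skip_rules_gw_down/></system>
  <openvpn><openvpn-client><vpnid>1</vpnid><route_no_pull/></openvpn-client></openvpn>
  <filter>
    <rule><type>pass</type><interface>opt1</interface>
      <source><network>opt1</network></source>
      <destination><network>lan</network></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><gateway>MULLVAD_VPNV4</gateway>
      <source><network>opt1</network></source>
      <destination><any/></destination></rule>
  </filter>
</pfsense>"""


def check_policy_routing(xml_text, iface="opt1", lan_net="lan"):
    """Return a dict of booleans, one per point raised in the thread."""
    root = ET.fromstring(xml_text)
    findings = {}
    # The OpenVPN client must not accept the provider's redirect-gateway route,
    # otherwise the system default route moves onto the VPN for every interface.
    client = root.find("./openvpn/openvpn-client")
    findings["route_no_pull"] = client is not None and client.find("route_no_pull") is not None
    # Fail closed: rules whose gateway is down are skipped instead of falling back to WAN.
    findings["skip_rules_gw_down"] = root.find("./system/skip_rules_gw_down") is not None
    # Rules on the interface in evaluation order; the first matching pass rule wins,
    # so a rule with a gateway set above the LAN rule would policy-route LAN pings too.
    rules = [r for r in root.findall("./filter/rule") if r.findtext("interface") == iface]
    vpn_index = next((i for i, r in enumerate(rules) if r.find("gateway") is not None), None)
    lan_index = next((i for i, r in enumerate(rules)
                      if r.find("gateway") is None
                      and r.findtext("destination/network") == lan_net), None)
    findings["vpn_gateway_rule"] = vpn_index is not None
    findings["lan_bypass_above_vpn"] = (lan_index is not None
                                        and (vpn_index is None or lan_index < vpn_index))
    return findings


if __name__ == "__main__":
    for name, ok in check_policy_routing(SAMPLE_CONFIG).items():
        print(f"{name:22s} {'OK' if ok else 'MISSING'}")
```

Point it at a real config backup by replacing SAMPLE_CONFIG with the file contents; a False for lan_bypass_above_vpn is the symptom described later in the thread, where pings to the LAN get no reply because they are forced out the VPN gateway.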

