• I have a pfSense box with an incoming WAN connection and one LAN that is then split using an unmanaged switch to multiple connections. I have a Ruckus R600 Unleashed AP on one of the connections. I have created a separate SSID on my Ruckus AP with a separate VLAN setting of 99. I would like all clients connected to this SSID to be routed via PIA VPN. I have already set up an OpenVPN client with a firewall alias for specific clients to go through this VPN. The issue is that if I want a client to be on the VPN only when needed, I would have to edit the alias all the time to include/exclude clients. Instead, I was hoping to have a separate wifi SSID which is always routed through the VPN, to which I can connect/disconnect as and when needed.

    What do I need to do to enable this setup?

  • LAYER 8 Global Moderator

    Sure, that is a simple policy route.. Just don't pull routes from your VPN service, since that will route everything out your VPN.

    Then on the firewall rules for the SSID/VLAN you want to use the VPN, policy route (change the gateway) to use the VPN on the rules.. after you allow whatever local traffic you might want to allow.

    On your other SSID/VLAN, just don't do that..

    https://docs.netgate.com/pfsense/en/latest/routing/directing-traffic-with-policy-routing.html


  • Thanks @johnpoz

    I created a new interface for my VLAN 99 tag and enabled a DHCP server on it, on a different subnet (192.168.2.0). In the firewall rules for this interface, I added an allow for all traffic from it with my PIA gateway.

    After doing this, I connected my client to the new SSID, but I am not able to get on to the internet. Also, since I am on a different subnet, the pfSense router IP is also in this subnet now, which I can access, but there is no outside-world access. How do I go about debugging this?

    Also, considering that I am using an unmanaged switch (actually the Ruckus is behind a second unmanaged switch), the VLAN tag is still being passed through and not stripped out, right?

  • LAYER 8 Global Moderator

    Did you modify your outbound NAT to NAT to your VPN interface? Change to hybrid and add a NAT to your VPN interface..

    Unmanaged switch - not sure how you expect that to work.. It sure isn't secure.. It ends up just being multiple layer 3 over the same layer 2.

    No, dumb switches should not actually strip the tag... But it is not the correct way to do it, and there is no actual isolation..
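    The three things the moderator's two replies ask for (policy route on the VLAN rules, outbound NAT on the VPN interface, no pulled routes) can be checked from the pfSense shell rather than by clicking through the GUI. The script below is an added example, not code from either poster or from Netgate; it assumes placeholder names (VLAN subnet 192.168.2.0/24, OpenVPN client interface ovpnc1) and the sample `pfctl`/`netstat` output it contains is constructed, not captured from a real box. A NAT rule bound to the VLAN interface instead of the VPN interface, for instance, fails check 2.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for "VLAN SSID -> VPN" on pfSense.
# Assumed placeholders: VLAN subnet 192.168.2.0/24, OpenVPN client interface ovpnc1.
# Each check reads text on stdin, so it works on live pfctl/netstat output or a saved copy.
VLAN_NET="${VLAN_NET:-192.168.2.0/24}"
VPN_IF="${VPN_IF:-ovpnc1}"

# 1) Policy route: a pass rule for the VLAN subnet must carry route-to via the VPN interface.
#    Input: output of `pfctl -sr`.
has_policy_route() {
  grep -E "^pass .*from $1 .*route-to \(?$2[ )]" >/dev/null
}

# 2) Outbound NAT: a nat rule ON the VPN interface for the VLAN subnet (not on the VLAN
#    interface). Input: output of `pfctl -s nat`.
has_outbound_nat() {
  grep -E "^nat on $2 .*from $1 " >/dev/null
}

# 3) Routes not pulled: the default route must not point at the VPN interface, or every
#    subnet (not just the VLAN) leaves through the tunnel. Input: `netstat -rn -f inet`.
default_route_not_vpn() {
  ! awk -v ifc="$1" '$1 == "default" && $4 == ifc { hit = 1 } END { exit !hit }'
}

# Run all three against the live box (root shell on pfSense): sh thisscript.sh live
run_checks() {
  pfctl -sr | has_policy_route "$VLAN_NET" "$VPN_IF" \
    && echo "ok: policy route" || echo "MISSING: route-to $VPN_IF for $VLAN_NET"
  pfctl -s nat | has_outbound_nat "$VLAN_NET" "$VPN_IF" \
    && echo "ok: outbound NAT" || echo "MISSING: nat on $VPN_IF for $VLAN_NET"
  netstat -rn -f inet | default_route_not_vpn "$VPN_IF" \
    && echo "ok: default route" || echo "WRONG: default route is via $VPN_IF (routes pulled)"
}

# Constructed sample output (not captured from a real box) to exercise the checks offline.
SAMPLE_RULES='pass in quick on vlan0.99 inet from 192.168.2.0/24 to any flags S/SA keep state route-to (ovpnc1 10.8.0.1) label "USER_RULE: VLAN99 via PIA"'
SAMPLE_NAT='nat on ovpnc1 inet from 192.168.2.0/24 to any -> (ovpnc1) port 1024:65535'
# Wrong variant: NAT bound to the VLAN interface instead of the VPN interface.
BAD_NAT='nat on vlan0.99 inet from 192.168.2.0/24 to any -> (vlan0.99) port 1024:65535'
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         em0
10.8.0.0/24        link#7             U        ovpnc1'

if [ "${1:-}" = "live" ]; then run_checks; fi
```

On a live box the three functions take the real command output on stdin exactly as `run_checks` does, so the same script serves both the offline self-test and the real check.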


  • @johnpoz I went ahead and copied over the outbound NAT rules I had set up for my earlier PIA interface (where I had set up IP-address-based VPN routing for my other subnet). I made the necessary changes related to the interface (VLAN interface instead of PIA interface) and changed the subnet to 192.168.2.0 instead of 192.168.1.0.

    I am still not able to connect to the internet.

    Btw, I understand that an unmanaged switch is not the correct approach, but for now this is all I have handy. I will go down the path of using managed switches in the near future.