Firewall (as itself) defaults to VPN gateway not WAN gateway. Where do I change that?


  • I have multiple OpenVPN (i.e. NordVPN, PIA) Gateways set up in a group and LAN rule to set the gateway group as the default gateway for most servers. Some servers use a rule to bypass the VPN(s) and force the WAN (static IP) gateway. That all works fine.

    When I attempt to download custom packages via pfSense shell, the IP address of the firewall shows as one of the OpenVPN gateways (Not the WAN static IP of the firewall). That is not a big deal as I don't do it often.

    However, I'm trying to issue/renew ACME / Let's Encrypt certificates and it's failing because it thinks my IP address is one of the VPN IP addresses. If I disable all my OpenVPN connections, the certificates validate because now the pfSense firewall IP address shows (correctly) as the static WAN IP address.

    In order for the cron / auto-renew process to work, I must get the firewall to use the WAN IP address and NOT use one of the VPN gateways, even when they are enabled. What is the best way to do this?

    In other words, my primary question is: How do I force the pfSense firewall itself to bypass any VPNs when reaching out to the internet (i.e. downloading updates / renewing Let's Encrypt certs on port 80)?

    I was thinking I could create a rule, but I don't know what that rule would be. If it is a rule, would it be a LAN rule? A WAN rule? What would be the source? Maybe there is some other setting somewhere I'm not aware of?

    Thanks in advance.