Netgate Discussion Forum

    Routing and OpenVPN

      DrJon:

      Hi, I hope this is in the correct area, apologies if it's not. I am new to pfSense and new to OpenVPN.

      I have managed to get NordVPN set up and working and it covers all devices on my LAN.
      I went to use Amazon PRIME on my Fire TV but it has detected I'm using a VPN.
      The VPN is primarily to keep our data secure and private rather than bypassing geoIP restrictions.
      What I'd like to do is have a group of individual devices bypass the VPN and just use the standard ISP connection.
      I am not sure how to achieve this as the VPN is covering the whole LAN connection to the switch.
      I have done some reading to try and find out, such as adding static addresses and aliases? But for devices such as a Fire TV stick I don't know how to set a static IP from the device, and as my LAN is providing DHCP I don't know how I can, or if I can, assign it from within pfSense.
      Can you use MAC addresses rather than IP as these won't change where an IP theoretically can?

      As you can probably tell I'm a little confused about what I need to do and how I do it.
      If anybody can help I'd be very much obliged.

        viragomann @DrJon:

        @DrJon said in Routing and OpenVPN:

        I am not sure how to achieve this as the VPN is covering the whole LAN connection to the switch.

        It just sets the default route pointing to the VPN server.

        @DrJon said in Routing and OpenVPN:

        Can you use MAC addresses rather than IP as these won't change where an IP theoretically can?

        Not in a rule directly in pfSense, but you can use it on the DHCP to assign a static mapping to the firestick. So in the end it has a static IP.

        After that you can use that IP in a policy routing rule, where you can direct access to addresses on the internet to the WAN gateway.

          DrJon:

          Great, thank you. How do I do that, could you give me an example?

            viragomann @DrJon:

            @DrJon said in Routing and OpenVPN:

            Great, thank you. How do I do that, could you give me an example?

            What? The rule or the static mapping? Don't know how you provide DHCP.

              DrJon @viragomann:

              @viragomann said in Routing and OpenVPN:

              @DrJon said in Routing and OpenVPN:

              Great, thank you. How do I do that, could you give me an example?

              What? The rule or the static mapping? Don't know how you provide DHCP.

              Both, if you're able to. DHCP is provided from pfSense on the LAN port.

                viragomann:

                For the static mapping go to Services > DHCP Server > LAN and down to DHCP Static Mappings for this Interface > Add. Enter the MAC, a Client Identifier for you and an IP to map to it, which must be outside of the DHCP pool. Hostname and Description are optional.

                Go to Firewall > Rules > LAN and add a rule at the top of the rule set:
                Action: Pass
                Source: the IP you have mapped to the firestick
                Destination: check Invert and select "This firewall"
                Open the Advanced options, go to Gateway and select the WAN GW.

                  DrJon:

                  Great, thank you! That worked... eventually, after various restarts from the pfSense to the access point (R8000 Nighthawk, soon to be replaced). Not sure if it's a router issue, a pfSense issue or a user issue, but I have had to forget and re-add the network AP on a few of the devices that seemed to be having connection issues; this has solved it on those devices so far.

                    nirmalts @viragomann:

                    @viragomann said in Routing and OpenVPN:

                    destination: check invert and select "This firewall"

                    Short question: what's the motivation behind this invert?

                      viragomann @nirmalts:

                      @nirmalts said in Routing and OpenVPN:

                      @viragomann said in Routing and OpenVPN:

                      destination: check invert and select "This firewall"

                      Short question: what's the motivation behind this invert?

                      The rule passes all traffic from the firestick to the WAN gateway. But assuming pfSense provides services like DNS or NTP to the LAN devices, pfSense has to be excluded from destinations. Without that, no access from firestick to these services would be possible.

                      Of course, access to pfSense should be more restricted, but that's not part of this thread and is possibly already done by other rules.

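To make the effect of that inverted destination concrete, here is an added example (not code from the thread, and not pfSense's own rule engine). It models only the first-match evaluation order of the two LAN rules from viragomann's earlier post, with and without the "Invert, This firewall" destination, and reports which gateway each packet would be handed to. All addresses, rule names, the "WAN_GW" label and the firestick's static-mapping IP are constructed; "default" stands for the routing table, whose default route points at the VPN once the NordVPN client is up.

```python
"""First-match model of the LAN rule set discussed in this thread.

Added example, not pfSense code: it models the evaluation order (the first
matching rule wins) to show what the "Invert, This firewall" destination
changes. Addresses, rule names and gateway labels are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IP = ipaddress.IPv4Address
FIRESTICK_NET = ipaddress.ip_network("192.168.1.50/32")   # constructed static-mapping IP
THIS_FIREWALL: Set[IP] = {IP("192.168.1.1")}              # constructed pfSense LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: Optional[Set[IP]]     # None means "any destination"
    invert_dst: bool           # True = match everything EXCEPT dst
    gateway: str               # "WAN_GW" (policy route) or "default" (routing table)

    def matches(self, src: IP, dst: IP) -> bool:
        if src not in self.src:
            return False
        if self.dst is None:
            return True
        hit = dst in self.dst
        return (not hit) if self.invert_dst else hit


def lan_rules(invert: bool) -> List[Rule]:
    """The two LAN rules from the thread, bypass rule on top as instructed."""
    return [
        Rule("firestick-bypass", FIRESTICK_NET, THIS_FIREWALL, invert, "WAN_GW"),
        # The stock "LAN to any" rule: no gateway set, so the routing table
        # decides, and its default route is the VPN.
        Rule("lan-allow-all", LAN, None, False, "default"),
    ]


def evaluate(rules: List[Rule], src: IP, dst: IP) -> Tuple[str, Optional[str]]:
    """Return (rule name, gateway) of the first matching rule, else the default block."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.name, rule.gateway
    return "default-block", None


def gateway_for(invert: bool, src: str, dst: str) -> Optional[str]:
    """Gateway a packet from src to dst would be handed to under the LAN rule set."""
    return evaluate(lan_rules(invert), IP(src), IP(dst))[1]


if __name__ == "__main__":
    firestick, other, pfsense, internet = "192.168.1.50", "192.168.1.20", "192.168.1.1", "52.94.0.10"
    for invert in (True, False):
        print(f"invert={invert}:")
        print("  firestick -> internet :", gateway_for(invert, firestick, internet))
        print("  firestick -> pfSense  :", gateway_for(invert, firestick, pfsense))
        print("  other LAN -> internet :", gateway_for(invert, other, internet))
```

With the invert set, the firestick's DNS and NTP queries to the pfSense address fall through to the stock LAN rule and are delivered locally, while its internet traffic goes out the WAN gateway and every other LAN host still follows the default route through the VPN. Without the invert, the packet addressed to pfSense itself would also be policy-routed to the WAN gateway, which is exactly the breakage viragomann describes.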
                        DrJon:

                        I have noticed that randomly the routing and rule setup I used in this seems to not be working as it should. Namely, the rule for the firestick bypassing the VPN for the most part works, but sometimes it doesn't. I'm not sure why or what I can do to fix it.

                          viragomann:

                          How did you determine this?
                          What is the real problem?

                          If you think the rule isn't applied, enable logging in all rules on that interface and also the logging of the default block rule in Status > System Logs > Settings.
                          Then look in the log to see which rules were applied to upstream traffic from the firestick.

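Reading the firewall log by eye gets tedious when the problem is intermittent, so here is an added example (not part of the thread or of pfSense) that does the check viragomann suggests over a saved log: for every logged upstream packet from the firestick it counts which rule tracker and action handled it, and lists the packets that were not handled by the bypass rule. The CSV field order it assumes is my reading of pfSense's IPv4 filterlog layout; verify it against one line of your own log before trusting the column positions. The log lines, tracker IDs, interface name and addresses are all constructed.

```python
"""Summarise which firewall rules handled traffic from one LAN host.

Added example, not pfSense code. Parses the filterlog lines pfSense writes
when rule logging is enabled and reports, per source host, which rule
tracker and action handled each packet. The field positions below are an
assumption about pfSense's IPv4 filterlog CSV layout; IPv6 lines use a
different layout and are skipped. All sample data is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: em0 is the LAN interface, 192.168.1.50 the firestick,
# 192.168.1.1 the pfSense LAN address. Tracker 1770000001 stands in for the
# firestick bypass rule, 1770000002 for the stock "LAN to any" rule and
# 1770000003 for the logged default block (placeholder values, not real IDs).
SAMPLE_LOG = """\
Mar 10 12:00:01 pfSense filterlog[43567]: 5,,,1770000001,em0,match,pass,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.1.50,52.94.0.10,51000,443,0,S,1:1,,,
Mar 10 12:00:02 pfSense filterlog[43567]: 5,,,1770000001,em0,match,pass,in,4,0x0,,64,1235,0,none,17,udp,62,192.168.1.50,8.8.8.8,51001,53,42
Mar 10 12:00:03 pfSense filterlog[43567]: 6,,,1770000002,em0,match,pass,in,4,0x0,,64,1236,0,none,17,udp,62,192.168.1.50,192.168.1.1,51002,53,42
Mar 10 12:00:04 pfSense filterlog[43567]: 6,,,1770000002,em0,match,pass,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.1.20,52.94.0.10,51003,443,0,S,1:1,,,
Mar 10 12:00:05 pfSense filterlog[43567]: 9,,,1770000003,em0,match,block,in,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.50,52.94.0.11,51004,443,0,S,1:1,,,
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")

# Assumed IPv4 field order: rulenr,subrulenr,anchor,tracker,realint,reason,
# action,dir,ipver,tos,ecn,ttl,id,offset,flags,protoid,protoname,length,
# srcip,dstip[,srcport,dstport,...]
def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields this example uses, or None for non-IPv4 or unparseable lines."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["dport"] = f[21]
    return rec


def records_from(text: str, src_ip: str, direction: str = "in") -> List[Dict[str, str]]:
    """Parsed records for packets entering the firewall from src_ip."""
    return [r for r in (parse_line(l) for l in text.splitlines())
            if r and r["src"] == src_ip and r["dir"] == direction]


def rules_hit(text: str, src_ip: str) -> Counter:
    """Count (tracker, action) pairs for upstream packets from src_ip."""
    return Counter((r["tracker"], r["action"]) for r in records_from(text, src_ip))


def not_handled_by(text: str, src_ip: str, expected_tracker: str,
                   allowed_dsts: Tuple[str, ...] = ()) -> List[Tuple[str, str, str, Optional[str]]]:
    """Packets from src_ip that the expected (bypass) rule did NOT handle.

    Destinations in allowed_dsts, such as the firewall's own address that the
    inverted rule deliberately excludes, are not reported.
    """
    return [(r["tracker"], r["action"], r["dst"], r.get("dport"))
            for r in records_from(text, src_ip)
            if r["tracker"] != expected_tracker and r["dst"] not in allowed_dsts]


if __name__ == "__main__":
    print(rules_hit(SAMPLE_LOG, "192.168.1.50"))
    print(not_handled_by(SAMPLE_LOG, "192.168.1.50", "1770000001", allowed_dsts=("192.168.1.1",)))
```

On the constructed sample the bypass rule handled two packets, the stock LAN rule handled the DNS query to pfSense (expected, because of the invert), and one connection to the internet was caught by the default block instead of the bypass rule; that last entry is the kind of line worth chasing when the bypass only works "for the most part". To run it on a real log, replace SAMPLE_LOG with the text of the exported filter log and the tracker ID with the one shown for the bypass rule in your own log.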
                            DrJon @viragomann:

                            @viragomann thanks, will do.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.