Netgate Discussion Forum

    VPN policy routing

    OpenVPN
    4 Posts 3 Posters 790 Views

      Stan

      I recently installed a PIA VPN using OpenVPN and ran into issues that have been resolved, but I don't understand why. Maybe my pfSense is mis-configured.

      Context: I have several VLANs and want to run some of the devices in some of the VLANs through the VPN.
      I added an interface for OpenVPN named PIA, and in Firewall/NAT/Outbound added the PIA interface only for the VLANs for which I wanted to direct traffic to the VPN.

      The first issue was that I couldn't access other VLANs from my main VLAN. Without the VPN rule, the “Default allow LAN to any rule” (which does not use the Advanced settings) did permit unrestricted access to other VLANs. However, when I added a similar rule for VPN (“anys” all the way across but with the advanced setting under Gateway for the PIA interface) above the Default rule, I wasn’t able to access other VLANs. To solve that problem, I had to add a firewall rule in my main network to permit access to other VLANs (e.g., 192.168.0.0/16). I don't understand why the VPN rule similar to the Default allow LAN to any rule would behave so differently.

      Also, the traffic from all devices on all of the VLANs was routed to the VPN, even from the VLANs for which I had not added the PIA interface under Firewall/NAT/Outbound. To fix that, I had to modify the “Default allow LAN to any rule” for all of my subnets. I needed to get into the advanced settings and specify the WAN interface under Gateway. That is normally set to default, but I had already set WAN as the default interface under System/Routing/Gateways, so that wasn’t enough. This is unexpected and seems counter-intuitive.

      I’m relatively new to pfSense, so maybe I've mis-configured something. If so, I'm anxious to know how to properly configure the router. If my configuration is appropriate, I wonder whether modifications could be made so that the policy routing could be more intuitive or if additions to the documentation could make things easier.

        viragomann @Stan

        @stan
        If you state a gateway in a firewall rule, it directs all the traffic which matches to that gateway (policy routing).
        The parameters for matching are: interface, protocol, source address, source port, destination address, destination port.

        So I assume the traffic to the other subnet might be matched, since the rule allows any destination.
        You either have to make sure that the rule doesn't match internal traffic, or place a rule for internal traffic at the top.
        In both cases you need to restrict the destination. This can be done by an alias containing different networks to be applied in the rule.
        I use an alias containing all RFC 1918 networks, i.e. only private networks. So you could use this alias in your policy routing rule as destination while checking "invert". This means the rule only matches traffic destined to addresses which do not belong to the RFC 1918 alias. So since your internal networks should be part of RFC 1918, the rule doesn't match internal destinations.

        The other part of your problem: when the gateway in the rule is set to "Default", it means the traffic is routed according to the routing table (to the default gateway or a static route). Only this option allows internal traffic w/o passing a gateway.

        The VPN provider usually pushes the default route to the clients. So if you are connected, it sets the default gateway to the OpenVPN server. Since you are missing the outbound NAT rules for the other networks, accessing internet resources did not work.
        To avoid that, check "Don't pull routes" in the client settings.

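The first-match behaviour described in this answer is the whole story behind Stan's problem, so here is a small model of it. This is an added example, not code from the thread or from pfSense: it simulates pfSense's top-down, first-match evaluation of interface rules with a per-rule gateway, using only source and destination addresses (protocol and ports are ignored). The VLAN ranges, the alias and rule names, and the sample addresses are all constructed for illustration.

```python
"""Toy model of pfSense first-match firewall rules with policy routing.

Added example, not from the forum thread or from pfSense. Rule names,
alias contents, VLAN ranges and sample addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed alias holding all RFC 1918 ranges, as viragomann describes.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]

VLAN10 = ip_network("192.168.10.0/24")   # constructed "main" VLAN


@dataclass
class Rule:
    name: str
    src: IPv4Network                 # rule's source network (the VLAN)
    dst: List[IPv4Network]           # destination alias
    invert_dst: bool = False         # pfSense "Invert match" on the destination
    gateway: Optional[str] = None    # None means "Default": follow the routing table

    def matches(self, src_ip, dst_ip) -> bool:
        if src_ip not in self.src:
            return False
        in_alias = any(dst_ip in net for net in self.dst)
        # With invert checked the rule matches only when dst is NOT in the alias.
        return in_alias != self.invert_dst


def decide(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (name of the matching rule, where the packet is sent).

    pfSense interface rules are first-match ("quick"), so the topmost
    matching rule wins and its gateway setting decides the path.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(s, d):
            return r.name, (r.gateway or "routing table")
    return "no match", "blocked"


def ruleset(invert_rfc1918: bool, default_rule_gateway: Optional[str]) -> List[Rule]:
    """The two rules from the thread: VPN rule on top, catch-all rule below."""
    vpn_dst = RFC1918 if invert_rfc1918 else ANY
    return [
        Rule("VPN via PIA", VLAN10, vpn_dst, invert_dst=invert_rfc1918, gateway="PIA"),
        Rule("Default allow LAN to any", VLAN10, ANY, gateway=default_rule_gateway),
    ]


def scenario_original():
    # Stan's first attempt: destination "any" with gateway PIA captures inter-VLAN traffic.
    return decide(ruleset(False, None), "192.168.10.5", "192.168.20.5")


def scenario_inverted_alias():
    # Inverted RFC 1918 alias: internal traffic falls through to the routing table.
    return decide(ruleset(True, None), "192.168.10.5", "192.168.20.5")


def scenario_inverted_alias_internet():
    # Public destination still goes out via the VPN gateway.
    return decide(ruleset(True, None), "192.168.10.5", "203.0.113.10")


def scenario_default_rule_pinned_to_wan():
    # Stan's second problem: catch-all rule pinned to WAN breaks inter-VLAN traffic.
    return decide(ruleset(True, "WAN"), "192.168.10.5", "192.168.20.5")


if __name__ == "__main__":
    for fn in (scenario_original, scenario_inverted_alias,
               scenario_inverted_alias_internet, scenario_default_rule_pinned_to_wan):
        print(f"{fn.__name__:40s} -> {fn()}")
```

Running the script shows the four cases side by side: the original "any" rule sends 192.168.10.5 to 192.168.20.5 via PIA, the inverted alias lets that traffic reach the routing table while 203.0.113.10 still goes via PIA, and pinning the catch-all rule to WAN reproduces the inter-VLAN breakage Stan saw, because a rule with any explicit gateway never consults the routing table.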
          Stan @viragomann

          @viragomann:

          You're the best. Responsive and knowledgeable.

          The thing I didn't understand is that selecting a gateway in the rule other than Default directs all matching traffic only to that gateway, unlike where the default gateway choice is left alone. I added the inverse destination you suggested.

          That didn't work for internal traffic at first, but then I realized that I'd selected the WAN gateway in the following Default allow any to LAN rule, and so that prevented interLAN traffic. (I had done that for all VLANs in order to enable access to the internet for those without the additional NAT rules.)

          So I selected the "Don't pull routes" option in the OpenVPN client definition and then changed the gateway in the Default allow any to LAN rule to Default. I've deleted the additional rule above the VPN rule that allowed access to other subnets. This is more elegant, and things seem to be working.

          Thanks again.

            moelassus @viragomann

            @viragomann

            Thanks for this explanation. I was having similar challenges and checking "Don't Pull Routes" fixed my issue.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.