Ip "free outbound" from NordVPN

dominusdj

Hi everyone, I followed the instructions from the NordVPN site to set up the VPN directly on the firewall to "protect" all traffic on my home network.

For info on the procedure I followed:
https://support.nordvpn.com/Connectivity/Router/1089079142/pfSense-2-4-4-setup-with-NordVPN.htm

But now I find the SKY decoder that no longer allows the download of the films (I could not understand why)

At this point I would like to create a rule to let the decoder out of sky directly, without going through NordVPN.

Is anyone kind enough to help me on the rule to create on pfSense?

Thank you all!

viragomann

@dominusdj said in Ip "free outbound" from NordVPN:

But now I find the SKY decoder that no longer allows the download of the films (I could not understand why)

Presumably they don't like NordVPN likewise most other VPN providers.

You need to add a policy routing rule to direct the upstream traffic from the box out to the WAN.
Since I guess, it need to access different IPs, best way is to add an alias of type IP/network (Firewall > Aliases > IP) and add all RFC 1918 networks to it, call it RFC1918.

Then add a pass rule to the top of the interface which is facing to the box:
protocol: TCP/UDP (presumably)
source: single host or alias > IP of the box
destination: single host or alias > RFC1918
Expand the advanced options, go down to Gateway and select the WAN gateway from the drop-down
Save the rule.

Should work after then.

dominusdj

@viragomann tanks a lot for fast reply!!!

I added a new alias called RFC1918 but

I can't undestand which is the second menu I have to open to add the pass rule, probabily in rules?

Do I need to add a new DNS to not use NordVPN's to match the WAN?

Thanks a lot and sorry for my inexperience

viragomann

Yes, a filter rule like that.

@dominusdj said in Ip "free outbound" from NordVPN:

Do I need to add a new DNS to not use NordVPN's to match the WAN?

That might be an issue. It could end in DNS leaking, when DNS requests are going out to the VPN.

If you have no need to filter the DNS of the box, the easiest way is to use a public DNS on that device.
The filter rule would direct it out to WAN, but you have the change the protocol to TCP/UDP.

dominusdj

@viragomann there something wrong.
Doesn't work

For DNS, ok I have added manual google DNS on SKY decoder.

It is really strange because I see the preview of the movie covers on the SKY decoder but only the download not works

viragomann

@dominusdj
At destination you have to enter the alias name!

dominusdj

@viragomann thit is Alias:

and this is the setting rule

viragomann

@dominusdj
The RFC1918 (private networks) alias should look like this:

But something that I had forgotten: You have to check the invert box at destination!

This means the rule is applied to any destination which is not contained in the stated alias. I.e. all public IPs (not private).

dominusdj

I`m so sorry but not work

viragomann

@dominusdj
Possibly there is still a connection over the VPN open.
You can try to kill the states (Diagnostic > States).

It should work. Is the rule still on the top of the rule set? Are there any rules on the floating tab?

viragomann

@dominusdj
Dude, you have to add the rule to the internal interface!!!

@viragomann said in Ip "free outbound" from NordVPN:

Then add a pass rule to the top of the interface which is facing to the box:

dominusdj

@viragomann said in Ip "free outbound" from NordVPN:

Dude, you have to add the rule to the internal interface!!!

Thank you very much, it had escaped me, now everything works perfectly.
You were too kind!

Thanks again