Only send certain port through VPN
-
I've got a topology that is simply: modem -> pfsense box -> devices.
I have OpenVPN set up (ExpressVPN), and when I check my public IP address, it correctly comes up as my VPN.
However, I want to modify it so that only TCP/UDP ports 999-1000 (just an example) go through the VPN interface, and the rest of the traffic goes through my ISP address.
How can I do this, and how can I test that it is in fact working?
I THINK I set it up, but I am not sure how to verify. So I'm hoping someone can point me in the right direction as far as what needs to be configured to get this all done. (firewall rules, NAT, port forwarding, etc.)
And once I do set it up, how can I verify that the port(s) I have open are accessing the internet with my VPN IP address?
Thanks in advance for any help.
-
@rsherga
In the OpenVPN client settings check "Don't pull routes" to permit the client to set the default route. Assign an interface to the VPN client instance and enable it if you didn't already.
Then add a policy routing firewall rule to the internal interface. Enter the source IP or an alias for multiple if you want to specify. At destination leave the address at any and enter the destination port range.
Expand the advanced options and select the VPN gateway.
Put this rule at the top of the rule set so that it matches first. I assume your outbound NAT is already set to work with the VPN.
To verify that the packets go out on the VPN interface, you can sniff the traffic using the packet capture tool on pfSense, while you try a connection to the concerned ports.
To ensure that nothing goes out to WAN you can add a floating block rule for direction out with Quick checked and state the ports in question.
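As an added example (not from the thread, and not pfSense's own code), a small Python check for the packet-capture step: it reads `tcpdump -n` output captured on the VPN client interface and on WAN, reports any packet on the chosen port range that went out via WAN (a leak) and, going slightly beyond the thread, any traffic on the VPN interface outside the range (the policy rule is wider than intended). The interface names ovpnc1 and em0 and the capture lines are constructed assumptions.

```python
import re
from collections import namedtuple

# Matches "tcpdump -n" IPv4 lines for TCP and UDP, e.g.
#   12:00:01.000001 IP 10.8.0.6.51234 > 203.0.113.10.999: Flags [S], ...
#   12:00:02.000001 IP 10.8.0.6.51235 > 203.0.113.10.1000: UDP, length 12
LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                     r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$")
Packet = namedtuple("Packet", "src sport dst dport proto")

def parse_line(line):
    """One tcpdump line -> Packet, or None for lines the regex does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = "udp" if m.group("rest").startswith("UDP") else "tcp"
    return Packet(m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), proto)

def audit(captures, vpn_iface, wan_iface, port_range):
    """captures: {interface: [tcpdump lines]}. A packet belongs to the policy-routed
    range if its destination port (outbound) or source port (reply) is inside it."""
    lo, hi = port_range
    leaked, misrouted = [], []
    for iface, lines in captures.items():
        for pkt in filter(None, map(parse_line, lines)):
            in_range = lo <= pkt.dport <= hi or lo <= pkt.sport <= hi
            if iface == wan_iface and in_range:
                leaked.append(pkt)       # went out via the ISP instead of the VPN
            elif iface == vpn_iface and not in_range:
                misrouted.append(pkt)    # policy rule is wider than intended
    return {"leaked": leaked, "misrouted": misrouted,
            "ok": not leaked and not misrouted}

# Constructed sample captures (not real traffic). Interface names are
# assumptions: ovpnc1 for the OpenVPN client instance, em0 for WAN.
SAMPLE = {
    "ovpnc1": [
        "12:00:01.000001 IP 10.8.0.6.51234 > 203.0.113.10.999: Flags [S], seq 1, win 64240, length 0",
        "12:00:01.000500 IP 203.0.113.10.999 > 10.8.0.6.51234: Flags [S.], seq 0, ack 2, win 65535, length 0",
        "12:00:02.000001 IP 10.8.0.6.51235 > 203.0.113.10.1000: UDP, length 12",
    ],
    "em0": [
        "12:00:03.000001 IP 198.51.100.7.51236 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0",
        "12:00:04.000001 IP 198.51.100.7.51237 > 203.0.113.10.1000: UDP, length 12",  # the leak
    ],
}
```

Feed it the text of two captures (Diagnostics > Packet Capture on each interface, or `tcpdump -n -i <iface>` from the shell) taken while you make connections to the ports in question; an empty `leaked` list means nothing on that range left via WAN.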