Netgate Discussion Forum
    No lan to wan after installing openvpn package...

    General pfSense Questions
      JimS

      Just getting started with pfsense. pfsense was set up by someone else and basic traffic was passed from lan to wan. I installed openvpn client and have it connected to a VPS with openvpn server which works to give me access to local network (behind CGNAT). However it seems to have broken my access to the internet on wan port. There is a rule to pass traffic from lan to wan, any protocol. Source is lan net, dest is wan net. But logs show traffic is blocked.

        JKnott @JimS

        @jims

        One of the options is to force all client traffic through the VPN. Have you enabled that?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          stephenw10 Netgate Administrator

          What is actually shown in the firewall logs?

            JimS @stephenw10

            @stephenw10 Firewall shows lan interface Default deny rule IPv4 source is my pc, destination is ip of pfsense lan port.

              stephenw10 Netgate Administrator

              Destination WANnet does not include the LAN IP. Or anything outside the actual WAN subnet.
              That's probably not the rule you want. Let's see a screenshot of your LAN rules. The default anti-lockout rule should pass that.

              Steve

                JimS @stephenw10

                @stephenw10 Lan rules. lanrules.PNG

                  JimS @JimS

                  @jims I changed destination from wan to any and it is working. Can someone explain why wan doesn't work?

                    JimS @JimS

                    @jims And if I have an openvpn port how does the lan traffic get directed to the wan port instead of the openvpn connection?

                      stephenw10 Netgate Administrator

                      The system aliases for each interface (LANnet, WANnet etc) are only the actual interface subnet.

                      So often your ISP will provide your WAN IP and subnet something like 1.2.3.4/29 or maybe only a single IP if it's a PPP connection. WAN net is only the IPs in that /29.

                      It's a common mistake with new users because many other firewalls with zone based filtering use the WAN 'zone' to mean the entire internet.

                      Traffic routing from LAN via WAN or OpenVPN would depend on the system routing tables since the LAN rules do not have any policy based routing on them (a gateway set).
                      The system routing tables are usually updated by the OpenVPN client when it connects based on whatever the server passes it. Most commercial providers will pass a new default route. Often that's undesirable so you can set the OpenVPN client to ignore routes passed to it and use policy based routing instead. That's what I do.

                      Steve

                      1 Reply Last reply Reply Quote 0
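Added example, not part of any post in this thread and not pfSense code: a simplified Python model of the alias behaviour described in the last reply, showing why a LAN rule with destination "WAN net" falls through to the default deny while destination "any" passes. The WAN address 1.2.3.4/29 is the one used in the thread; the LAN subnet, the client address and the test destinations are constructed assumptions, and ports, protocols and the anti-lockout rule are not modelled.

```python
import ipaddress

# WAN 1.2.3.4/29 is the example from the thread.
# LAN 192.168.1.1/24 is a constructed value for illustration.
INTERFACES = {
    "WAN": ipaddress.ip_interface("1.2.3.4/29"),
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
}

DEFAULT_DENY = "block (default deny)"

def alias(name):
    """Expand 'any' or '<IF> net' to a network object.

    '<IF> net' is only the subnet configured on that interface,
    not everything reachable through it.
    """
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return INTERFACES[name.split()[0]].network

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls to the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if src in alias(rule_src) and dst in alias(rule_dst):
            return action
    return DEFAULT_DENY

# Rule as first described in the thread, and after the change to "any".
ORIGINAL = [("pass", "LAN net", "WAN net")]
FIXED = [("pass", "LAN net", "any")]

# Constructed test traffic from a LAN client (hypothetical 192.168.1.50).
CLIENT = "192.168.1.50"
DESTINATIONS = {
    "firewall LAN IP": "192.168.1.1",
    "host inside the WAN /29": "1.2.3.5",
    "host on the internet": "8.8.8.8",
}

def compare():
    """Return {label: (result with ORIGINAL, result with FIXED)}."""
    return {label: (evaluate(ORIGINAL, CLIENT, ip), evaluate(FIXED, CLIENT, ip))
            for label, ip in DESTINATIONS.items()}

if __name__ == "__main__":
    print("WAN net expands to", alias("WAN net"))
    for label, (before, after) in compare().items():
        print(f"{label:26} WAN net: {before:22} any: {after}")
```
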