Dual-WAN with Policy Routing
-
I have a Dual-WAN setup with pfSense and I have been able so far to direct specific traffic through a specific WAN interface using firewall rules and the Gateway advanced option. This works for traffic coming in on the LAN interface, and also for traffic coming in on the IPsec interface; however, I have not been able to achieve it for traffic coming in on the OpenVPN interface. The NAT configuration is hybrid, so there are automatic rules, and I have also created manual rules to override the automatic rules in these specific cases. According to the documentation, manual rules should have precedence over automatic rules if both match:
So, overall I have two rules:
1. Firewall rule on the OpenVPN interface: matches all traffic from the OpenVPN clients using the OpenVPN network and selects the required gateway.
2. Outbound NAT rule: matches the OpenVPN network and performs source NAT on the packets with the interface IP address of the required gateway.

Nevertheless, the traffic goes out through the other WAN interface, which is the current default gateway. Am I missing something, or will this just not work with OpenVPN for some reason?
-
@knopper said in Dual-WAN with Policy Routing:
So, overall I have two rules:
- On the OpenVPN interface matches all traffic from the OpenVPN clients
On the "OpenVPN" rules tab or did you assign a specific interface to the OpenVPN server?
Is it a client access server, but not a site-to-site, where you want to access the VPN from a network behind the client?
-
Thanks for answering. Yes, it is a Remote Access configuration, not S2S. I forgot to include that I am also utilizing RADIUS-controlled ACLs, so the user connecting is getting a specific ACL configuration. It seems that when the RADIUS server returns ACLs, no other rules which are locally configured on the firewall are evaluated. And indeed, no rule was matched while I tested. As soon as I removed the ACL coming from the RADIUS server, they started to match, and packets started to go out the correct WAN interface. I tested this with an assigned interface for the instance, but I suppose it will work without it too.
Now the question is: will it be possible to achieve this while preserving the ACLs from the RADIUS server, or are these mutually exclusive? I don't think the RADIUS server can pass a rule for policy routing, so it's just a packet filter. If it is not possible, maybe just get rid of the RADIUS ACLs, create another instance of OpenVPN, assign it to an interface and do the filtering there? The idea is to have different ACLs for different user groups.