Routing and one particular subnet.

  • I have a network topology as shown in the enclosed diagram.  The ISP at blocks certain ports, preventing my Outlook from connecting to the Exchange server at [obviously a fictitious address], but Outlook can connect through the ISP at . I test this by bringing my laptop to both locations and it works at one, but not the other.

    Since I have a site to site VPN between the two subnets ( and, I was wondering if it would be possible to have all traffic going to routed through the OpenVPN tunnel and out the internet link @

    They're obviously both pfSense boxes.  Any help on how to do this would be great.


    ![WAN Network Topology.jpg](/public/imported_attachments/1/WAN Network Topology.jpg)

  • You could try putting a static route on with these settings:

  • whoops…


  • Didn't work.

    A traceroute shows it dies after the first hop of the openvpn tunnel.

  • Hmm…
    I've done this in the past but with IPSEC tunnels rather than OpenVPN tunnels. Oh - yeah, that was also on IPcops and not pfSense  ::)
    It really depends where the tunnel entry points are in relation to the static routing of the pfSense. Probably needs somebody with more knowledge of the pfSense routing than I have.

    Can you ping from the console of the pfSense on, or can you only ping it from a machine on the network?

  • I can ping from the LAN interface on just fine.  The WAN doesn't work (obviously) ;)

  • The destination network on the static route should be a /24, not a /32 as I suggested, if you want the whole network to route over the VPN.

    Maybe you need a rule on to allow traffic from .
    Using IPsec there would be a specific IPsec tab on the Firewall Rules page, but I guess there isn't one for OpenVPN?

    Anyone else offer a suggestion?

  • This might be a bit hacky.
    I assume you can already communicate between both sides.

    You need on the side on which it works an advanced outbound NAT rule.
    Create one at the top with source the other subnet and interface WAN.
    With this you allow traffic from your side to be NATed to the internet on the other side.

    Now create a dummy pool under the load balancer.
    Save this, download the config.xml and edit this dummy pool to reflect the tunnel IP of the other side.
    Restore the config.
    On your side, create a new rule on the firewall LAN tab with the IP(s) you want redirected as destination and your new load balancer pool as gateway.

    (sorry, writing on iPhone… If you don't understand the part with the pool editing and config.xml, search the forum for this. I explain it better elsewhere)
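The config.xml step in the post above, as an added example that is not part of the thread: a small Python script that rewrites the gateway entry of the dummy load balancer pool so it points at the far side's tunnel IP, with a sanity check on the address before the file is restored. The element names (`load_balancer`/`lbpool`/`name`/`servers`), the `interface|ip` server format, the pool name `vpnpool` and the tunnel IP `10.0.8.2` are assumptions for illustration; verify them against your own exported config.xml.

```python
# Added example, not pfSense project code.
# ASSUMPTION: element names and the "interface|ip" server format follow the
# pfSense 1.2-era config.xml layout; check your own export before restoring it.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragment, not a real export.
SAMPLE_CONFIG = """<pfsense>
  <load_balancer>
    <lbpool>
      <type>gateway</type>
      <name>vpnpool</name>
      <desc>dummy pool for policy routing over the VPN</desc>
      <servers>wan|192.0.2.1</servers>
    </lbpool>
  </load_balancer>
</pfsense>"""


def retarget_pool(config_xml: str, pool_name: str, interface: str, tunnel_ip: str) -> str:
    """Return config_xml with the named pool's server entry set to interface|tunnel_ip."""
    ipaddress.ip_address(tunnel_ip)  # reject a typo before it reaches the firewall
    root = ET.fromstring(config_xml)
    pools = [p for p in root.iter("lbpool") if p.findtext("name") == pool_name]
    if len(pools) != 1:
        raise ValueError(f"expected exactly one pool named {pool_name!r}, found {len(pools)}")
    servers = pools[0].find("servers")
    if servers is None:
        raise ValueError("pool has no <servers> element")
    servers.text = f"{interface}|{tunnel_ip}"
    return ET.tostring(root, encoding="unicode")


def pool_servers(config_xml: str, pool_name: str) -> str:
    """Read back the server entry of the named pool (used to verify the edit)."""
    root = ET.fromstring(config_xml)
    for p in root.iter("lbpool"):
        if p.findtext("name") == pool_name:
            return p.findtext("servers") or ""
    raise KeyError(pool_name)


if __name__ == "__main__":
    # 10.0.8.2 is a constructed tunnel IP for the far side of the OpenVPN link.
    new_cfg = retarget_pool(SAMPLE_CONFIG, "vpnpool", "wan", "10.0.8.2")
    print(pool_servers(new_cfg, "vpnpool"))
```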
