Netgate Discussion Forum

    Selective VPN Routing

    OpenVPN
    11 Posts 3 Posters 1.1k Views
    • Bob.Dig @Hudson 1

      @Hudson-1 Set 8.8.4.4 as your monitoring address for the VPN gateway; is it working? And show your LAN rules.
    • Hudson 1 @Bob.Dig

      @Bob-Dig Thanks for your reply!

      The forum keeps flagging my reply as spam...

      Here are my LAN rules:
      [image: LAN_RULES_1.png]
    • Hudson 1

      I'm not sure what is getting flagged as spam in my reply. It's infuriating. Here is a highly abbreviated version of my original response.

      Setting that monitoring IP and checking Status > Gateways shows the VPN gateway as "Pending". Previously, it showed "Offline, packetloss 100%". That didn't concern me because the WAN gateway and one of my work VPN gateways showed the same. The other work VPN gateway shows "Online".

      I had followed the <VPN Vendor>'s guide for setting up their client in pfSense. However, I had to remove 'comp-lzo' from their recommended "Custom Settings" string in order to establish the connection due to compression warnings/errors.
    • Bob.Dig @Hudson 1

      @Hudson-1 said in Selective VPN Routing:

      Setting that monitoring IP and checking Status > Gateways shows the VPN gateway as "Pending". Previously, it showed "Offline, packetloss 100%". That didn't concern me because the WAN gateway and one of my work VPN gateways showed the same. The other work VPN gateway shows "Online".

      But it shouldn't if you use Google's DNS server as monitoring address. So there is already your problem; your rules look ok.
    • Hudson 1 @Bob.Dig

      @Bob-Dig Looking further into the Gateway settings, I decided to clear that Google address and check the box for "Disable Gateway Monitoring Action". That worked! My phone, which is in the VPN hosts alias, now looks like it's coming from the VPN when hitting a "show me my IP and location" site.
    • Bob.Dig @Hudson 1

      @Hudson-1 said in Selective VPN Routing:

      That worked!

      Sure, do what you want... 😀
    • Hudson 1

      I would like to understand why the gateway looks down, or pending, when using an outside IP. I'd rather get it working properly, but at least now my wife can stream the Rugby World Cup on the TV.

      Thinking about it, I had trouble initially with my work1 setup too, which is what led me to put the remote subnets into the client configuration. I would prefer to get this set up where, instead of blocking unauthorized clients, I'm instead flagging good traffic and routing it out the proper gateway, more like what's happening with this commercially provided VPN. (I think the spam filter doesn't want me mentioning them by name.)
    • viragomann @Hudson 1

      @Hudson-1 said in Selective VPN Routing:

      I have configured NAT > Outbound rules such that source traffic from express_vpn_clients that is not destined for rfc1918 networks can be translated through the ExpressVPN connection

      I guess that was your fault.
      This NAT rule only covers connections from the IPs in the alias, but not from pfSense itself. So the ping fails.
      So either set the source to any or add an additional rule for pfSense.

      There is no need to limit the source in this rule. You can far better control access with filter rules.

      Also, the RFC1918 alias as destination does not really make much sense. Your firewall rule should ensure that only non-RFC1918 destinations can go out on this interface.
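An added illustration of the point in viragomann's post above (example code written for this page, not from anyone in the thread and not pfSense's own code): a small Python model of first-match outbound NAT evaluation that shows why a rule restricted to the client alias translates the phone's traffic but not the firewall's own gateway-monitor ping. Assumptions: the OpenVPN client interface is named ovpnc1, the monitor probe leaves with a loopback source (which is what the 127.0.0.0/8 NAT rule mentioned later in the thread would cover), and the alias and host addresses are constructed sample values.

```python
import ipaddress

# Constructed sample tables (not from the thread); express_vpn_clients is the
# alias name used in the thread, the phone address is made up.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPRESS_VPN_CLIENTS = [ipaddress.ip_network("192.168.1.50/32")]  # the phone
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8")]                  # pfSense itself
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def nat_rule(src, dst, dst_negate, out_if):
    """One outbound NAT rule: source nets, destination nets, whether the
    destination match is negated ("not RFC1918"), and the NAT interface."""
    return {"src": src, "dst": dst, "dst_negate": dst_negate, "out_if": out_if}

def in_tables(addr, nets):
    return any(addr in n for n in nets)

def outbound_nat(rules, src_ip, dst_ip):
    """First matching rule wins, as with pf nat rules; returns the interface the
    packet is translated to, or None when nothing matches (no translation)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        dst_hit = in_tables(dst, r["dst"]) != r["dst_negate"]
        if in_tables(src, r["src"]) and dst_hit:
            return r["out_if"]
    return None

# Rule set as described in the thread: alias source, non-RFC1918 destination.
ALIAS_ONLY = [nat_rule(EXPRESS_VPN_CLIENTS, RFC1918, True, "ovpnc1")]
# The same plus the extra 127.0.0.0/8 rule for the firewall itself.
WITH_LOOPBACK = ALIAS_ONLY + [nat_rule(LOOPBACK, ANY, False, "ovpnc1")]
# viragomann's alternative: source any, restrict destinations with filter rules.
SOURCE_ANY = [nat_rule(ANY, ANY, False, "ovpnc1")]

def monitor_probe(rules, monitor_ip="8.8.8.8"):
    """Gateway monitor ping sent by pfSense itself (assumed loopback source)."""
    return outbound_nat(rules, "127.0.0.1", monitor_ip)

if __name__ == "__main__":
    for name, rules in (("alias only", ALIAS_ONLY), ("with loopback", WITH_LOOPBACK),
                        ("source any", SOURCE_ANY)):
        print(f"{name:14s} phone->1.1.1.1: {outbound_nat(rules, '192.168.1.50', '1.1.1.1')}"
              f"  monitor probe: {monitor_probe(rules)}")
```

With only the alias rule the probe is left untranslated (None) while the phone is translated, which is the "Offline"/"Pending" symptom the thread describes; either extra rule set makes the probe go out ovpnc1 as well.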
    • Hudson 1 @viragomann

      @viragomann I didn't mention it previously, but I do have another NAT > Outbound rule to translate from 127.0.0.0/8 to the VPN.

      This is the same setup as on the two work-related VPNs as well.
    • viragomann @Hudson 1

      @Hudson-1
      So I expect that pings to public IPs are working.
      However, 8.8.8.4 is not good advice. The server obviously doesn't respond to ping requests. Try 8.8.8.8 instead.
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.