Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Issue with Routing Around Work VPN

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      ResIpsa
      last edited by

      I am running pfSense 2.0 with multiple subnets.  I have 3 local subnets: BLUE, GREEN, and RED, each of which is on a separate NIC.  RED is used to connect my web server to the outside world via forwarded ports 80 and 443.  GREEN is where most of my machines live and BLUE is used for things like my work laptop, guest access, etc.

      I access a web application running on my web server (RED interface) both locally and remotely.  For local access I have a DNS override that points to the web server's local address on the RED subnet.  This works fine for local access from both my GREEN subnet and my BLUE subnet, including from my work laptop on the BLUE subnet without the VPN enabled.

      But, when I am connected to my work VPN any attempts to access the web application redirect to the firewall login page.  Likewise, I cannot connect to my print server, which is also on the BLUE subnet, when the VPN is active.  I think that the work VPN routes everything but traffic within the subnet that I am connected to.

      So, the bottom line is, how do I make these network resources that are on my GREEN and RED subnets appear as if they are on the BLUE subnet so that they are still accessible when I am connected to my work VPN?

      1 Reply Last reply Reply Quote 0
      • Cry HavokC
        Cry Havok
        last edited by

        You've got a couple of options. The correct one is to talk to your work to find out what their restrictions are to ensure that you don't find yourself unemployed.

        Otherwise, once the VPN is up you can create static routes for the local networks, though depending on how the VPN is configured (such as refreshing the routes every minute) you may find that it doesn't work for long.

        1 Reply Last reply Reply Quote 0
        • R
          ResIpsa
          last edited by

          My work laptop is heavily locked down so I am unable to create static routes.  Any workarounds will have to come from routing on my firewall.

          Is there a way to route traffic to a BLUE IP address to my GREEN interface?  Would it simply be an internal NAT?

          1 Reply Last reply Reply Quote 0
          • Cry HavokC
            Cry Havok
            last edited by

            Once you start the VPN the firewall has no say in anything - all traffic is most likely tunnelled across the VPN by default. If you want to do anything you're going to have to talk to your work.

            1 Reply Last reply Reply Quote 0
            • R
              ResIpsa
              last edited by

              I know that traffic within my subnet is not routed across the VPN.  So, can I use an internal NAT to route traffic to another subnet via an IP address on my subnet?

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Since you are met with the pfSense login page you might try using NAT reflection instead of local DNS overide. You have nothing to loose.
                Also try running a traceroute to your server under various conditions.

                Speculation: When you run the VPN client it connects to your work VPN server and is handed IP details including gateway and remote DNS servers. That becomes the default route on your laptop. You can still connect to your local subnet since that is in the local routing table. When you then try to access your server (on RED) by URL the remote DNS servers hand back the WAN IP of your pfSense box. Here's the part I don't fully understand, your laptop then tries to access the WAN IP but it somehow already has a route to it via your local LAN. Trying to access the WAN IP fro the LAN side of pfSense brings up the login. NAT reflection should take care of that for you. Why it doesn't get routed out through the VPN I'm not really sure. Perhaps it does and the resulting strange circular route is what is causing the problem. Traceroute should show that.

                Steve

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.