Issue with Routing Around Work VPN

  • I am running pfSense 2.0 with multiple subnets.  I have 3 local subnets: BLUE, GREEN, and RED, each of which is on a separate NIC.  RED is used to connect my web server to the outside world via forwarded ports 80 and 443.  GREEN is where most of my machines live and BLUE is used for things like my work laptop, guest access, etc.

    I access a web application running on my web server (RED interface) both locally and remotely.  For local access I have a DNS override that points to the web server's local address on the RED subnet.  This works fine for local access from both my GREEN subnet and my BLUE subnet, including from my work laptop on the BLUE subnet without the VPN enabled.

    But, when I am connected to my work VPN any attempts to access the web application redirect to the firewall login page.  Likewise, I cannot connect to my print server, which is also on the BLUE subnet, when the VPN is active.  I think that the work VPN routes everything but traffic within the subnet that I am connected to.

    So, the bottom line is, how do I make these network resources that are on my GREEN and RED subnets appear as if they are on the BLUE subnet so that they are still accessible when I am connected to my work VPN?

  • You've got a couple of options. The correct one is to talk to your work to find out what their restrictions are to ensure that you don't find yourself unemployed.

    Otherwise, once the VPN is up you can create static routes for the local networks, though depending on how the VPN is configured (such as refreshing the routes every minute) you may find that it doesn't work for long.

  • My work laptop is heavily locked down so I am unable to create static routes.  Any workarounds will have to come from routing on my firewall.

    Is there a way to route traffic to a BLUE IP address to my GREEN interface?  Would it simply be an internal NAT?

  • Once you start the VPN the firewall has no say in anything - all traffic is most likely tunnelled across the VPN by default. If you want to do anything you're going to have to talk to your work.

  • I know that traffic within my subnet is not routed across the VPN.  So, can I use an internal NAT to route traffic to another subnet via an IP address on my subnet?

  • Netgate Administrator

    Since you are met with the pfSense login page you might try using NAT reflection instead of local DNS override. You have nothing to lose.
    Also try running a traceroute to your server under various conditions.

    Speculation: When you run the VPN client it connects to your work VPN server and is handed IP details including gateway and remote DNS servers. That becomes the default route on your laptop. You can still connect to your local subnet since that is in the local routing table. When you then try to access your server (on RED) by URL the remote DNS servers hand back the WAN IP of your pfSense box. Here's the part I don't fully understand, your laptop then tries to access the WAN IP but it somehow already has a route to it via your local LAN. Trying to access the WAN IP from the LAN side of pfSense brings up the login. NAT reflection should take care of that for you. Why it doesn't get routed out through the VPN I'm not really sure. Perhaps it does and the resulting strange circular route is what is causing the problem. Traceroute should show that.
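Added example, not part of the thread and not pfSense or Netgate code: a small Python model of the laptop's route selection, which is the mechanism both the static-route reply and the speculation above rely on. It parses `ip route show`-style lines, does longest-prefix match with a metric tie-break, and shows why the BLUE subnet stays reachable while GREEN, RED and the pfSense WAN address fall into the tunnel once a full-tunnel VPN is up, and what adding the static routes suggested in the second reply would change. The route tables, addresses (BLUE 192.168.2.0/24, GREEN 192.168.3.0/24, RED 192.168.1.0/24, WAN 203.0.113.10, VPN endpoint 198.51.100.5), interface names and the two /1 routes that many full-tunnel clients use to override the default route are all constructed assumptions for illustration, not facts taken from the thread.

```python
import ipaddress

# Constructed sample: a laptop on BLUE (192.168.2.0/24) before the VPN is up.
ROUTES_NO_VPN = """\
default via 192.168.2.1 dev wlan0 proto dhcp metric 600
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.50 metric 600
"""

# Constructed sample: the same laptop after a full-tunnel VPN client connects.
# 0.0.0.0/1 + 128.0.0.0/1 together cover everything and are more specific than
# the DHCP default, so they win; only the host route to the VPN endpoint
# (198.51.100.5, assumed) and the BLUE subnet itself stay on wlan0.
ROUTES_FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.2.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.50 metric 600
198.51.100.5 via 192.168.2.1 dev wlan0
"""


def parse_routes(text):
    """Parse `ip route show` style lines into dicts with dst/via/dev/metric."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {
            "dst": ipaddress.ip_network(dst, strict=False),  # bare host -> /32
            "via": None,
            "dev": None,
            "metric": 0,
        }
        # Walk the remaining "key value" pairs; keys we do not model are skipped.
        for key, value in zip(tokens[1:], tokens[2:]):
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, address):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r["dst"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def with_static_routes(routes, networks, gateway, dev):
    """Return a copy of the table with the static routes the second reply
    suggests: each local network via the BLUE-side pfSense gateway. A /24 is
    more specific than the VPN's /1 routes, so it wins the lookup."""
    added = [
        {"dst": ipaddress.ip_network(n), "via": gateway, "dev": dev, "metric": 0}
        for n in networks
    ]
    return routes + added


if __name__ == "__main__":
    # Assumed hosts: print server on BLUE, web server on RED, pfSense WAN address.
    targets = {
        "print server (BLUE)": "192.168.2.20",
        "web server (RED)": "192.168.1.10",
        "pfSense WAN": "203.0.113.10",
    }
    for label, table in (("no VPN", ROUTES_NO_VPN), ("full tunnel", ROUTES_FULL_TUNNEL)):
        routes = parse_routes(table)
        for name, ip in targets.items():
            r = lookup(routes, ip)
            print(f"{label:11} {name:20} -> {r['dst']} dev {r['dev']}")
    fixed = with_static_routes(
        parse_routes(ROUTES_FULL_TUNNEL),
        ["192.168.1.0/24", "192.168.3.0/24"],  # RED and GREEN, assumed
        "192.168.2.1", "wlan0",
    )
    print("with static routes, web server (RED) ->", lookup(fixed, "192.168.1.10")["dev"])
```

Run it as-is and compare with the real output of `ip route show` (or `route print` on Windows) on the laptop with and without the VPN: if the table shows /1 routes or a lower-metric default on the tunnel interface, the firewall never sees the packets for GREEN or RED, which is what the replies above describe, and only a more specific route on the laptop, or a change on the VPN side, brings them back to the local network.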
