Setup Policy Based Routing and Multi VPN That Stop Certain IP's from Internet

archedraft · Oct 28, 2013, 7:59 PM

How to use Policy Based Routing and Multi VPN

1. Make 2 VPN clients

I Followed this guide http://www.komodosteve.com/archives/232
NOTES: I used the same server port for both VPN's
NOTES: I added the following commands into Advanced Config (When pfSense first boots it will randomly pick of the the 3 VPN_IP's
SCREENSHOT: OpenVPN Client 1
SCREENSHOT: OpenVPN Client 2

remote_VPN IP_#1 Port#;
remote VPN_IP_#2 Port#;
remote VPN_IP_#3 Port#;
remote-random;

2. Check to make sure you have three gateways: System -> Routing - Gateways (WAN_HDCP, USA VPN, EU VPN)

SCREENSHOT: System Gateways

3. Next go to Firewall -> Aliases

This is where you will setup two aliases for the USA VPN's and EU VPN's
Make sure you have static IP address for the machines

4. Next go to Firewall -> Rules -> Lan

I made 3 rules (1 that redircts the EU vpn through the EU gateway, 1 that redirects the US vpn through the US gateway, and 1 that selects every other IP address not specified in aliases and sends it to the defualt WAN gateway)
Proto: ANY, Source: Alias, Gateway: VPN
SCREENSHOT: Firewall Rules 1
SCREENSHOT: Firewall Rules 2

5. Next go to Firewall -> NAT -> Outbound

First delete all rules
Select "Automatic outbound NAT rule generation" and click save
Select "Manual Outbound NAT rule generation" and click save
This should auto created any rules needed for the VPN's
Now create a rule that will stop traffic if the VPN is down
Click "Do not NAT", Interface "WAN", Protocol "any", Source "Alias"
MAKE SURE you move the rule to the top of the list as pfsense carries out rules from top down
SCREENSHOT: Firewall NAT Outbound 1
SCREENSHOT: Firewall NAT Outbound 2

5. Next to go Firewall -> Rules -> Floating Rules

Action "Block", Interface "WAN", Direction "any", Protocol "any", Source "alias"
SCREENSHOT: Firewall Rules Floating 1
SCREENSHOT: Firewall Rules Floating 2
This along with with #5 will block your machine from going to internet

Special thanks to m3ki for all the help
http://forum.pfsense.org/index.php/topic,68191.30.html
http://forum.pfsense.org/index.php/topic,65331.0.html
![OpenVPN Client 1.JPG](/public/imported_attachments/1/OpenVPN Client 1.JPG)
![OpenVPN Client 1.JPG_thumb](/public/imported_attachments/1/OpenVPN Client 1.JPG_thumb)

archedraft · Oct 28, 2013, 7:59 PM

More Screenshots

![OpenVPN Client 2.JPG](/public/imported_attachments/1/OpenVPN Client 2.JPG)
![OpenVPN Client 2.JPG_thumb](/public/imported_attachments/1/OpenVPN Client 2.JPG_thumb)
![System Gateways.JPG](/public/imported_attachments/1/System Gateways.JPG)
![System Gateways.JPG_thumb](/public/imported_attachments/1/System Gateways.JPG_thumb)
![Firewall Rules 1.JPG](/public/imported_attachments/1/Firewall Rules 1.JPG)
![Firewall Rules 1.JPG_thumb](/public/imported_attachments/1/Firewall Rules 1.JPG_thumb)

archedraft · Oct 28, 2013, 8:00 PM

More Screenshots

![Firewall Rules 2.JPG](/public/imported_attachments/1/Firewall Rules 2.JPG)
![Firewall Rules 2.JPG_thumb](/public/imported_attachments/1/Firewall Rules 2.JPG_thumb)
![Firewall NAT Outbound 1.JPG](/public/imported_attachments/1/Firewall NAT Outbound 1.JPG)
![Firewall NAT Outbound 1.JPG_thumb](/public/imported_attachments/1/Firewall NAT Outbound 1.JPG_thumb)

archedraft · Oct 28, 2013, 8:00 PM

More Screenshots

![Firewall NAT Outbound 2.JPG](/public/imported_attachments/1/Firewall NAT Outbound 2.JPG)
![Firewall NAT Outbound 2.JPG_thumb](/public/imported_attachments/1/Firewall NAT Outbound 2.JPG_thumb)
![Firewall Rules Floating 1.JPG](/public/imported_attachments/1/Firewall Rules Floating 1.JPG)
![Firewall Rules Floating 1.JPG_thumb](/public/imported_attachments/1/Firewall Rules Floating 1.JPG_thumb)

archedraft · Oct 29, 2013, 1:19 PM

More Screenshots

![Firewall Rules Floating 2.JPG](/public/imported_attachments/1/Firewall Rules Floating 2.JPG)
![Firewall Rules Floating 2.JPG_thumb](/public/imported_attachments/1/Firewall Rules Floating 2.JPG_thumb)