Netgate Discussion Forum

Force a group to use OpenVPN for Internet

OpenVPN
4 Posts 2 Posters 1.1k Views
  • charlien
    last edited by Mar 26, 2014, 3:09 PM

    I have set up a VPN to Private Internet Access. It works and I have created an interface using this tunnel.

    I went to Firewall: NAT: Outbound and changed it to Manual. I don't know why but I saw someone else do it.

    I created three Firewall rules in the LAN tab.
    First rule allows all traffic from my alias to use the gateway that uses the VPN.
    Second rule rejects all traffic from my alias to the WAN gateway.
    Third rule allows all traffic to use the WAN gateway.

    I want all outbound traffic from the alias to use the VPN and be blocked if the tunnel goes down. It works, however when I disable the VPN to test it any PC in the alias group will pause for a while and eventually start to use the WAN interface. How can I stop them from doing that?

    I'm so close….

    • phil.davis
      last edited by Mar 28, 2014, 3:55 PM

      System: Advanced: Miscellaneous
      Skip rules when gateway is down - By default, when a rule has a specific gateway set, and this gateway is down, the rule is created and traffic is sent to the default gateway. This option overrides that behavior and the rule is not created when the gateway is down.

      Check that box - pfSense is too nice, and when the target gateway is down it changes the rule to just pass the traffic to the default routing table (= out the default WAN in most cases). This box disables that "niceness".

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • phil.davis
        last edited by Mar 28, 2014, 4:02 PM

        I went to Firewall: NAT: Outbound and changed it to Manual. I don't know why but I saw someone else do it.

        On 2.1, Automatic Outbound NAT rules do get generated on OpenVPN client interfaces out to a VPN provider. But there is a "feature" that if you select Manual Outbound NAT, the code there does generate the rules, you press save, and bingo, a free set of outbound NAT rules for your outgoing VPN link.
        The behaviour was inconsistent. Doing what you did helps your situation, but not everybody wants/needs rules on all outgoing OpenVPN clients.

        The behaviour has been made consistent in 2.1.1 by this change: https://github.com/pfsense/pfsense/commit/e538fc18448bc2444ea3dce995aa90b717459043

        In 2.1.1 you will need to enable Manual Outbound NAT, and then add the extra rules you need.

        From 2.2 onwards you can have "hybrid" outbound NAT - keep letting the system generate the automatic outbound NAT rules, and add some of your own.


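To make concrete what the two answers above describe (the three LAN rules with a gateway set, what "Skip rules when gateway is down" changes, and the manual outbound NAT rule for the tunnel), here is a constructed pf.conf-style rendering of that setup. It is an added illustration, not configuration from the thread and not output generated by pfSense; the alias name VPN_HOSTS, the LAN interface name lan, the subnet 192.168.1.0/24, the OpenVPN client interface ovpnc1 and its gateway 10.8.0.1 are all assumed.

```pf
# Added illustration, not the thread's or pfSense's own configuration.
# Assumed: LAN interface "lan" with 192.168.1.0/24, OpenVPN client
# interface ovpnc1 whose gateway is 10.8.0.1, alias VPN_HOSTS holding
# the LAN machines that must only reach the Internet through the tunnel.
table <VPN_HOSTS> { 192.168.1.50, 192.168.1.51 }

# --- Firewall: Rules: LAN (pfSense renders every rule with "quick",
#     so evaluation is first-match, top to bottom) ---

# Rule 1: policy-route the alias out the tunnel gateway.
pass in quick on lan route-to (ovpnc1 10.8.0.1) from <VPN_HOSTS> to any keep state

# Rule 2: alias traffic that reaches this line did not match rule 1,
# so reject it rather than letting it fall through to the default route.
block return in quick on lan from <VPN_HOSTS> to any

# Rule 3: everyone else follows the default route (WAN).
pass in quick on lan from 192.168.1.0/24 to any keep state

# --- Firewall: NAT: Outbound (Manual mode, needed from 2.1.1 onwards) ---
# Translate LAN sources to the tunnel address so replies come back via ovpnc1.
nat on ovpnc1 from 192.168.1.0/24 to any -> (ovpnc1)
```

With the default behaviour and the tunnel gateway marked down by gateway monitoring, pfSense regenerates rule 1 without its route-to clause, so it becomes a plain pass rule for <VPN_HOSTS> that still matches first; once existing states expire, the alias hosts follow the default route out WAN, which is the pause-then-leak charlien saw. With "Skip rules when gateway is down" set, rule 1 is omitted entirely while the gateway is down, so the alias traffic lands on rule 2 and is rejected. Using block return rather than a silent block gives clients an immediate reset instead of a hang, which makes the failure easy to notice during a test; note also that neither behaviour triggers until the gateway is actually marked down, so a tunnel that is up but routing nothing useful is not covered by this rule set.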
        • charlien
          last edited by Mar 28, 2014, 6:45 PM

          @phil.davis:

          System: Advanced: Miscellaneous
          Skip rules when gateway is down - By default, when a rule has a specific gateway set, and this gateway is down, the rule is created and traffic is sent to the default gateway. This option overrides that behavior and the rule is not created when the gateway is down.

          Check that box - pfSense is too nice, and when the target gateway is down it changes the rule to just pass the traffic to the default routing table (= out the default WAN in most cases). This box disables that "niceness".

          That fixed it. It seemed like it was some type of failover because it wasn't immediate. I looked and looked but was in the wrong area. Thanks for the help!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.