OpenVPN & Default gateway not acting as expected, traffic ONLY routes via VPN



  • Hello Everyone,

    I am running the 2.1.5 release of pfSense and have configured OpenVPN with a PIA account. The OpenVPN connection seems to be working correctly, I am getting an IP address, however it seems all traffic goes out only the OpenVPN interface. Here is the breakdown:
    1. Two subnets, LAN: 192.168.1.0/24 and 192.168.100.0/24
    2. Default gateway should be the non-VPN connection for MOST traffic unless specified
    3. 3 IP addresses on 192.168.1.0/24 should go out to the internet via the OPENVPN gateway
    4. 192.168.1.0/24 can access the 192.168.100.0/24 subnet
    5. 192.168.100.0/24 can only access 6 IPs on the 192.168.1.0/24 subnet

    Here are the configurations:
    Firewall -> Alias:
    MediaService- IP: 192.168.1.220,192.168.1.221,192.168.1.222,192.168.1.223,192.168.1.224,192.168.1.225,192.168.1.226

    VPN_Gateway: 192.168.1.223,192.168.1.220,192.168.1.225

    System -> Gateways:
    OpenVPN_VPN4- Interface: OPENVPN
    WAN_DHCP -Interface: WAN (Set as default)

    Firewall -> Rules:
    Interface LAN (192.168.1.0/24 subnet)
    IPV4 *    VPN_GATEWAY  *    *    * OPENVPN_VPNV4 NONE
    IPv4 LAN NET  *  * * * NONE
    IPV4 192.168.100.0/24 * * * * NONE

    Interface OPT1(192.168.100.1/24 subnet)
    IPv4 * * * * * none

    Interface OPENVPN (openvpn interface for PIA)
    none

    Firewall -> NAT -> Outbound
    WAN 192.168.1.0/24 * * 500 WAN address * YES
    OPENVPN 192.168.1.0/24 * * 500 OPENVPN address * NO

    WAN 192.168.1.0/24 * * * WAN address * NO
    OPENVPN 192.168.1.0/24 * * * OpenVPN address * NO

    WAN 192.168.100.0/24 * * 500 WAN address * YES
    OPENVPN 192.168.100.0/24 * * 500 OPENVPN address * NO

    WAN 192.168.100.0/24 * * * WAN address * NO
    OPENVPN 192.168.100.0/24 * * * OpenVPN address * NO

    Question!

    Here is the problem I am experiencing: if I am on my machine on 192.168.1.20, and I disable all firewall rules on the LAN subnet, and only enable a rule with all "*" (i.e. * * * * * * *), not setting a subnet (leaving that setting untouched), going to a website on the internet will show that my IP address is that of the VPN. My understanding, however, is that this should not be the case. Should I not still be using my default address unless specifically set in the gateway?

    I have also tried to explicitly put alias: MediaService using a firewall rule with a gateway of OPENVPN and a * * * * * under it WITHOUT a gateway set, but even traffic outside of this alias still seems to be going to the VPN.

    I then tried to set 2 firewall rules, alias: MediaService * * * * OpenVPN gateway and 192.168.100.55 * * * * WAN gateway. In this case, MediaService is going out to the internet on the OpenVPN and 192.168.1.55 is going to the internet on my regular IP, but they cannot communicate with each other at all. I am assuming because 192.168.100.55 is on a different subnet and it does not get to the next rule allowing it on the other subnet? Does anyone have any ideas how to make this work? Please let me know if you need more information.



  • Check PIA server logs, they are sure pulling "redirect-gateway def1" so all your lan traffic will be routed to VPN. In order to avoid it you must use "route-nopull" in your client custom options. In this way you will get control of your route policy.

    https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway



  • Wow.. thank you! What is even the benefit of that having to be an option instead of a default? Side question, am I under the correct understanding that the gateway of my clients obviously does not matter internally (even across subnets)? They should still be able to communicate, as they are obviously not even reaching that gateway?

    Lastly, I am not sure if this matters, but 192.168.100.0/24 is a wireless network connected to a wireless router on its own interface off the pfSense box. That router is configured as a straight access point. I was attempting to diagnose this issue and my firewall seems to think any website/traffic going TO and FROM my wireless network is to/from 224.0.0.1 IGMP traffic. I understand the basic idea of a multicast address, but why is this traffic being treated this way? Does this have anything to do with my internal traffic not acting as expected?



  • One thing worth noting: there are other sections of my network not mentioned as I did not think they were relevant. I am using VLANs, but not on any of the mentioned subnets. The reason I believe the multicast has something to do with the issue is due to the following setup. By the way, I have changed the OpenVPN configuration as you mentioned and, without setting a gateway on the interface, it is now using my internet (partial success!)

    I set the following rules: (alias VPN_GATEWAY: 192.168.1.220 & 192.168.1.225)
    LAN (192.168.1.0/24):
    192.168.100.0/24 * * * * none
    VPN_GATEWAY * LAN NET * * none
    VPN_GATEWAY * * * OPENVPN none
    LAN NET * * * * none

    OPT1 (192.168.100.0/24)
    OPT1 net * * * * none
    LAN NET * * * * none

    OPENVPN (vpn interface)
    VPN_GATEWAY * * * OpenVPN

    192.168.1.0/24 can access the internet not on the VPN (VPN for the VPN_GATEWAY alias), and 192.168.100.0/24 can access the internet non-VPN as desired. 192.168.100.0/24 can access all clients on the 192.168.1.0/24 network EXCEPT the ones in VPN_GATEWAY (the ones that are using the VPN for internet). Is it because 192.168.100.0/24 is behind a wireless access point and thus uses multicast addressing?



  • I don't understand your network.

    But you should set Outbound NAT:

    VPN_WAN Alias_1 * * * VPN_WAN address * NO VPN -> VPN_WAN

    WAN Alias_2 * * * WAN address * NO LAN to WAN

    Where Alias_1 are those clients you want to go to VPN.

    Firewall rule on the relevant interface's TAB

    IPv4 * Alias_1 * * * VPN_WAN_GW none

    This rule imposes on Alias_1 the use of VPN_WAN_GW (your VPN provider gateway).

    Normally after authentication, your VPN provider assigns 2 IPs as end-start points of the tunnel, you have the start point and your gateway is the end point on the server of your provider.

    Check here: http://www.bodenzord.com/archives/324



  • Thank you for taking the time to respond! Sorry about not getting back to you earlier. I drew a crude diagram of my network (by hand sorry!) here: http://imgur.com/o19Z0XC

    I have excluded a few parts just to simplify for now. I would like only two IPs, 192.168.1.220 & 192.168.1.225, to access the internet through the VPN connection, while all other clients use the regular WAN. However, I would like all clients from both 192.168.100.0/24 and 192.168.1.0/24 to access those two clients locally. I checked the link you sent and my VPN configuration is identical to what you linked, only I have added the additional binding setting you recommended earlier. My problem is that clients using the VPN cannot communicate with non-VPN clients and vice versa. I apologize, but I do not completely understand what you meant in the last post regarding the start/end point of the tunnel; it seems that PIA is assigning (or it auto-assigns) a single IP in the 10.X range…

    Let me know if more information is needed, thank you!



  • Ok, it should be easy.

    Create Alias_VPN inserting 192.168.1.220 & 192.168.1.225.
    Create Alias_LAN with 192.168.100.0/24 and 192.168.1.0/24

    I assume you have used the "route-nopull" option, so you have 2 gateways, 1 for the clear net and 1 other for the VPN tunnel.

    I would start with Manual Outbound NAT with 2 simple rules:

    VPN_WAN      Alias_VPN  *  *  *  VPN_WAN address  *  NO

    WAN      Alias_LAN  *  *  *  WAN address  *  NO

    Then you should build the firewall rules, the order is important, the rules are processed in top-down order, the first which meets all conditions is applied.

    Firewall rule on interface 192.168.1.0/24 TAB

    PASS --- IPv4 *  Alias_VPN  *  *  *  VPN_WAN_GW  none  //IPs in Alias_VPN will use gateway VPN_WAN_GW (or whatever you named)//
    PASS --- IPv4 *  Alias_LAN  *  *  *  *  none  //IPs in Alias_LAN are allowed and will use default gateway, this rule should allow communication between clients on different subnets)

    Firewall rule on interface 192.168.100.0/24 TAB
    PASS --- IPv4 *  Alias_VPN  *  *  *  VPN_WAN_GW  none  //IPs in Alias_VPN will use gateway VPN_WAN_GW (or whatever you named)//
    PASS --- IPv4 *  Alias_LAN  *  *  *  *  none  //IPs in Alias_LAN are allowed and will use default gateway, this rule should allow communication between clients on different subnets)

    Let me know if it works.
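Added example (not code from the thread or from pfSense): a small first-match evaluator for the rule table proposed above, using the alias contents given on the page. It shows which gateway each flow gets, and why a pass rule for local destinations placed above the policy-routed rule (as in the earlier "VPN_GATEWAY * LAN NET * * none" rule) keeps traffic between the VPN clients and the rest of the LAN off the tunnel. The flow addresses are constructed test values.

```python
import ipaddress

# Aliases as defined in the thread (Alias_VPN and Alias_LAN).
ALIASES = {
    "Alias_VPN": ["192.168.1.220", "192.168.1.225"],
    "Alias_LAN": ["192.168.100.0/24", "192.168.1.0/24"],
}

def matches(spec, addr):
    """True if addr is covered by '*', an alias name, or a host/CIDR string."""
    if spec == "*":
        return True
    for net in ALIASES.get(spec, [spec]):
        if ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False):
            return True
    return False

def lookup(rules, src, dst):
    """pf-style evaluation: rules are walked top-down and the first rule whose
    source and destination both match decides the gateway. 'default' means the
    system default route (WAN_DHCP in the original poster's setup)."""
    for rule in rules:
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["gw"]
    return "blocked"   # implicit deny when no rule matches

# Rule table from the last post for the 192.168.1.0/24 tab, in order.
RULES_LAN = [
    {"src": "Alias_VPN", "dst": "*", "gw": "VPN_WAN_GW"},
    {"src": "Alias_LAN", "dst": "*", "gw": "default"},
]

# Same table with a local-destination pass rule above the policy-routed one.
# Assumed variant: it uses Alias_LAN as destination so both subnets are covered.
RULES_LAN_LOCAL_FIRST = [
    {"src": "Alias_VPN", "dst": "Alias_LAN", "gw": "default"},
] + RULES_LAN

if __name__ == "__main__":
    # Constructed flows: VPN client to internet, normal client to internet,
    # VPN client to a host on the other local subnet.
    flows = [("192.168.1.220", "203.0.113.9"),
             ("192.168.1.20", "203.0.113.9"),
             ("192.168.1.220", "192.168.100.55")]
    for name, rules in (("as posted", RULES_LAN), ("local first", RULES_LAN_LOCAL_FIRST)):
        for src, dst in flows:
            print(f"{name}: {src} -> {dst}: {lookup(rules, src, dst)}")
```

With the table as posted, the VPN client's packets to 192.168.100.55 are also handed to VPN_WAN_GW, which is the cross-subnet symptom reported earlier in the thread; with the local-destination rule first they take the default route.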

