Netgate Discussion Forum

OpenVPN & Default gateway not acting as expected, traffic ONLY routes via VPN

Category: OpenVPN (7 posts, 2 posters)
imanz

Hello Everyone,

I am running the 2.1.5 release of pfSense and have configured OpenVPN with a PIA account. The OpenVPN connection seems to be working correctly; I am getting an IP address. However, it seems all traffic goes out only the OpenVPN interface. Here is the breakdown:
1. Two subnets, LAN: 192.168.1.0/24 and 192.168.100.0/24
2. Default gateway should be the non-VPN connection for MOST traffic unless specified
3. 3 IP addresses on 192.168.1.0/24 should go out to the internet via the OPENVPN gateway
4. 192.168.1.0/24 can access the 192.168.100.0/24 subnet
5. 192.168.100.0/24 can only access 6 IPs on the 192.168.1.0/24 subnet

Here are the configurations:
Firewall -> Alias:
MediaService - IP: 192.168.1.220,192.168.1.221,192.168.1.222,192.168.1.223,192.168.1.224,192.168.1.225,192.168.1.226

VPN_Gateway: 192.168.1.223,192.168.1.220,192.168.1.225

System -> Gateways:
OpenVPN_VPN4 - Interface: OPENVPN
WAN_DHCP - Interface: WAN (Set as default)

Firewall -> Rules:
Interface LAN (192.168.1.0/24 subnet)
IPV4 *    VPN_GATEWAY  *    *    * OPENVPN_VPNV4 NONE
IPv4 LAN NET  *  * * * NONE
IPV4 192.168.100.0/24 * * * * NONE

Interface OPT1 (192.168.100.1/24 subnet)
IPv4 * * * * * none

Interface OPENVPN (openvpn interface for PIA)
none

Firewall -> NAT -> Outbound
WAN 192.168.1.0/24 * * 500 WAN address * YES
OPENVPN 192.168.1.0/24 * * 500 OPENVPN address * NO

WAN 192.168.1.0/24 * * * WAN address * NO
OPENVPN 192.168.1.0/24 * * * OpenVPN address * NO

WAN 192.168.100.0/24 * * 500 WAN address * YES
OPENVPN 192.168.100.0/24 * * 500 OPENVPN address * NO

WAN 192.168.100.0/24 * * * WAN address * NO
OPENVPN 192.168.100.0/24 * * * OpenVPN address * NO

Question!

Here is the problem I am experiencing: if I am on my machine on 192.168.1.20, and I disable all firewall rules on the LAN subnet, and only enable a rule with all "*" (i.e. * * * * * * *) and do not set a gateway (leaving that setting untouched), going to a website on the internet will show that my IP address is that of the VPN. My understanding, however, is that this should not be the case. Should I not still be using my default address unless specifically set in the gateway?

I have also tried to explicitly put alias MediaService in a firewall rule with a gateway of OPENVPN and a * * * * * rule under it WITHOUT a gateway set, but even traffic outside of this alias still seems to be going to the VPN.

I then tried to set 2 firewall rules: alias MediaService * * * * OpenVPN gateway and 192.168.100.55 * * * * WAN gateway. In this case, MediaService is going out to the internet on the OpenVPN and 192.168.1.55 is going to the internet on my regular IP, but they cannot communicate with each other at all. I am assuming because 192.168.100.55 is on a different subnet and it does not get to the next rule allowing it on the other subnet? Does anyone have any ideas how to make this work? Please let me know if you need more information.
Wolf666

Check PIA server logs, they are surely pulling "redirect-gateway def1" so all your LAN traffic will be routed to the VPN. In order to avoid it you must use "route-nopull" in your client custom options. In this way you will get control of your route policy.

https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

Modem Draytek Vigor 130
pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
Switch Cisco SG350-10
AP Netgear R7000 (Stock FW)
HTPC Intel NUC5i3RYH
NAS Synology DS1515+
NAS Synology DS213+
imanz

Wow.. thank you! What is even the benefit of that having to be an option instead of a default? Side question: am I under the correct understanding that it obviously does not matter what the gateway of my clients is, internally (even across subnets) they should still be able to communicate as they are obviously not even reaching that gateway?

Lastly, I am not sure if this matters, but 192.168.100.0/24 is a wireless network connected to a wireless router on its own interface off the pfSense box. That router is configured as a straight access point. I was attempting to diagnose this issue and my firewall seems to think any website/traffic going TO and FROM my wireless network is to/from 224.0.0.1 IGMP traffic. I understand the basic idea of a multicast address, but why is this traffic being treated this way? Does this have anything to do with my internal traffic not acting as expected?
imanz

One thing worth noting: there are other sections of my network not mentioned as I did not think they were relevant; I am using VLANs but not on any of the mentioned subnets. The reason I believe the multicast has something to do with the issue is due to the following setup. By the way, I have changed the OpenVPN configuration as you mentioned and, without setting a gateway on the interface, it is now using my internet (partial success!)

I set the following rules: (alias VPN_GATEWAY: 192.168.1.220 & 192.168.1.225)
LAN (192.168.1.0/24):
192.168.100.0/24 * * * * none
VPN_GATEWAY * LAN NET * * none
VPN_GATEWAY * * * OPENVPN none
LAN NET * * * * none

OPT1 (192.168.100.0/24)
OPT1 net * * * * none
LAN NET * * * * none

OPENVPN (vpn interface)
VPN_GATEWAY * * * OpenVPN

192.168.1.0/24 can access the internet not on the VPN (VPN for the VPN_GATEWAY alias), and 192.168.100.0/24 can access the internet non-VPN as desired. 192.168.100.0/24 can access all clients on the 192.168.1.0/24 network EXCEPT the ones in VPN_GATEWAY (the ones that are using the VPN for internet). Is it because 192.168.100.0/24 is a wireless access point, thus using the multicast addressing?
Wolf666

I don't understand your network.

But you should set Outbound NAT:

VPN_WAN Alias_1 * * * VPN_WAN address * NO VPN -> VPN_WAN

WAN Alias_2 * * * WAN address * NO LAN to WAN

Where Alias_1 are those clients you want to go to the VPN.

Firewall rule on the relevant interface's TAB:

IPv4 * Alias_1 * * * VPN_WAN_GW none

This rule imposes on Alias_1 the use of VPN_WAN_GW (your VPN provider gateway).

Normally after authentication, your VPN provider assigns 2 IPs as end/start points of the tunnel: you have the start point and your gateway is the end point on the server of your provider.

Check here: http://www.bodenzord.com/archives/324
imanz

Thank you for taking the time to respond! Sorry about not getting back to you earlier. I drew a crude diagram of my network (by hand, sorry!) here: http://imgur.com/o19Z0XC

I have excluded a few parts just to simplify for now. I would like only two IPs, 192.168.1.220 & 192.168.1.225, to access the internet through the VPN connection, while all other clients use the regular WAN. However, I would like all clients from both 192.168.100.0/24 and 192.168.1.0/24 to access those two clients locally. I checked the link you sent and my VPN configuration is identical to what you linked, only I have added the additional binding setting you recommended earlier. My problem is that clients using the VPN cannot communicate with non-VPN clients and vice versa. I apologize, but I do not completely understand what you meant in the last post regarding the start/end point of the tunnel; it seems that PIA is assigning (or it auto assigns) a single IP in the 10.X range…

Let me know if more information is needed, thank you!
Wolf666

Ok, it should be easy.

Create Alias_VPN inserting 192.168.1.220 & 192.168.1.225.
Create Alias_LAN with 192.168.100.0/24 and 192.168.1.0/24

I assume you have used the "route-nopull" option; you have 2 gateways, 1 for the clear net and 1 other for the VPN tunnel.

I should start with Manual Outbound NAT with 2 simple rules:

VPN_WAN      Alias_VPN  *  *  *  VPN_WAN address  *  NO

WAN      Alias_LAN  *  *  *  WAN address  *  NO

Then you should build the firewall rules. The order is important: the rules are processed in top-down order, and the first which meets all conditions is applied.

Firewall rule on interface 192.168.1.0/24 TAB

PASS --- IPv4 *  Alias_VPN  *  *  *  VPN_WAN_GW  none  //IPs in Alias_VPN will use gateway VPN_WAN_GW (or whatever you named it)//
PASS --- IPv4 *  Alias_LAN  *  *  *  *  none  //IPs in Alias_LAN are allowed and will use the default gateway; this rule should allow communication between clients on different subnets//

Firewall rule on interface 192.168.100.0/24 TAB
PASS --- IPv4 *  Alias_VPN  *  *  *  VPN_WAN_GW  none  //IPs in Alias_VPN will use gateway VPN_WAN_GW (or whatever you named it)//
PASS --- IPv4 *  Alias_LAN  *  *  *  *  none  //IPs in Alias_LAN are allowed and will use the default gateway; this rule should allow communication between clients on different subnets//

Let me know if it works.
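The two mechanisms this thread turns on are easy to mis-order: "route-nopull" decides whether the provider's pushed "redirect-gateway def1" may replace the default route at all, and pfSense then evaluates each interface tab top-down, first match wins, with a rule that names a gateway policy-routing everything it matches. The following added example (my own model, not pfSense code and not from either poster) simulates both using the alias and gateway names from the thread. The pushed options, the flows and the gateway label "VPN_WAN_GW" are constructed for illustration. It also shows the one check worth making on the final rule set above: with the Alias_VPN gateway rule placed first, a packet from 192.168.1.220 to the 192.168.100.0/24 subnet matches that rule and is sent into the tunnel, which is the "VPN clients cannot talk to non-VPN clients" symptom; a pass rule for local destinations with no gateway placed above it keeps inter-subnet traffic on the routing table.

```python
"""Model of OpenVPN route-nopull plus pfSense first-match policy routing.
Added example; assumptions: pushed options, flow addresses, gateway labels."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample of what a provider might push on connect.
PUSHED_OPTIONS = ["redirect-gateway def1", "dhcp-option DNS 10.0.0.2"]

# Gateway names as they appear in the original post.
WAN_GW = "WAN_DHCP"
VPN_GW = "OpenVPN_VPN4"


def effective_default_gateway(client_options, pushed_options):
    """Gateway used by traffic that no firewall rule policy-routes."""
    if "route-nopull" in client_options:
        return WAN_GW   # pushed routes ignored, system default route untouched
    if any(o.startswith("redirect-gateway") for o in pushed_options):
        return VPN_GW   # default route replaced by the tunnel
    return WAN_GW


# Aliases from the last reply in the thread.
ALIASES = {
    "Alias_VPN": ["192.168.1.220/32", "192.168.1.225/32"],
    "Alias_LAN": ["192.168.1.0/24", "192.168.100.0/24"],
    "any": ["0.0.0.0/0"],
}


def nets(alias):
    return [ip_network(n) for n in ALIASES[alias]]


@dataclass
class Rule:
    src: list               # networks the source must belong to
    dst: list               # networks the destination must belong to
    gateway: Optional[str]  # None = no gateway set, use the routing table
    note: str


def first_match(rules, src, dst):
    """pfSense semantics: top-down, first rule matching both ends wins."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if any(s in n for n in rule.src) and any(d in n for n in rule.dst):
            return rule
    return None  # nothing matched: default deny


def route_for(rules, src, dst, default_gw=WAN_GW):
    """Where a flow ends up: a named gateway, the connected subnet, or blocked."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule.gateway:
        return rule.gateway  # policy routing overrides the routing table
    if any(ip_address(dst) in n for n in nets("Alias_LAN")):
        return "direct (connected subnet)"
    return default_gw


# Rule order exactly as given in the last reply.
RULES_AS_POSTED = [
    Rule(nets("Alias_VPN"), nets("any"), "VPN_WAN_GW", "VPN clients -> tunnel"),
    Rule(nets("Alias_LAN"), nets("any"), None, "everyone else -> default route"),
]

# Same rules with a local-destination pass rule (no gateway) placed first.
RULES_LOCAL_FIRST = [
    Rule(nets("Alias_LAN"), nets("Alias_LAN"), None, "local subnets via routing table"),
] + RULES_AS_POSTED


def demo():
    """Compare both orderings for a few constructed flows (203.0.113.10 is TEST-NET-3)."""
    flows = [
        ("192.168.1.220", "203.0.113.10"),    # VPN client to the internet
        ("192.168.1.20", "203.0.113.10"),     # ordinary LAN client to the internet
        ("192.168.1.220", "192.168.100.55"),  # VPN client to the wireless subnet
    ]
    return {(s, d): (route_for(RULES_AS_POSTED, s, d),
                     route_for(RULES_LOCAL_FIRST, s, d)) for s, d in flows}


if __name__ == "__main__":
    print("default gateway without route-nopull:", effective_default_gateway([], PUSHED_OPTIONS))
    print("default gateway with route-nopull:   ", effective_default_gateway(["route-nopull"], PUSHED_OPTIONS))
    for (s, d), (posted, local_first) in demo().items():
        print(f"{s} -> {d}: as posted = {posted}; local rule first = {local_first}")
```

Running it prints that the VPN client's internet traffic takes VPN_WAN_GW under both orderings, the ordinary client stays on WAN_DHCP, and only the local-first ordering keeps the 192.168.1.220 -> 192.168.100.55 flow on the connected subnet. The same first-match logic applies to the 192.168.100.0/24 tab, so the local pass rule belongs at the top of every interface tab that carries policy-routed hosts.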