Forcing certain public networks across vpn from client



  • OK, I've got an odd situation at a client and trying to wrap my head around a solution. I think I may be over-analyzing and would love some feedback/help. =)

    Client has public-facing servers in Amazon AWS and connects to an admin portal that only allows access from the main office IPs. So we need to force traffic destined to those Amazon servers from OpenVPN clients through the office VPN and back out so they are hitting those Amazon servers from the office network, like this:

    OpenVPN Client --> VPN Tunnel --> Office LAN --> Amazon AWS Servers

    I don't really want to force all their traffic through the VPN tunnel due to bandwidth concerns, so other traffic will run across their normal connection, with traffic destined to the internal LAN as well as those Amazon servers going over the tunnel.

    How should I set this up, via push routes or some other way? I've been searching for threads of similar setup but not finding anything that is similar. Any help would be greatly appreciated. =)


  • LAYER 8 Netgate

    Are the IPs of the AWS servers easy to put into a firewall rule? You could just push routes for them out to the clients.

    In the diagram in my sig you'd want the Remote Access clients to generally use their own native connections for internet but forward traffic for specific IPs to pfSense A and use pfSense A's normal WAN to access them?

    I can help you with this.



  • @Derelict:

    Are the IPs of the AWS servers easy to put into a firewall rule? You could just push routes for them out to the clients.

    In the diagram in my sig you'd want the Remote Access clients to generally use their own native connections for internet but forward traffic for specific IPs to pfSense A and use pfSense A's normal WAN to access them?

    I can help you with this.

    Exactly, OpenVPN client connected to pfSense A via VPN tunnel, traffic back out the WAN on pfSense A to the AWS server. All other internet traffic going out through the client's internet gateway. I do have the AWS server IPs. I'm assuming I can just set up a push route to the IP or subnet and that will take care of it?


  • LAYER 8 Netgate

    Please see: https://forum.pfsense.org/index.php?topic=82732.msg473856#msg473856


  • @Derelict:

    Please see: https://forum.pfsense.org/index.php?topic=82732.msg473856#msg473856

    Derelict, that was exactly what I needed. I knew I was over-analyzing the problem. :) I set up the push routes and tested and it's working perfectly. My only issue right now is the huge range of IP networks AWS uses and it's always changing, but that's a different issue altogether. =)

    Thanks for the clarification!

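One way to keep the pushed route list in step with AWS's changing ranges, as an added example that is not part of this thread or of pfSense: AWS publishes its prefixes at https://ip-ranges.amazonaws.com/ip-ranges.json, and the script below filters that format by region and service, collapses overlapping prefixes, and emits the `push "route ..."` lines for the OpenVPN server. The embedded JSON is a constructed sample in that layout, and the region/service filters are assumptions; adjust them to the client's actual deployment.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json
# (real data has thousands of entries and is refreshed regularly).
SAMPLE_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/26", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
    ],
})


def select_prefixes(ranges_json, regions, services):
    """Return the IPv4 networks matching the region/service filters,
    collapsed so overlapping or adjacent prefixes become one route."""
    data = json.loads(ranges_json)
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] in regions and p["service"] in services
    ]
    # collapse_addresses absorbs 203.0.113.0/25 into 203.0.113.0/24, so each
    # client receives the smallest possible routing table for the tunnel.
    return sorted(ipaddress.collapse_addresses(nets))


def push_route_lines(networks):
    """Render OpenVPN 'push route' directives in network/netmask form."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in networks]


def build_push_routes(ranges_json, regions=("us-east-1",), services=("EC2",)):
    """Filters (assumed here) pick only the region/service the servers live in,
    keeping everything else on the client's own internet connection."""
    return push_route_lines(select_prefixes(ranges_json, regions, services))


if __name__ == "__main__":
    for line in build_push_routes(SAMPLE_RANGES):
        print(line)
```

Re-run the script whenever AWS's syncToken changes and replace the pushed routes on the server. The office firewall must also translate the tunnel subnet on its WAN (outbound NAT) for AWS to see the office address.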
