Cannot get internet connectivity for LAN and VPN_LAN clients at the same time

  • I am trying to configure my first pfSense 2.2.2 install, but running into trouble with the routing of traffic when the openvpn client is configured. Basically, if I enable the VPN client, all devices in the VPN LAN have internet access, while devices in my normal LAN don't, and vice-versa. It seems that the vpn client alters the pfsense routing table, from a server push request, to force ALL traffic through the vpn_wan gateway, but if I select the -nopull option to stop that, the LAN traffic can pass out the WAN, but the LAN_VPN has no route out anymore!

    What I am trying to do is the following:

    • Three local LANs.
          - LAN:
          - LAN_VPN: (VPN client net)
          - VPN_LAN: (Remote Access clients net)

    • LAN traffic reaches internet through WAN.

    • LAN_VPN traffic reaches internet through VPN_WAN.

    • Local traffic can pass between LAN, LAN_VPN, & Remote Access clients.

    • DNS resolver is used for LAN only.

    • LAN_VPN uses external DNS through VPN tunnel, assigned by interface.

    Basically I have tried to follow the following guides without much luck: &

    Can anybody provide any guidance, based on the attached pics of my config??

    Much appreciated.

    Edit: Network diagram

    NAT Outbound:

    LAN Rules:

    LAN_VPN Rules:


    -nopull Routing Table:

  • When using the -nopull option, you need to assign an interface to your openvpn instance (interfaces-->assign--><+>-->ovpncx)

    then go to interfaces-->optx--> set type to 'none' ---> save
    you should now have a gateway / if you don't, create a gateway for the optx interface.
    use the gateway in your vpn_lan firewall rules

    oh yeah, you probably need to create some 'PASS' rules on the optx interface and if you have manual NAT, you'd have to sort that too

  • Thanks heper.

    I think I already have that interface, named VPN_WAN, which I identify in NAT and lan_vpn already, right?
    If I add PASS rules on the VPN_WAN gateway, wouldn't that be only for inbound connections from the internet?? Currently I just have a block all rule…
    See attached pics for VPN_WAN gateway and firewall details.


  • Bump.

    So referencing my LAN_VPN rules I have attached, what do I need to change to route that lan out the VPN WAN??

  • LAYER 8 Netgate

    This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.

  • @Derelict:

    This is too much for me to want to process (sans compensation) without an accurate, detailed network diagram.

    Diagram added.

  • LAYER 8 Netgate

    There is no reason to set the gateway on your LAN rules to WAN_PPPOE.  Set it back to default.  If you REALLY need to policy route everything out WAN_PPPOE, you need to bypass policy routing for everything that needs to route elsewhere, such as traffic from LAN to LAN_VPN.

    With one WAN there is no reason to use policy routing.  Set it to default.  Note that you also need to bypass policy routing on LAN_VPN if you want those hosts to be able to access any "local" resources like LAN.

    What is in the VPN_DNS alias?

    Are you sure you are having a traffic routing problem or a DNS problem?  I am not sure about the policy routing out the VPN with the /32 routes in the table for and since you have those name servers "glued" to WAN_PPPOE in pfSense and you're trying to policy route the same DNS servers (Those are the servers you're giving to LAN_VPN clients via DHCP).

    For instance, with the VPN connection up can you ping from Host A2?
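    As an added illustration of the ordering point made above (example code written for this page, not from the thread or from pfSense itself): a small first-match model of interface rules, using constructed subnets, showing why the bypass rule for local destinations has to sit above the policy-routing rule on LAN_VPN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed subnets for the model; the original poster's networks are not shown.
LAN = "192.168.1.0/24"
LAN_VPN = "192.168.2.0/24"


@dataclass
class Rule:
    """One pass rule on an interface, evaluated top-down, first match wins."""
    src: str                 # source network (CIDR)
    dst: str                 # destination network (CIDR) or "any"
    gateway: Optional[str]   # None = 'default' (system routing table), else policy-route via this gateway


def matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    return rule.dst == "any" or ip_address(dst_ip) in ip_network(rule.dst)


def egress(rules: List[Rule], src_ip: str, dst_ip: str) -> Optional[str]:
    """Gateway a packet leaves by under first-match evaluation.

    Returns the policy-routing gateway name, 'default' for the system routing
    table, or None when no pass rule matches (the packet is blocked).
    """
    for rule in rules:
        if matches(rule, src_ip, dst_ip):
            return rule.gateway or "default"
    return None


# Broken ordering: the catch-all policy-route rule sits first, so LAN_VPN -> LAN
# traffic is also forced out the tunnel and never reaches the local LAN.
BROKEN_LAN_VPN_RULES = [
    Rule(LAN_VPN, "any", "VPN_WAN"),
    Rule(LAN_VPN, LAN, None),
]

# Fixed ordering: the bypass rule for local destinations comes first (default
# gateway), and only the remaining traffic is policy-routed out VPN_WAN.
FIXED_LAN_VPN_RULES = [
    Rule(LAN_VPN, LAN, None),
    Rule(LAN_VPN, "any", "VPN_WAN"),
]
```

    The same ordering applies in the other direction on LAN if LAN is ever policy-routed: the rule for traffic to LAN_VPN must precede any rule that sets a gateway.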

  • Derelict, thanks for providing some help here. I have updated the pics in my original post to reflect some changes, as directed by yourself.

    Unfortunately, I still cannot get Internet connectivity out the VPN subnet, while using the -nopull option. I updated the monitor IP for the VPN_WAN gateway to, and interestingly that allows me to ping that particular IP out the VPN, but nothing else. i.e. I cannot ping from the LAN_VPN subnet unless I set it to be the monitor IP for the VPN_WAN gateway.


    What is in the VPN_DNS alias?

    This was just an alias for &

    Any other hints or advice?

  • LAYER 8 Netgate

    You don't have any old IPsec configs or anything covering do you?

  • @Derelict:

    You don't have any old IPsec configs or anything covering do you?

    Nope. This is a fresh install with openvpn only.

  • LAYER 8 Netgate

    Don't know, dude.  It works every time I do it.
