Netgate Discussion Forum

    PIA VPN With IP Based Routing But HTTP and HTTPS is Routed Different

    Category: OpenVPN (4 posts, 3 posters)
    • loopy66

      Hi. I have pfSense set up with a VPN to Private Internet Access (PIA) and I have it configured so that only certain IPs go over the PIA gateway whilst all others go over the normal WAN.

      I have 5 IP addresses set in the Firewall Rules -> LAN area which are pushed out over the PIA gateway, and if the source address is not one of those IPs then there is an any/any rule after these rules to send the traffic to the WAN.

      This seems to work OK, however I did notice loads of traffic going over the PIA when there were no devices on the network connected with the dedicated IPs. Initially I thought it was keepalives out of control, so I sorted them out, but it wasn't that; it turns out that regardless of IP address any HTTP traffic is pushed out of the PIA gateway.

      For example, 192.168.1.20 to 192.168.1.25 are told to go over the PIA regardless and they do. If I use my laptop on 192.168.1.14 then this should go out the normal WAN, and it does for HTTPS traffic, but when I go to a standard HTTP page/site it goes out over the PIA. I can't see why.

      My setup is that I use the ISP-provided router as a wireless access point and physical switch on address 192.168.0.1. The DMZ is configured on it to the pfSense, which has the WAN port on 192.168.0.2 and the LAN on 192.168.1.1 covering the network 192.168.1.0/24.

      Any ideas why HTTP traffic goes over the PIA regardless of what IP it comes from?

      Also, just to add, if I disable the VPN service then all traffic goes over the WAN (which is how I want it).

      • kesawi

        If you are using a transparent proxy or have configured your clients to use a proxy on pfSense, then the traffic will appear to pfSense as originating from the firewall, rather than from the LAN or DMZ subnets and will therefore not be subject to the policy based routing firewall rules on these interfaces. If your default gateway is the VPN under System: Gateways then squid will send all traffic through the VPN.

        You can configure squid to do policy based routing, however you need to have a static IP for the interface you wish to direct the traffic through. Typically the WAN interface IP is dynamic for most people, whereas a lot of VPN providers I've used issue a static IP for the VPN interface. Therefore unless you have a static WAN IP you should set the default gateway as your WAN. You will need to make sure you select Don't pull routes under the OpenVPN client configuration for your PIA connection, and adjust your firewall rules accordingly.

        Assuming you've changed your default gateway to the WAN, you will need to add the following to the end of Custom ACLs (Before Auth) under the advanced features of the squid proxy configuration page to send squid HTTP requests for clients 192.168.1.20 to 192.168.1.25 over the VPN (substitute XXX.XXX.XXX.XXX for the IP address of your PIA VPN interface):

        ##Send specific source hosts via VPN
        acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
        tcp_outgoing_address XXX.XXX.XXX.XXX src_to_vpn

        If you have a static WAN IP address and want to keep the VPN as the default gateway then you will need to specify the following instead (substitute XXX.XXX.XXX.XXX for the IP address of your WAN interface):

        ##Do not send these source hosts via VPN
        acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
        tcp_outgoing_address XXX.XXX.XXX.XXX !src_to_vpn

        Alternatively, disable the Squid proxy.

        • loopy66
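        The point kesawi makes is that proxied requests leave from the firewall itself, so the LAN policy-routing rules never see the client's address; only squid's own tcp_outgoing_address selection decides which interface the request exits from. The following script is an added example (not code from the thread or from the squid or pfSense projects) that parses the two snippets above as squid would read them, applies first-match tcp_outgoing_address semantics to every host on the 192.168.1.0/24 LAN, and reports any host whose exit address differs from the intended split. It assumes 10.8.0.2 as a placeholder for the PIA tunnel address (the thread's XXX.XXX.XXX.XXX) and uses the WAN address 192.168.0.2 given in the first post.

```python
import ipaddress

# Constructed squid.conf fragments mirroring the two variants from the thread.
# 10.8.0.2 is a placeholder for the PIA tunnel interface address (assumption);
# 192.168.0.2 is the pfSense WAN address stated in the first post.
VPN_ADDR = "10.8.0.2"
WAN_ADDR = "192.168.0.2"

CONF_DEFAULT_WAN = """
##Send specific source hosts via VPN
acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
tcp_outgoing_address 10.8.0.2 src_to_vpn
"""

CONF_DEFAULT_VPN = """
##Do not send these source hosts via VPN
acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
tcp_outgoing_address 192.168.0.2 !src_to_vpn
"""


def parse_squid(conf):
    """Parse 'acl NAME src NET...' and 'tcp_outgoing_address ADDR [!]ACL...' lines.
    Returns (acls, rules): acls maps an ACL name to its list of networks; rules
    is the ordered list of (outgoing_address, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "acl" and len(tok) >= 4 and tok[2] == "src":
            nets = [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif tok[0] == "tcp_outgoing_address" and len(tok) >= 2:
            conds = [(t.startswith("!"), t.lstrip("!")) for t in tok[2:]]
            rules.append((tok[1], conds))
    return acls, rules


def outgoing_address(acls, rules, client_ip, default_addr):
    """First matching tcp_outgoing_address wins; a rule with no ACL terms matches
    everything. A client matched by no rule leaves from the default gateway's
    address, which is what the unmodified proxy did for every HTTP request."""
    ip = ipaddress.ip_address(client_ip)
    for addr, conds in rules:
        if all(any(ip in n for n in acls.get(name, ())) != neg for neg, name in conds):
            return addr
    return default_addr


def policy_mismatches(conf, default_addr, lan, intended_vpn):
    """Compare squid's exit address for every LAN host with the intended split.
    Returns {host: (expected, actual)} for each host that deviates."""
    acls, rules = parse_squid(conf)
    vpn_hosts = {ipaddress.ip_address(h) for h in intended_vpn}
    bad = {}
    for host in ipaddress.ip_network(lan).hosts():
        expected = VPN_ADDR if host in vpn_hosts else WAN_ADDR
        actual = outgoing_address(acls, rules, host, default_addr)
        if actual != expected:
            bad[str(host)] = (expected, actual)
    return bad


# The six hosts the first post wants forced through PIA.
INTENDED_VPN = [f"192.168.1.{n}" for n in range(20, 26)]

if __name__ == "__main__":
    for label, conf, default in (("default gateway WAN", CONF_DEFAULT_WAN, WAN_ADDR),
                                 ("default gateway VPN", CONF_DEFAULT_VPN, VPN_ADDR)):
        print(label, "mismatches:", policy_mismatches(conf, default, "192.168.1.0/24", INTENDED_VPN))
    # The situation from the first post: no ACLs at all and the VPN as default gateway.
    leaked = policy_mismatches("", VPN_ADDR, "192.168.1.0/24", INTENDED_VPN)
    print("no ACLs, VPN default: %d hosts exit via the VPN unintentionally" % len(leaked))
```

Both snippets produce an empty mismatch list for the /24, while the empty configuration with the VPN as default gateway reports every host outside .20-.25 exiting through the tunnel, which is the symptom loopy66 described. Re-running the check after editing the ACLs is a quick way to confirm the /30 and /31 masks still cover exactly the intended hosts.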

          Thank you kesawi, it was squid. I have disabled it for now and will have a look at implementing the ACLs later. Thanks again.

          • trumee

            @kesawi:

            ##Send specific source hosts via VPN
            acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
            tcp_outgoing_address XXX.XXX.XXX.XXX src_to_vpn

            Is this different from the following option in Squid > General?

            This above GUI option does not specify the gateway to be used, whereas the code you mentioned does. Any idea where to put your options in Squid 2.3 GUI?
