PIA VPN With IP Based Routing But HTTP and HTTPS is Routed Different

loopy66

Hi.  I have pfSense set up with a VPN to Private Internet Accesss (PIA) and I have it configured so that only certain IPs go over the PIA gateway whislt all others go over the normal WAN.

I have 5 IP addresses set in the Firewall Rules -> LAN area which are pushed out over the PIA gateway and if the source address is not one of those IPs then there is a any/any rule after these rules to send the traffic to the WAN.

This seems to work ok however I did notice loads of traffic going over the PIA when there were no devices on the network connected with the dedicated IPs.  Initially I thought it was keep alives out of control so sorted them out but it wasn't that, it turns out that regardless of IP address any HTTP traffic is pushed out of the PIA gateway.

For example, 192.168.1.20 to 192.168.1.25 are told to go over the PIA regardless and they do.  If I use my laptop on  192.168.1.14 then this should go out the normal WAN and it does for HTTPS traffic when I go to a standard HTTP page/site it goes out over the PIA.  I can't see why.

My set up is that I use the ISP provided router as a wireless access point and physical switch on address 192.168.0.1.  The DMZ is configured on it to the pfSense which has the WAN port 192.168.0.2 and the LAN on 192.168.1.1 covering the network 192.168.1.0/24.

Any ideas why HTTP traffic goes over the PIA regardless of what IP it comes from?

Also  just to add if I disable the VPN service then all traffic goes over the WAN (which is how I want it).

kesawi

If you are using a transparent proxy or have configured your clients to use a proxy on pfSense, then the traffic will appear to pfSense as originating from the firewall, rather than from the LAN or DMZ subnets and will therefore not be subject to the policy based routing firewall rules on these interfaces. If your default gateway is the VPN under System: Gateways then squid will send all traffic through the VPN.

You can configure squid to do policy based routing, however you need to have a static IP for the interface you wish to direct the traffic through.Typically the WAN interface IP is dynamic for most people, whereas a lot of VPN providers I've used issue a static ip for the VPN interface. Therefore unless you have a static WAN IP you should set the default gateway as your WAN. You will need to make sure you select Don't pull routes under the OpenVPN client configuration for your PIA connection, and adjust your firewall rules accordingly.

Assuming you've changed your default gateway to the WAN, you will need to add the following to the end of Custom ACLS (Before Auth) under the advanced features of the squid proxy configuration page to send squid HTTP request for clients 192.1.20 to 192.168.1.25 over the VPN (substitute XXX.XXX.XXX.XXX for the IP address of your PIA VPN interface):

##Send specific source hosts via VPN
acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
tcp_outgoing_address XXX.XXX.XXX.XXX src_to_vpn

If you have a static WAN IP address and want to keep the VPN as the default gateway then you will need to specify the following instead  (substitute XXX.XXX.XXX.XXX for the IP address of your WAN interface):

##Do not send these source hosts via VPN
acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
tcp_outgoing_address XXX.XXX.XXX.XXX !src_to_vpn

Alternately disable the Squid proxy.

loopy66

Thank you kesawi, it was squid.  I have disabled it for now and will have a look at implementing the ACLs later.  Thanks again.

trumee

@kesawi:

##Send specific source hosts via VPN
acl src_to_vpn src 192.168.1.20/30 192.168.1.24/31
tcp_outgoing_address XXX.XXX.XXX.XXX src_to_vpn

Is this different from the following option in Squid>General

This above GUI option does not specify the gateway to be used, whereas the code you mentioned does. Any idea where to put your options in Squid 2.3 GUI?