dougm
PFSense+OpenVPN: Problems Routing Specific VLAN traffic out VPN
I am running PFSense+ 23.01 (same basic setup as CE 2.6.0) in my home lab. My box is a 2x1gigE port Core-i7 NUC.
Problem is that users on Vlan 4 are not able to access the internet through an OpenVPN client tunnel (which connects to a VPN privacy company).
My objective is to properly route internet traffic from Vlan4 - 192.168.4.0/24 on my network (and only that vlan) out through my OpenVPN Provider Company. If OpenVPN tunnel goes down, there will be no internet access for Vlan4 users.
Users on Vlans 2 and 3 are successfully NATted out the WAN connection and the internet is working fine for them using the allow any to any rule.
Users on Vlan 4 can successfully communicate with 2&3 and perform DNS lookups properly by way of the server which lives on Vlan 2. But cannot access or ping any Internet hosts.
I've tinkered with various settings in various places with varying degrees of unsuccess - in some cases even breaking the Internet connection for the users on Vlans 2&3 so that all internet access in the house is broken.
Here is how I got to where I am...
First I installed the OpenVPN Client Import package from the PfSense+ repository. I then imported my VPN provider's .ovpn file they gave me. Status / OpenVPN shows the Client Instance is Connected (Success) and has a lovely green checkmark. This ovpn file was also tested working on an Android phone OpenVPN Connect on my standard wi-fi connection via Vlan 2.
Next I created an Interface called OPT4VPNProvider. I Assigned my OpenVPN client Interface to it.
System / Routing / Gateways - There is an Autocreated entry for OPT4VPNProvider_VPNV4 with the interface.
Firewall Rules - added a default All rule for the OpenVPN tab. I also did this in the OPT4VPNProvider interface, although I don't know if this is correct. I tried it with Default and with that Gateway set to the OPT4VPN interface. I would prefer if this doesn't mess up the ability to run an OpenVPN Server on the PFsense+ in the future, since according to the docs the generic OpenVPN tab also affects clients connecting to PFsense.
I have an outbound NAT rule for 192.168.4.0/24 on the OPT4VPNProvider interface. Under Advanced Settings I changed the Gateway to OPT4VPNProvider_VPNV4 - Interface OPT4VPNProvider_VPNV4. I don't even know if this is correct either.
I've tried messing with the OpenVPN Custom Configuration Options I quoted above at https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/configure-custom.html.
These options to Don't Pull Routes/ Don't Add/Remove Routes - don't seem to make a difference. I want to use On-Prem DNS so I left that box unchecked.
I'm kind of at a loss here. Any suggestions or help would be awesome.
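As an added illustration (not from the post, and not pfSense's generated ruleset), here is a hand-written pf.conf sketch of the rule structure the stated objective needs: policy-route VLAN4 Internet traffic into the tunnel, keep local traffic and DNS on the normal routing table, NAT on the tunnel interface, and block anything that would otherwise fall through to WAN. Interface names, the VLAN2 DNS server address and the provider-side tunnel gateway address are assumptions.

```pf
# Hand-written pf.conf sketch (illustration, not pfSense output).
# Assumed names: igb0 = WAN, igb1.4 = VLAN4 interface (192.168.4.1/24),
# ovpnc1 = the assigned OpenVPN client interface (OPT4VPNProvider),
# 10.8.0.1 = provider-side tunnel gateway (placeholder),
# 192.168.2.10 = the DNS server living on VLAN2 (assumed address).
wan_if    = "igb0"
vlan4_if  = "igb1.4"
vpn_if    = "ovpnc1"
vpn_gw    = "10.8.0.1"
vlan4_net = "192.168.4.0/24"
lan_nets  = "{ 192.168.2.0/24, 192.168.3.0/24 }"   # VLANs 2 and 3
dns_srv   = "192.168.2.10"

# Outbound NAT on the tunnel interface, translating VLAN4 sources to the
# tunnel address (pfSense: Firewall > NAT > Outbound on OPT4VPNProvider).
nat on $vpn_if inet from $vlan4_net to any -> ($vpn_if)

# pf evaluates rules on the interface where traffic ENTERS, so the policy
# routing rules live on the VLAN4 interface, not on the OpenVPN interface.

# 1. Local traffic (DNS on VLAN2, the other VLANs) has no route-to and so
#    follows the normal routing table instead of being pushed into the tunnel.
pass in quick on $vlan4_if inet proto { tcp udp } \
    from $vlan4_net to $dns_srv port 53 keep state
pass in quick on $vlan4_if inet from $vlan4_net to $lan_nets keep state

# 2. Everything else from VLAN4 is policy-routed into the tunnel
#    (pfSense: rule on the VLAN4 tab with Advanced > Gateway set to the
#    OPT4VPNProvider_VPNV4 gateway).
pass in quick on $vlan4_if route-to ($vpn_if $vpn_gw) inet \
    from $vlan4_net to any keep state

# 3. Kill switch: if the rule above does not apply, VLAN4 gets no Internet
#    rather than falling through to a rule that would send it out WAN.
block return in quick on $vlan4_if inet from $vlan4_net to any

# Let the policy-routed traffic leave on the tunnel interface.
pass out quick on $vpn_if inet keep state
```

In pfSense the kill switch only behaves this way if System > Advanced > Miscellaneous > "Skip rules when gateway is down" is enabled; with the default setting a rule whose gateway is down is loaded without the gateway, and the traffic then takes the default route out WAN.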