19.7 Legacy Series / VPN without pull routes enabled
« on: January 08, 2020, 12:07:13 am »
I am trying to use PIA VPN service with "Don't pull routes" checked. With that unchecked it works as expected. My goal is to be able to use firewall aliases/rules to direct what traffic uses the VPN and what doesn't, rather than having all traffic sucked into the VPN. I'm using 19.7.8. I didn't find my answer from reading the many threads on here and PF. I've read the HOW TO thread 4979 at least 4 times.
I created a new VPN client and it connects fine. I then set up an interface for it to name it and left the interface enabled. No other interface settings touched. I also created an alias for PCs to use the VPN and verified the alias in pfTables. I haven't touched the DNS settings, which are pointed to PIA's servers already.
NAT - I have 4 new rules with the new interface. 2 have Source = 127.0.0.0/8 and one of those has destination port = 500 with static port checked. The other 2 new NAT rules have Source = VPN alias list and one is port = 500/static. All 4 are at the top of the list.
On the 2nd two rules, I have experimented with changing the source to LAN net and my LAN interface group. I did that b/c the working VPN's NAT source = (LAN interface group name) net. Neither has worked.
System>Gateways>Single shows the interface as online. I have no Gateway groups yet, though if I can get this working I plan to with multiple VPN client gateways for load balancing & failover.
Firewall>Rules>LAN - At the top of the list I put a pass/in/IPv4 rule with the new VPN client gateway set. I've tried setting source as the VPN alias list, LAN net, Group-name net. I have tried this rule with source variations on the interface group rules too, where I would prefer it be.
I have 3 Floating rules. The top one is pass any direction, IPv4* to destination LAN-group net, with "*" for the source, ports, and gateway. The 2nd is pass any direction IPv4 TCP/UDP to all "*". The 3rd is the same as the 2nd, except ICMP instead of TCP/UDP. I don't recall if or why I set these rules, probably a few years ago. I disabled the top rule with no noticeable impact. If I disable the bottom, ICMP rule, my connection cuts in and out every other second. If I disable the middle, TCP/UDP rule, I lose my connection and the OPNsense GUI. I have to SSH in and reload all services to get the GUI back. Sometimes I briefly get the VPN connection after reload, but not consistently. I lose the GUI again within a minute or two.
I tried adding a floating rule for the VPN on top of the TCP/UDP rule and got almost the same as disabling the TCP/UDP rule. The difference was that I couldn't get the GUI back by reloading services. I SSHed in and restored a config from 20 minutes prior. That's when I came to ask for help.
Is there a better way to achieve my goal of controlling VPN traffic and disabling pull routes? I don't care if I can't make it work the way I've been trying so long as I can get it to work. Or can someone please identify where I went wrong and teach me how to fix it?
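As an added illustration (not from the post above or from OPNsense itself), this is roughly the pf ruleset the intended GUI setup boils down to once the client runs with "Don't pull routes" (OpenVPN's `route-nopull`): outbound NAT on the tunnel interface for the alias members only, a LAN rule that policy-routes those members into the tunnel, and a block rule behind it so that alias traffic cannot fall through to the default WAN route when the tunnel gateway is down. Interface names, the tunnel gateway address, the LAN subnet and the two alias hosts are placeholders.

```pf
# Placeholder names/addresses (assumptions, not from the post):
#   ovpnc1         = the OpenVPN client interface OPNsense assigned
#   10.8.0.1       = the tunnel's remote gateway address
#   em1            = the LAN interface
#   192.168.1.0/24 = LAN subnet; the two hosts below are the "VPN alias"
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
table <vpn_clients> { 192.168.1.10 192.168.1.11 }

# Outbound NAT on the tunnel interface, only for alias members, so they
# leave with the tunnel address (the GUI's "NAT source = alias" rule).
nat on $vpn_if from <vpn_clients> to any -> ($vpn_if)

# Keep traffic to the LAN (and to the firewall's LAN address) local;
# this must sit above the policy-routing rule or it would be tunnelled.
pass in quick on $lan_if from <vpn_clients> to $lan_net keep state

# Policy route: everything else from alias members goes via the tunnel.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet \
    from <vpn_clients> to any keep state

# Kill switch: if the rule above is absent (tunnel down, gateway marked
# offline, rule disabled), block instead of falling through to the WAN.
block in quick on $lan_if inet from <vpn_clients> to any

# Non-alias LAN hosts keep using the default route as before.
pass in quick on $lan_if from $lan_net to any keep state
```

To check the loaded state on the firewall, `pfctl -t vpn_clients -T show` lists the alias members and `pfctl -sr | grep route-to` shows whether the policy-routing rule is actually present.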