Hi all,
Environment
• OPNSense 20.7.8_4
• FreeBSD 12.1-RELEASE-p12-HBSD
• Few computers
• OpenVPN client to my VPN provider
• Edit: all traffic from LAN to Internet goes via OpenVPN client.
Everything works perfect.
Change
Suddenly I want to bypass the VPN for traffic from a single LAN computer to a single IP address on the internet (for this example it is 104.16.154.36 - whatismyipaddress.com).
Port: any.
Protocol: any.
I added a LAN rule (Edit: Firewall rule, Inbound)
My rule is called "DescZa" and (theoretically) should redirect desired traffic to my gateway IP GW_WAN.
I put the rule on top of other LAN rules.
Rule is active.
Rule's logging is set to "On".
See: https://imgur.com/a/snoU0rQ - image 1 - Rules
Problem
My rule is "ignored".
Instead, "Default allow LAN to any rule" is triggered, as it is always.
This rule is lower in the hierarchy of rules.
See: https://i.imgur.com/iponW5T.png - image 2 - Firewall logs
Question
What am I doing wrong?
Edit: I later tried adding "WAN" and "OpenVPN" interface rules by the same principle; it's always the same result - my rule is "ignored".
Thanks in advance
BR
Emi
Apply the rule IN rather than OUT
This is "IN" rule.
Edit: I just tried "OUT" instead of "IN" - this error appeared when saving the rule:
The following input errors were detected:
Policy based routing (gateway setting) is only supported on inbound rules.
Ah, so it is; it was hard to see in the image on mobile.
Thanks for comment - I edited original post and added "Inbound".
Does the source IP address / subnet in the rule match the source IP address in the log? Can't tell from the screenshots. Everything else looks okay.
Cheers
Maurice
Thanks,
yes, both source and destination IP addresses in logs are correct.
OK, so OPNsense is unable to create a bypass connection from one computer on LAN to one IP address on internet.
Is there any other option I can use, or is OPNsense not able to bypass the VPN client connection at all?
I don't know if this information helps you, but I can tell you that it is possible to bypass the VPN client for a specific destination IP address (like 104.16.154.36 in your example).
My configuration contains such exceptions and this works. Most of my firewall rules are explicitly using the VPN gateway. My exception rules' gateway is set to "default", which leads to the WAN gateway.
Edit, copy/paste from another thread (https://forum.opnsense.org/index.php?topic=22466):
Quote
In my OpenVPN configuration I have "Don't pull routes" disabled and "Don't add/remove routes" enabled. I don't know if that makes sense, but I'm glad it works and I don't want to touch it ;-)
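Following up on Maurice's source-address question and the exception-rule setup described above, here is an added example (not code from this thread or from OPNsense) that models first-match rule evaluation: OPNsense firewall rules are "quick" by default, so the first rule whose source, destination and protocol all match decides which gateway the traffic takes, and a rule placed on top that does not fully match is simply skipped. The LAN subnet, host addresses and rule objects are constructed for illustration; GW_WAN and the two rule names are taken from the thread.

```python
# Added example: models OPNsense's first-match ("quick") rule evaluation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    src: str       # source CIDR, or "any"
    dst: str       # destination CIDR, or "any"
    proto: str     # "any", "tcp" or "udp"
    gateway: str   # gateway applied on match; "default" = system routing table

def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def mismatches(rule: Rule, src: str, dst: str, proto: str) -> list[str]:
    """Return the rule fields that do NOT match the packet (empty = match)."""
    bad = []
    if not _in_net(src, rule.src):
        bad.append("src")
    if not _in_net(dst, rule.dst):
        bad.append("dst")
    if rule.proto not in ("any", proto):
        bad.append("proto")
    return bad

def first_match(rules: list[Rule], src: str, dst: str, proto: str) -> tuple[str, str]:
    """First matching rule wins; returns (rule name, gateway it applies)."""
    for r in rules:
        if not mismatches(r, src, dst, proto):
            return r.name, r.gateway
    return "<no match>", "none"

def why_skipped(rules, src, dst, proto, observed: str) -> dict[str, list[str]]:
    """For each rule above the one the firewall log reported, list the
    fields that stopped it from matching (the check Maurice asked about)."""
    out = {}
    for r in rules:
        if r.name == observed:
            break
        out[r.name] = mismatches(r, src, dst, proto)
    return out

# Constructed sample ruleset: the bypass rule on top, stock default rule below.
# 192.168.1.0/24 is an assumed LAN; GW_WAN is the thread's WAN gateway name.
RULES = [
    Rule("DescZa", "192.168.1.50/32", "104.16.154.36/32", "any", "GW_WAN"),
    Rule("Default allow LAN to any rule", "192.168.1.0/24", "any", "any", "default"),
]
```

Feeding the source and destination from a log entry into `why_skipped` with the rule name the log reported shows which field of the higher rule failed to match, which is the quickest way to tell a source/destination mismatch from a rule that is genuinely not being applied.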