What I'm trying to do:
Have a single VLAN on my network who's traffic goes though public VPN provider?
Issue I'm running into:
When the VPN is connected the traffic from the VPN VLAN can reach the internet over the VPN (IP resolves to the VPN provider) all other traffic from other VLANs can not reach the internet. Intranet is unaffected.
What I'v done:
I've setup an OpenVPN client VPN -> OpenVPN -> Instances, all settings match ovpn file provided by VPN service. Additional there are no routes configured for local or remote. I've verified the connection success via logs. It successfully creates 2 gateways (System->Gateways->Configuration) one for IPv4 and 6. I "disconnected" both of those gateways so they are not added to the default gateway pool, additionally neither are marked as upstream.
I created 2 new interfaces, VPN_GW and VPN. VPN_GW is assigned to the ovpnc1 created by the OpenVPN client. VPN is a VLAN, it additionally has DHCP enabled via Unbound. 2 firewall rules one to allow intranet traffic to my intranet CIDR. 2nd to allow all IPv4 (TCP/UDP) with gateway set to the to the IPv4 OpenVPN gateway.
Set NAT to hybrid (Firewall->NAT->Outbound) and added 2 NAT rules for outbound VPN traffic. One is for static destination port 500 the second for all. Interface: VPN_GW Source: VPN, net, NAT Address VPN_GW Address.
With all this configured and the VPN connection disconnected traffic on all my VLANs aside from VLAN can reach the intra and internet fine and show as using my ISP IP. When I enable the VPN connection all traffic on those VLANs can no longer reach the intranet (although I can ping my ISP GW IP) intranet is fine. The behavior for the VPN VLAN is as expected with the VPN disconnected intranet traffic fails, with it on it succeeds and shows the VPN IP as the source.
I'm kinda at a loss as to why this is occurring and have tried several things to fix the issue. One thing that has worked is on one VLAN I changed the last pass everything rule to not use the Gateway: default but instead use WAN_GW (the ISP gateway). This worked although I don't understand why as default should be that gateway anyway I'm also hesitant to change several dozen firewall rules to use a specific gateway when everything I've read said default should work.
Additionally I'm confused as to why I can still reach my ISP GW but not anything beyond it. I suspect but can't prove that the traffic may be making it out of my network but can't be routed back to the source for whatever reason. I could set up an external server to see if it is able to receive the inbound connections but have not had a chance to do so.
Any help would be appreciated, I wouldn't be surprised to see it being one small thing I've missed, as is tradition.
			
			
			
				Go to the OpenVPN client settings and select the option "route-nopull".
Then policy-route upstream traffic from your VLAN to the VPN server.
			
			
			
				Thanks viragomann that was exactly the issue. Added route-nopull and everything started working as expected.