OPNsense Forum

English Forums => General Discussion => Topic started by: intrepid2007 on December 25, 2016, 01:55:28 am

Title: route LAN traffic to VPN connection _or_ WAN (direct to internet connection)
Post by: intrepid2007 on December 25, 2016, 01:55:28 am
Hello,

I am new to OPNsense and I recently started playing with it to see what its possibilities are...
The software runs on a mini-pc with 2 NICs (a LAN port and a WAN port).

My goal is to configure the router in such a way that it routes LAN traffic to:

1. a VPN connection

_or_

2. the WAN (direct)

depending on the IP address of the device in the LAN.

First of all I'd like to know if that's possible, because so far I can't get it to work like that....
The documentation of OPNsense is rather rudimentary for beginners like me, so I am kind of stuck here....

My setup:

LAN IP of the mini-pc: static (10.0.0.1/8), DHCP server is enabled
WAN IP of the mini-pc: DHCP (192.168.1.13)

Also configured is an OPT1 interface (VPN client connection)

The WAN port is connected to the DSL modem (IP=192.168.1.254)
The LAN port is connected to my laptop (IP=10.0.0.100)

I have been playing with these settings:

In [Firewall -> Rules] I have defined two rules in LAN:
IPv4 TCP/UDP    *    *    *    53 (DNS)    *       'DNS'
IPv4 *    *    *    10.0.0.100/8    *    WAN_DHCP  'LAN to WAN'
IPv4 *    *    *    10.0.0.101/8    *    OPT1_VPNV4  'LAN to VPN'

In [Firewall -> NAT -> Outbound] I have defined two entries:
OPT1    any     *    *    *    OPT1 address    *    NO
WAN    any     *    *    *    WAN address    *    NO

I am not sure if I am heading in the right direction....
Any ideas on how I could get this to work?


Thanks!
Title: Re: route LAN traffic to VPN connection _or_ WAN (direct to internet connection)
Post by: intrepid2007 on December 26, 2016, 10:58:42 pm
After several days of experimenting, I think I finally got it figured out (it appears to be working now  :) )....

For those who are interested, I will explain what I have changed....

It appears that if you want to specify a specific IP address for routing, you need to use a mask of <255.255.255.255> (/32).

In Firewall --> Rules:
IPv4 *    10.0.0.100    *    *    *    OPT1_VPNV4       Allow LAN to VPN
IPv4 *    10.0.0.99     *    *    *    WAN_DHCP         Allow LAN to WAN


These 2 rules do the 'magic' here:
- Traffic from LAN device with IP=10.0.0.99 is routed to VPN,
- Traffic from LAN device with IP=10.0.0.100 is routed to WAN (direct)

One thing I noticed is that the 2 IP addresses are shown without the '/xx' (this is due to the /32 setting, I guess)


Grtz
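Added example (not code from either post): a small model of OPNsense's first-match rule evaluation that shows why the first post's rules, which pair a host address with the LAN's /8 mask, cannot select one host, while the second post's bare addresses (implicit /32) can. The rules below are reconstructed from the two rule tables in the thread; the match column is modelled as a single "address" field, and the assumption that host bits outside the mask are ignored (so 10.0.0.100/8 matches all of 10.0.0.0/8) and that the first matching rule wins are labelled in the comments. Test hosts such as 10.0.0.50 are constructed for the example.

```python
"""Model of per-host policy routing rules on OPNsense.

Added example, not from the forum thread.  It reconstructs the two rule
tables posted and checks which gateway a given LAN host would get under
first-match evaluation.  Assumptions (not stated on the page):
  * the firewall ignores host bits outside the mask, so an address/mask
    pair such as 10.0.0.100/8 really matches the network 10.0.0.0/8;
  * rules are evaluated top to bottom and the first match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    address: str            # address/mask exactly as typed in the GUI
    gateway: Optional[str]  # gateway chosen on the rule, None = default route
    description: str


def matched_network(rule: Rule) -> ipaddress.IPv4Network:
    """The network the rule really matches on: host bits are dropped
    (assumed firewall behaviour), so "10.0.0.100/8" -> 10.0.0.0/8 and a
    bare "10.0.0.100" -> 10.0.0.100/32."""
    return ipaddress.ip_network(rule.address, strict=False)


def host_bits_set(rule: Rule) -> bool:
    """True when the typed address is not the network address of its own
    mask, i.e. the rule was meant for one host but the mask says network."""
    try:
        ipaddress.ip_network(rule.address, strict=True)
        return False
    except ValueError:
        return True


def select_gateway(rules: List[Rule], src_ip: str) -> Optional[str]:
    """Gateway chosen for traffic from src_ip under first-match evaluation
    (assumed), or None when no rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in matched_network(rule):
            return rule.gateway
    return None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Descriptions of rules that can never match because an earlier rule
    already covers their whole range."""
    dead = []
    for i, later in enumerate(rules):
        net = matched_network(later)
        if any(net.subnet_of(matched_network(earlier)) for earlier in rules[:i]):
            dead.append(later.description)
    return dead


# Rule table from the first post (host address with the LAN's /8 mask).
# The port-53 DNS rule has no gateway and is not address-based, so it is
# left out of this model.
RULES_FIRST_POST = [
    Rule("10.0.0.100/8", "WAN_DHCP", "LAN to WAN"),
    Rule("10.0.0.101/8", "OPT1_VPNV4", "LAN to VPN"),
]

# Rule table from the second post (bare address, implicit /32), with the
# gateways as they appear in that table.
RULES_SECOND_POST = [
    Rule("10.0.0.100", "OPT1_VPNV4", "Allow LAN to VPN"),
    Rule("10.0.0.99", "WAN_DHCP", "Allow LAN to WAN"),
]


if __name__ == "__main__":
    for name, rules in (("first post", RULES_FIRST_POST),
                        ("second post", RULES_SECOND_POST)):
        print(f"== {name} ==")
        for r in rules:
            flag = " (host bits set!)" if host_bits_set(r) else ""
            print(f"  {r.address:>14} -> {matched_network(r)}{flag}")
        for host in ("10.0.0.99", "10.0.0.100", "10.0.0.101", "10.0.0.50"):
            print(f"  {host:>10} uses gateway {select_gateway(rules, host)}")
        print(f"  shadowed rules: {shadowed_rules(rules)}")
```

With the /8 rules both entries collapse to 10.0.0.0/8, so every LAN host hits the first rule and goes out via WAN_DHCP; the VPN rule is reported as shadowed. With /32 each host gets its own gateway and a host with no rule (10.0.0.50 here) falls through to the default route, which is the behaviour the second post describes.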