OpenVPN Client PBR

[rfeng33]

I'm trying to setup my OPNSense box as a VPN client to a commercial VPN provider.  I have installed the config file from the provider and have the VPN connection up.  I have added manual outbound NAT rules specifying the specific ports I want to go through the VPN tunnel.  When I initiate a connection utilizing those destination port I've specified to go through the tunnel (using an alias) the connection works but it doesn't go through the VPN tunnel.

Any suggestions I'm sure it's something silly I'm missing. 

[marcquark]

besides the outbound NAT rules, have you put firewall rules in place that match that specific traffic and use the VPN as gateway rather than the default gateway? it's under advanced options in the firewall rule.

[rfeng33]

Yes I did.

Here are my firewall rules: 
https://imgur.com/a/f6FMl7g.   I want to have my IOT VLAN the only one using it for devices off that LAN VLAN on those ports. 

Here are my NAT rules:
https://imgur.com/a/HVKfsQs

[rfeng33]

I played around with this a bit this morning.  I had the VPN client set not to pull routes.  Once I do that, I can get traffic through the VPN tunnel but it appears that it sends ALL traffic through, even though I have just the outbound nat set the way I explained and I only have my IOT VLAN set out send traffic out the gateway. 

[marcquark]

hmm that looks alright.
just for clarity, do you have an assigned interface for your openvpn client or is your NAT rule scoped to the OpenVPN group? i actually don't know whether NAT rules work for interface groups. so you might want to try assigning the interface and adjust your NAT rule then try again.

can you add logging to the firewall and NAT rules to see whether they match?

[rfeng33]

I do have the OpenVPN instance assigned to an interface.  I’m not sure what you are saying about the NAT and interface groups?

[rfeng33]

I did a search and filtered on the destination ports I'm trying to move through the VPN.  I get connectivity but I never see the rules show up in the firewall log when I filter based on them.  I've confirmed the port is correct from my server and a connection is established (this if from a netstat on the server):

tcp        0      0 192.168.32.2:59276      x.x.x.x:25461    ESTABLISHED.

The application works but I never see the traffic flow through the VPN tunnel.  Here are my rules currently in pfTop that relate to this, I don't know if that helps:

pfTop: Up Rule 1-122/122, View: rules
RULE  ACTION   DIR LOG Q IF     PR        K     PKTS    BYTES   STATES   MAX INFO                                                                                                                                                                             
 109  Pass     In  Log Q ix1_vl tcp       K        0        0        *       route-to ... inet from (ix1_vlan32) to any port = 826  flags S/SA                                                         
 110  Pass     In  Log Q ix1_vl udp       K        0        0        *       route-to ... inet from (ix1_vlan32) to any port = 826                                                                     
 111  Pass     In  Log Q ix1_vl tcp       K        0        0        *       route-to ... inet from (ix1_vlan32) to any port = 25461  flags S/SA                                                       
 112  Pass     In  Log Q ix1_vl udp       K        0        0        *       route-to ... inet from (ix1_vlan32) to any port = 25461   

[rfeng33]

I also tried applying a mark to the traffic and that didn’t do anything either.