OpenVPN + Policy Based Routing + Firewall Rules Question

[crissi]

Hello,
I have a understanding question regarding firewall rules and policy based routing over OpenVPN connection https://docs.opnsense.org/manual/firewall.html to the following Note:

Note
When using policy based routing, don’t forget to exclude local traffic which shouldn’t be forwarded. You can do so by creating a rule with a higher priority, using a default gateway.

Please see attached screenshots of my Firewall Rules.

How exactly can I exclude the local traffic which shouldn’t be forwarded to the OpenVPN connection in my case, as I actually just want to allow http / https traffic to internet for the VLAN10 over the specific OpenVPN single gateway?

Reading the Note over and over again just confuse me more…

Thx!

[franco]

Hi crissi,

Since you have "block access to OPNsense from VLANs" rule that would be the one that needs a "pass" if you wanted to access OPNsense from the VLAN, because otherwise it would route these requests over to the VPN where they can't be answered. The DNS rule is also in place so it looks like you are good.


Cheers,
Franco

[crissi]

Hi Franco,

thanks for the update. For me is the part of the Note regarding "using a default gateway" with higher priority not complete clear.

For Example to understand, if i would like to Route a specific Client Pc not over the VPN Gateway and instead over the normal WAN Gateway, i have to add the Rule with the higher priority over the VPN Gateway "using a default gateway"?

Thx!

[franco]

Higher priority here means ordered before your other rule so it can "pass" first. In that case you don't select a gateway to keep the default routing behaviour.


Cheers,
Franco

[crissi]

Perfect, thanks Franco for your Help!

[franco]

No problem