A bit more advanced VPN routing, NATing question.

Started by tomk_1313, December 14, 2024, 05:04:14 AM

Hi,
So I've got a setup where there is a router with WAN being served by PPPoE. This router has several interfaces for the local net. I need one of those interfaces to be serving traffic that goes over the VPN, and nothing more.

local_pc -> switch -> port on the router "vpn_lan" -> magic + NAT -> stuff goes out through the VPN tunnel to the internet.

However, I don't want any other traffic to go through this VPN interface (hence later deleting routes for it).

So, I've setup:
- LAN-facing interface "vpn_lan" with its own IP range, DHCP etc.
- VPN (OpenVPN entities -> client) and set "route-noexec" in miscellaneous to make sure that router traffic or any other traffic won't get pumped through the VPN link. The client shows as stably connected, and has its own IP from the VPN tunnel.
- firewall: allows everything on vpn_lan to any (same as a typical LAN interface).
- new interface "vpn_wan" through interface assignment, and enabled it. I've left the IP part blank to let it be controlled by the VPN tunnel client.
- the NAT, to behave the same way as LAN, just with the relevant interfaces and addresses changed to serve this contraption.
- DHCP (but that's outside of this exercise).

Clients on the switch plugged into this port obtain an IP without a problem. I can ping the router address without a problem; however, pinging anything on the internet gives "no cigar".

Any ideas?

I would suggest reviewing the NAT configuration.

What does tracert www.opnsense.com show on the local_PC?

Rgds 

December 14, 2024, 04:31:29 PM #2 Last Edit: December 14, 2024, 04:42:41 PM by besalope
Not the exact same config, but when I was setting up WireGuard there was a setup step to add a firewall rule for that new virtual interface to allow traffic out of the tunnel.

    Go to Firewall > Rules > vpn_wan
    Click +Add
  • Action: Pass
  • Interface: vpn_wan
  • Direction: In
  • Protocol: Any
  • Source Address: vpn_wan net
  • Destination address: any
  • Destination port: any

Check if that works, then run a tracert to confirm that the device's path is flowing through the tunnel as expected.

Edit: My setup was for a phone/tablet to connect back to OPNsense so that the connection kept traffic "internal." If this is more of a VPN service connection, it would be good practice to confirm traffic from the other side of the tunnel would be blocked for your other LAN interfaces. That may require adjusting the above policy or secondary Deny rules that take effect first.

Deleting routes or tinkering with any other defaults is misguided.

All you need is a Reject floating rule: source any other (V)LAN except for the one in scope, destination any, VPN gateway.

To lock things down, make sure the rules on the desired interface all use the VPN GW, with an explicit deny of all traffic at the end going out the WAN GW.
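One way to verify that the generated rule set really ends up like this (every pass rule on the vpn_lan interface policy-routed into the tunnel, and a block rule last so nothing falls through to the WAN default route). This is an added example, not code from any poster or from OPNsense; the kernel interface names, the route-to wording and the sample dumps are all assumptions, and on a real box you would feed it the output of pfctl -sr.

```shell
#!/bin/sh
# Added example (not from any poster): audit a "pfctl -sr" dump for the policy
# described above. All interface names are assumptions for the sample.
VPN_LAN="igb2"    # assumed kernel name of the "vpn_lan" interface
VPN_IF="ovpnc1"   # assumed OpenVPN client interface behind "vpn_wan"

# audit_vpn_lan_rules RULES_TEXT
# Succeeds when every "pass in" rule on $VPN_LAN is policy-routed into the
# tunnel (route-to $VPN_IF) and the last rule on $VPN_LAN is a block, so no
# packet can fall through to the WAN default route. Prints what is wrong.
audit_vpn_lan_rules() {
    rules="$1"
    rc=0
    # a pass rule without route-to into the tunnel is a leak path via the WAN
    leaks=$(printf '%s\n' "$rules" | grep "^pass in .* on $VPN_LAN " \
            | grep -v "route-to ($VPN_IF " || true)
    if [ -n "$leaks" ]; then
        printf 'LEAK: pass rule on %s without route-to %s:\n%s\n' \
            "$VPN_LAN" "$VPN_IF" "$leaks"
        rc=1
    fi
    # the final rule on vpn_lan must be a block (the explicit deny at the end)
    last=$(printf '%s\n' "$rules" | grep " on $VPN_LAN " | tail -n 1 || true)
    case "$last" in
        block*) ;;
        *) printf 'MISSING: last rule on %s is not a block: %s\n' "$VPN_LAN" "$last"
           rc=1 ;;
    esac
    return $rc
}

# Constructed sample dumps in pfctl -sr wording (not captured from a real box).
GOOD_RULES='pass in quick on igb2 route-to (ovpnc1 10.8.0.1) inet from 192.168.50.0/24 to any flags S/SA keep state label "vpn_lan via VPN GW"
block drop in quick on igb2 inet all label "vpn_lan explicit deny"'
LEAKY_RULES='pass in quick on igb2 inet from 192.168.50.0/24 to any flags S/SA keep state label "vpn_lan allow all"'

audit_vpn_lan_rules "$GOOD_RULES" && echo "sample 1: vpn_lan policy OK"
audit_vpn_lan_rules "$LEAKY_RULES" || echo "sample 2: vpn_lan policy leaks (expected)"
# On the firewall itself:  audit_vpn_lan_rules "$(pfctl -sr)"
```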