I’ve been looking everywhere for the answer and apologize in advance if I missed the answer to this.

I set up an OpenVPN server under Gateway is enabled and everything seems to be working. I have ALL client traffic going through the VPN under AES 256 as I need the client to be fully encapsulated at all times under a kill switch.

What I am trying to do is route that traffic to a VLAN so the client can access the Internet and only the devices under the specific VLAN. I tried doing it under rules for the OpenVPN tab but that didn’t seem to work or I just did it wrong.

Thank you for the help.

Likely a problem with your rules, please provide a screenshot. The OpenVPN tab is the right place to put your rules if you didn’t explicitly create an interface for the tunnel. I would advise you to do that for any tunnels that you have because it lets you separate the rules for different tunnels.

Before you post a bunch of screenshots, do you have the outbound NAT rules set up properly, and do you have the alias set up or a rule that forces the traffic out that gateway?

I have that process documented here:


I don’t think I explained what I am trying to do well:

cell phone/computer (remote user) > VPN to work network (all traffic selected) > VLAN > Internet. When you select all traffic in the OpenVPN wizard it takes away the box to specify which network it would have access to, like you show in your 2020 video on how to create an OpenVPN server for remote users. But I’m not worried about bandwidth for all traffic because my user count isn’t high and I want all traffic to route at all times.

Right now everything works fine as cell phone/computer (remote user) > VPN to work network > Internet and LAN. This was confirmed working because I pulled the IP/DNS being used on the gateway at the work network. I have a gateway set up for the OpenVPN IP address and I have a rule under the OpenVPN tab that is just “allow all traffic” (not the tab that is created when you add the interface).

I am trying to route incoming traffic of phones and laptops to VLANs because some folks don’t need to access other parts of the network.

My first idea was to create aliases of the VLAN network, and then I went to the OpenVPN tab, not the one created when I added the interface, and tried a rule with the OpenVPN server’s network as the source and the alias of the VLAN as the destination. But that did not seem to work, because I used a rule on the VLAN to not be able to access the firewall and it still allowed me. I am guessing I did the rule wrong?

I am assuming I am going to have to create a separate OpenVPN server for each VLAN in order to capture the inbound traffic and send it to the proper VLAN?

Hopefully that makes sense.

Your explanation isn’t super clear, but I think I know what you are trying to do.

The way I’ve set up my home VPNs is to just think of them as another network, no different to, say, a VLAN. In that case, in the rules for the VPN I have a rule that allows access to other VLANs and a second rule that allows traffic to exit the WAN. If you set it up likewise I don’t see why it won’t work.

However, I don’t use the default OpenVPN rules tab; I’ve set up new interfaces for each of my VPN servers.

You can use FreeRADIUS to authenticate users; within the package you can define VLAN access for users. I suppose that will work for you if your rules are correct. I only use FreeRADIUS for wifi myself so can’t confirm.

My understanding is the interface tab for the VPN is not the tab to set up rules under but the one created by OpenVPN.

One idea was to create two servers, because they each require a different port, and try to tag the port number to the VLAN?

If I do it with FreeRADIUS, will it slow down the traffic? It’s already slow with 256 on.

No idea how that can be done, but if you know then give it a go.

I think I originally didn’t use the OpenVPN rules tab because I wanted to name it the same as the OpenVPN server name I used. No idea if that tab behaves differently or not, either way I don’t use it.

I don’t think FreeRADIUS will slow it down, as it’s only used for authentication. Logically I suppose you can route the traffic of users or networks. FreeRADIUS will allow that for users; a second VPN will allow that on networks (perhaps you can add user groups into a rule; if so then that might work for a single VPN). I suppose you have to manage it; I can see that one setup might require less effort than the other. However, at least in the past (unless it has since changed), OpenVPN was only able to use one processor. pfSense might spread the load of multiple VPN servers over multiple processors; you’d have to look into this, but if correct that might bring some performance improvement.

Yes, FreeRADIUS and assigning each user their own IP and then using IP-based rules to route them. I have a video on how to do that here:

Thank you both for the suggestion. This is way easier to manage users.

I have tried doing rules to route the traffic and I seem to have hit a roadblock.

I am trying to route the user to the 100 VLAN tag in the interface.

I assigned the user an IP address and then within the rules put the IP address as the source and tried the destination of the 100 VLAN subnet, then I tried, then I tried doing it as an alias. It does not seem to work when the user VPNs in, because I am unable to get out to the internet. I know the rules within the VLAN are correct, but I am also assigned an IP via DHCP. Is this a limitation of using RADIUS? Or am I just not setting up rules correctly?

I also tried just tagging the user with a VLAN tag. My assumption is that this does not work because the OpenVPN address is and it is tagging it under that network.

Thank you for the help and feedback.

As I covered in that video, you assign each user a static IP in FreeRADIUS that is within the range of the OpenVPN network and then create rules per that user’s IP.

So everything seems to be working except that when I tell the rule to go to a subnet I cannot get out to the internet. I can ping only things on the subnet (Garbage subnet) and nothing else, so I know the rule is working to get it there. If I change the rule to allow everything like in the video, all is well and I get out to the internet (and everything on the network), so I know it can work in that sense. If I am pointing the IP ( at a subnet (Garbage subnet), wouldn’t the subnet rules take over, thus allowing me out to the internet and only devices listed in the subnet (Garbage subnet)? The subnet (Garbage subnet) can access the internet and has been confirmed to work when directly connected to. Also I noticed it doesn’t matter if I use the interface created when added or “openVPN” for rules; it all seems to be the same.

Pretty sure tunnel addresses should not be used elsewhere. Though I can’t really follow your rules.
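The roadblock described two posts up (a per-user rule whose destination is the VLAN subnet lets the user reach the VLAN but not the Internet) comes from where pfSense evaluates rules: on the interface the traffic enters (the OpenVPN or assigned tunnel interface), first match wins, and anything no rule matches hits the implicit default deny, so the VLAN's own rules never see the tunnel traffic. The simulation below is an added example, not code from the thread or from pfSense; every address and subnet in it is a constructed placeholder, and it contrasts the VLAN-only rule with a ruleset that also passes Internet-bound traffic while still blocking the other private networks.

```python
"""First-match simulation of pfSense-style rules on the OpenVPN interface.

Constructed example: addresses and subnets are placeholders, not from the thread.
Assumptions: rules are evaluated on the interface the traffic enters (the
OpenVPN / assigned tunnel interface), the first matching rule wins, and any
packet no rule matches is dropped by the implicit default deny.
"""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str, str]  # (action, source CIDR, destination CIDR or "any")


def _matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """True when addr falls inside spec ("any" matches everything)."""
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first rule matching src -> dst, else 'block'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "block"  # implicit default deny on every pfSense interface


USER = "10.8.0.10/32"          # static tunnel IP handed out by FreeRADIUS (constructed)
VLAN100 = "192.168.100.0/24"   # the one VLAN this user may reach (constructed)

# What the thread describes: a single pass rule whose destination is the VLAN.
# Internet-bound packets match nothing and fall through to the default deny.
VLAN_ONLY: List[Rule] = [("pass", USER, VLAN100)]

# Corrected ordering: pass the VLAN, block every other RFC1918 range (this also
# covers the tunnel subnet itself), then pass whatever is left, i.e. the Internet.
VLAN_PLUS_INTERNET: List[Rule] = [
    ("pass", USER, VLAN100),
    ("block", USER, "10.0.0.0/8"),
    ("block", USER, "172.16.0.0/12"),
    ("block", USER, "192.168.0.0/16"),
    ("pass", USER, "any"),
]


def results(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate the ruleset for a VLAN host, the LAN-side firewall and an Internet host."""
    probes = {"vlan100_host": "192.168.100.5", "lan_firewall": "192.168.1.1", "internet": "1.1.1.1"}
    return {name: evaluate(rules, "10.8.0.10", ip) for name, ip in probes.items()}


if __name__ == "__main__":
    print("vlan-only     :", results(VLAN_ONLY))
    print("vlan+internet :", results(VLAN_PLUS_INTERNET))
```

In the pfSense GUI the three block rules collapse into one rule with an RFC1918 alias as destination, placed above the final pass-to-any rule; the order is what makes the Internet pass rule safe.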