Exclude specific traffic from VPN on pfsense

Hey guys,

another solution I’m looking for is how to exclude/avoid/bypass (however you wanna call it) specific traffic from going trough the VPN (openVPN) configured on pfsense.

The network looks like this:

WAN
→ LAN
→ -> VLAN1 [10.0.0.1/24] (no VPN)
→ -> VLAN2 [192.168.0.1/24] (VPN active)

The problem is (what most of you probably guess) there some issues when you try to connect to some sites/streaming services or else that use VPN blockers or are regional locked. So what I wanna do is routing only these specific connections through the local WAN instead of the VPN tunnel.

I found a solution on google where someone said:
Just add a Firewall Rule where you set the destination-IP(-range) and select the WAN-Gateway for it. I tried this but it seems it doesn’t work for me.

Idk where I messed up with this, is it because I’m using VLANs? Do I have to configure another gateway for that, setting a new NAT mapping rule, configure a separate VLAN for that or something?

But I don’t want the devices on VLAN2 getting another IP address, for normal use VLAN2 traffic should still go through the VPN tunnel, it’s just some services that are not available through VPN that should bypass.

Would be great if someone could help me with this.

Thanks

PS: I’m new to this forum, so if I forgot to mention some something or so, pls be considerate :pleading_face:

ok, I think I got one step closer to a solution, I watched Tom’s video
“pfsense OpenVPN Policy Routing With Kill Switch Using PIA / Private Internet Access”

and it kinda works but not in the way I want to.

I’ve added the tag, set the gateway and added the NAT-rule.
When I try to reach the streaming service now it kinda works BUT:
any further traffic from the device keeps the WAN route when i try to reach another site/service/etc.
but what I want is some kind of a fallback to the VPN-Gateway if not connecting to this specific service.

any idea how i can fix this or what could cause the problem?

This video on pfsense policy routing that explains how to set that up:

1 Like

haha, yes, just did it, but i think I still messed up with something, postet in the comment above.
but thanks a lot for your response.

Ok, I think I got one more step closer. Maybe I underestimated how hard it is to exclude this vpn-/geo-blocking thing.
It looks like it’s not about the routing rule, it’s may be to find the right IP (or range) that does the blocking.
After adding some more IP-ranges I found related to this service I got access to the media library so it must be something in this way I guess. By filtering some other IP addresses the ads worked when starting a livestream on a mobile device (yay :upside_down_face: ) but the livestream itself still seems to be blocked.

I think I need to figure out what server does the geo-/vpn-blocking.