Firewall rules for specific Vlan to VPN

I built my system based on the youtube video: “How to Setup VLANs with pfsense & unifi 2023”. https://www.youtube.com/watch?v=WMyz7SVlrgc&t=1070s

The internet (ISP) connects to the pfSense, and the pfSense is connected to the UDM-Pro. All of my VLANs are set up via Wi-Fi controlled by the UDM-Pro, because I wanted computers that are connected directly to have a static IP, and three different Wi-Fi networks to have different LAN IPs.

i.e. AP - default 192.168.1.0, AP - VPN 192.168.3.0, AP - work 192.168.5.0. The VLAN IDs are set as 1, 3, 5 respectively in the UDM-Pro.

Everything works until I try to set up firewall rules for traffic to go through the VPN that is set up on the pfSense. The connection is live, as I can see on the status page. The UDM-Pro is my DHCP server. My confusion is why my firewall rules are not passing my VPN AP traffic to the VPN gateway. I have a firewall rule under LAN that states: if the source is from the alias “out over vpn” to destination any, the gateway is the VPN interface (which is working). In the alias, under Network or FQDN, I set the IP address to 192.168.3.0/24. I've also attempted to add a VLAN tag under Interfaces > VLANs so that anything coming from the parent interface LAN with VLAN tag 3 is set up with the interface assignment "VPN network port VLAN 3 on idb1 - lan" with an IPv4 config of none.

Just looking to get my firewall to pass the VPN AP through the vpn.

Thank you for the help

I am not exactly clear on why you are using both the UDM and pfsense. Which device is providing the routing?

I am using the UDM-Pro as my router/DHCP server and using the pfSense strictly as a firewall. I edited the OP to better describe what's going on. Not sure if it helps.

Surely it’s just a case of the traffic on the vlan exiting out of the VPN gateway.

That’s what I am going for but I’m having trouble getting my firewall rules correctly to do so

Still haven't been able to figure this out. It's been a month banging my head against the wall with no result. Is there something I need to screenshot, or more information I may be able to send, to help with solving this?

Not totally clear on your setup, but it must be the case that if your VPN VLAN exits via the VPN gateway then it will go to the VPN servers; if you implement the kill switch on the VPN VLAN then it will not exit via the ISP.

If the above does not work it follows your set up has errors in the config elsewhere.

It sounds like you want to have different IP routes for traffic coming from different IP networks:

192.168.1.0/24 and 192.168.5.0/24 to ISP
192.168.3.0/24 to VPN provider

I am not sure what your setup is here. The connection between the pfSense and the UDM: what network address does it have, and what IPs do both routers have there?

The setup sounds to me like source-based routing for the pfsense. Does pfsense support that?
If not, you need to change the topology, but it can be done.
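For readers landing here with the same question, this is what the “192.168.3.0/24 to the VPN provider, everything else to the ISP” split looks like as raw pf rules, i.e. the pf(4) equivalent of the pfSense GUI rules. It is an added, constructed example and not something posted by the OP or generated from their box. The interface and gateway names are assumptions (igb1 as the pfSense LAN facing the UDM, ovpnc1 as the OpenVPN client interface, 10.8.0.1 as the provider’s tunnel gateway), and it only works if pfSense actually sees 192.168.3.0/24 as the source address, which means the UDM must be routing those VLANs to pfSense rather than NATing them to its 10.0.0.x WAN address, and pfSense needs a static route back to the three subnets via the UDM’s address on the 10.0.0.0/24 link.

```pf
# Constructed example (not from the thread): pf(4) rules equivalent to the
# pfSense GUI rules for source-based (policy) routing of one VLAN into a VPN.
# Assumed names: igb1 = pfSense LAN toward the UDM, ovpnc1 = OpenVPN client
# interface, 10.8.0.1 = the VPN provider's gateway inside the tunnel.
lan_if     = "igb1"
vpn_if     = "ovpnc1"
vpn_gw     = "10.8.0.1"
vpn_net    = "192.168.3.0/24"
isp_nets   = "{ 192.168.1.0/24 192.168.5.0/24 }"
local_nets = "{ 10.0.0.0/24 192.168.1.0/24 192.168.5.0/24 }"

# Outbound NAT on the tunnel: packets leaving via the VPN must carry the
# tunnel address, otherwise the provider has no route for the replies.
nat on $vpn_if inet from $vpn_net to any -> ($vpn_if)

# 1. Keep inter-VLAN and management traffic local: no route-to on this rule,
#    so it is matched before the policy-routing rule below.
pass in quick on $lan_if inet from $vpn_net to $local_nets keep state

# 2. Policy-route everything else from the VPN VLAN into the tunnel.
#    First match wins, so this must sit above the general LAN rule that
#    would otherwise send the traffic out the default (ISP) gateway.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $vpn_net to any keep state

# 3. Kill switch: if rule 2 is not present (pfSense drops policy-routing
#    rules when the gateway is down and "Skip rules when gateway is down"
#    is enabled), VPN-VLAN traffic hits this block instead of leaking via
#    the ISP. Placing it directly under rule 2 is what makes the split safe.
block return in quick on $lan_if inet from $vpn_net to any

# 4. The other two VLANs follow the default route to the ISP.
pass in quick on $lan_if inet from $isp_nets to any keep state
```

In the GUI this maps onto: the first LAN rule with source 192.168.3.0/24, destination the local networks alias and gateway default; the second with the same source, destination any and gateway set to the VPN gateway under Advanced; a reject rule for that source immediately below it; and the catch-all LAN rule last. Checking the rule order in Firewall > Rules > LAN, and whether the states table (Diagnostics > States) shows the 192.168.3.x sources at all, is the quickest way to tell whether the rules are wrong or whether pfSense simply never sees those addresses.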

That’s exactly what I am trying to achieve. Thank you. You lost me a little bit there but let me try to clarify what my setup is.

The ISP modem is 192.168.0.1, which connects directly to the pfSense firewall (10.0.0.1), which then connects to the UDM 192.168.1.0, which then connects to a UniFi router.

The UDM sees the pfSense (10.0.0.1) as the WAN IP and the UDM as the gateway IP. The UDM has Wi-Fi networks that act as the DHCP server assigning IP addresses (i.e. 192.168.1.0/24, 192.168.5.0/24, 192.168.3.0/24).

On the pfSense side, I have the WAN, LAN, and VPN interfaces. WAN is connected to the ISP modem and LAN is connected to the UDM. As far as firewall rules go, I only have the anti-lockout rule and, under that, the rule where source, port, destination, and port are all * and the gateway is the WAN. I deleted all other rules I attempted because they weren't working. Not sure how to (or if I can) set up rules to send 192.168.1.0/24 and 192.168.5.0/24 to the ISP and 192.168.3.0/24 to the VPN provider. I hope that didn't cause more confusion.

Unfortunately it is more confusing to me now.
Example:

to me this sounds like you have this:

(ISP modem IP 192.168.0.1) — (MODEM interface (IP is what?) of pfSense , LAN IP 10.0.0.1) — (UDM IP 192.168.1.0 (not a device IP!))

If you use /24, 192.168.1.0 is not a device address but a network address. The UDM then cannot have specifically this address. There must be an IP address that the UDM uses to connect to the pfSense, which you haven’t mentioned. Otherwise, how do pfSense and UDM talk to each other if they are connected with interfaces on different networks?

I think you’d do yourself and the people you would like to help you a favor by drawing a network map as others here have done to be specific about the current setup. Some examples here:

That diagram was done using draw.io; it’s a web-based drawing program.
Also, look: Lawrence posted a link, I think in that thread, to his GitHub account where he shared some diagram templates he uses. It might be of use.
G