I was thinking for my use case it would be handy to setup a virtual wireless network (I have a TP-Link Omada setup) that was on a VLAN that would have a default route that was the PIA VPN.
This would be easier (for me) than editing the host list on pfSense every time and reloading the rules, instead I would just switch away from the default WLAN to the one that routes through PIA.
I got the VLAN setup and linked to a virtual SSID on the Omada controller but I can't figure out how to set the VLAN's default gateway to the PIA gateway. Is it possible to have a VLAN have a different gateway?
That's pretty easy, when you setup your VPN on your network, a gateway is created. Go to your rules and for your VPN vlan create a rule, under advanced settings you will see an option to set the gateway. If nothing is selected it will use your default gateway, which will be your ISP.
There are various checks you can do online to determine if you are leaking your IP address from your VPN vlan which is worth double checking.
I tried this myself and couldn't get the kill switch to work till I unchecked this option in advanced miscellaneous:
Skip rules when gateway is down
Do not create rules when gateway is down
By default, when a rule has a gateway specified and this gateway is down, the rule is created omitting the gateway. This option overrides that behavior by omitting the entire rule instead.
Just a quick note of thanks for this video. I finally completed the setup of my Surfshark VPN with kill switch and successfully tested it. You have excellent videos. They are helpful, informative and easy to follow. THANK YOU!
I've set things up exactly as per instructions and also unchecked the "Skip rules when gateway is down" option. Everything works when the VPN is up. Devices selected to route via the VPN do so, remaining devices on LAN route via the standard WAN. All good.
However, when the VPN is down (manually disabled) the floating rule kill switch blocks ALL traffic from that LAN, not just the tagged traffic. No devices on that LAN have internet access, rather than just the selected alias devices. It's as though ALL traffic from the LAN is now being tagged, or all LAN devices have suddenly been included in the alias. Either way, there is no logic to this behaviour that I can fathom.
I am confused by the whole setup though. If I follow the logic right, when the VPN is disabled the LAN rule is now omitted because the gateway is down (as per the unchecked "Skip rules..." option). This surely means that NO traffic is now being tagged, so why does the kill switch rule work at all? Given that it is only supposed to block tagged traffic then surely it shouldn't block anything, as opposed to blocking everything as it seems to.
I have searched extensively for some answers to this and, whilst it seems to be a problem that others have experienced, nobody can offer a solution. Can anyone here shed any light? Grateful for any help with this...
Honestly I think the best approach is to use vlans, set the gateway to your VPN. Then you know for sure any traffic on that vlan goes out via the VPN, you don't need to think about anything.
Thanks @neogrid. I have other VLANs for specific purposes and I'm happy that I could implement a VLAN-based solution. Trouble is I would then need all sorts of rules for inter-VLAN traffic, as what I want is only some of the devices on my core LAN to route via the VPN, while the rest don't, but ALL these devices need to be on the same LAN (or VLAN, it doesn't really matter) for non-WAN traffic.
The idea of tagging packets and using policy-based routing with a kill-switch really appeals to me because it means I avoid segmenting any internal (i.e. non-WAN) traffic. It's great in principle but it just doesn't work, unless you accept the all-or-nothing kill switch and have ALL traffic blocked when the VPN is down.
What frustrates me is that I can't fathom why the policy-based kill switch doesn't work "properly". C'est la vie.
I think what you are trying to do should work, as your traffic is exiting the default WAN. Perhaps the order of your rules on the LAN might be worth inspecting again.
Thank you for getting back.
It wasn't the order of the rules. I narrowed it down to DNS, which then led to the realisation that I had routed both my Pihole VMs over the VPN. So as soon as the VPN was down, I lost all DNS, hence the whole LAN losing connectivity. Pointing Piholes back at the default WAN solved the issue and now the selective kill switch is working perfectly. Hallelujah!
This has consumed waaaaay too much of my time, because of my own stupidity! I would never have discovered it though without being told by someone who knows better that it should be working. So thanks again @neogrid.
hahaha I'm not sure I know better but I too have "invested" an ungodly amount of time getting my network to do what I want, after a while you can just sense what should be possible
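The kill-switch behaviour discussed above, modelled as an added example (not pfSense code and not from anyone in this thread): a LAN rule that tags alias members and sends them to the VPN gateway, a floating rule that blocks tagged traffic leaving the WAN, and the "Skip rules when gateway is down" option deciding whether the LAN rule is loaded without its gateway or omitted entirely. Host names, the alias, and the "pihole_in_alias" switch are constructed to reproduce the DNS failure found at the end of the thread.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass
class Rule:
    src_alias: Set[str]          # LAN hosts the rule matches (alias members)
    gateway: Optional[str]       # policy-routing gateway; None = default route (WAN)
    tag: Optional[str]           # tag stamped on matching packets

def build_rules(rules, gateways_up, skip_rules_when_gw_down):
    """Mimic rule loading: if a rule's gateway is down, either load the rule
    without its gateway (default) or omit the whole rule (option checked)."""
    loaded = []
    for r in rules:
        if r.gateway and r.gateway not in gateways_up:
            if skip_rules_when_gw_down:
                continue                      # rule omitted: packets never tagged
            loaded.append(Rule(r.src_alias, None, r.tag))  # tagged, default route
        else:
            loaded.append(r)
    return loaded

def egress(src, loaded_rules, killswitch_tag):
    """Where a packet from src exits: the VPN gateway, 'WAN', or 'BLOCKED'."""
    tag, gw = None, None
    for r in loaded_rules:
        if src in r.src_alias:
            tag, gw = r.tag, r.gateway
            break
    if gw is None:
        # floating kill-switch rule: tagged traffic must never leave via the WAN
        return "BLOCKED" if tag == killswitch_tag else "WAN"
    return gw

LAN_HOSTS = {"laptop", "tv", "pihole"}    # constructed sample LAN; pihole = resolver
VPN_ALIAS = {"laptop"}                    # hosts the LAN rule sends through the VPN

def simulate(vpn_up, skip_rules_when_gw_down, pihole_in_alias=False):
    """Per-host internet outcome. A host whose own path is open still fails
    ('NO_DNS') when the LAN's resolver is itself blocked by the kill switch."""
    alias = VPN_ALIAS | ({"pihole"} if pihole_in_alias else set())
    rules = [Rule(alias, "PIA_VPN", "VPN_ONLY")]
    loaded = build_rules(rules, {"PIA_VPN"} if vpn_up else set(),
                         skip_rules_when_gw_down)
    path = {h: egress(h, loaded, "VPN_ONLY") for h in LAN_HOSTS}
    dns_ok = path["pihole"] != "BLOCKED"
    return {h: ("BLOCKED" if p == "BLOCKED" else (p if dns_ok else "NO_DNS"))
            for h, p in path.items()}
```

With the option unchecked the alias hosts stay tagged when the VPN drops and are blocked while the rest of the LAN keeps working; with it checked the rule vanishes and the alias hosts leak out via the WAN.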
Hi Tom, many thanks for this and your other videos. I have one issue though with rule based routing which I am unable to solve, so I really hope you (or somebody else in this forum) knows the trick.
It is with ovpn site-to-site tunnels. I have an ovpn server, and multiple ovpn clients (sites) connecting to this server. For the tunnels to work on the server side, I have an "ovpn client specific override" for each client/site. So far so good, tunnel works perfectly to all sites.
On the server side, for some devices I want to do rule based routing, so that the device goes to the internet at a site's location. But since I am the ovpn server/host, I have only 1 interface & gateway for all sites/tunnels. How on earth can I instruct pfSense to route specific traffic to a dedicated site/tunnel? Tried so many different things, but none of them worked. Searched the internet many times, but never found a topic on this.
On the client side, this issue does not exist, because each client has a gateway for his own tunnel to me.
I really hope anybody knows how to do this. Eternal gratitude awaits you
Thx.
PS. Posted the same question under the youtube video comments. And then heard you saying about this forum, which was new to me. Again thx for the informative videos.
A bit hard to follow your actual setup, but I'm guessing you have a hub and spoke type of setup and want to get back from your server network to your client networks. That can be done by adding a static route under System > Routing > Static Routes
Yes it is a hub and spoke. I do not think there is another way you can setup openvpn, unless you use a dedicated openvpn server for each site (being more overhead).
If you add a static route, then you only tell pfsense which network is behind a gateway (in my opinion the same result as the "client specific override" setting in openvpn). That still does not tell pfsense how to route through a specific tunnel, because I only have 1 gateway for all tunnels (me being the hub).
Ok I see what you have done, I think you need to google star topology, personally I would have setup each site individually so I don't have a single point of failure. I'd guess that when setting up openvpn you need to state the remote networks. Your single gateway sounds like it must then be the route to those remote networks.
Yes did some more reading on star topology, and it should be the type of setup for my situation, but nobody is talking about rule based routing in this setup. In the pfsense documentation, they explain rule based routing in a star topology when you use wireguard, but I do not want to go that way. Openvpn is working fine for me. When I have the time, I will indeed transform the star topology to dedicated site-to-site tunnels. Will give me some small overhead, but will make it easier to do special things.
Thx for your suggestions.