OpenVPN in pfSense on specific IP not working

So, I’ve been having issues for a few days now with pfSense after installing it on a t730 that I picked up just for this purpose. Here’s a diagram of my setup, just so we’re clear about how everything’s going.

So, as you can see, I’m feeding my ISP router directly into pfSense, which has (1) WAN and (1) LAN, and the LAN is feeding into a Mi Router that I use to pass on internet via wireless and ethernet to several devices, such as my computer, phones, Apple TV, Smart TV, PS5, et al.

Now … I want VPN on router level for Apple TV, as there’s no other way to bypass regional restrictions to consume content on there. But I don’t want VPN on my personal devices at all times, I want to be able to pick and choose when to add and remove that. Ergo, I was hoping if I could create two aliases namely VPN and NoVPN, and throw in the IPs in their respective aliases for where I want to route my traffic through VPN or not.

Now the problem is that, every tutorial I read online basically said add firewall rules for LAN in pfSense by simply doing the following:

Disclaimer: screenshots are taken from ProtonVPN’s pfSense 2.6.x guide link.

When I follow this step, and put my desktop IP in there as, and make sure that on my computer I assign a static IP to correlate that, it doesn’t do anything. All of my traffic on computer still routes through VPN, I’ve been at it for the past couple of days or so and can’t figure out what I’m missing here.

Any other set of eyes and help on this would be greatly appreciated, if you need any more info on how the OpenVPN is set up or my gateways, let me know and I’ll share them accordingly. But I feel like the fact that I’m adding another router after pfSense which puts me on another subnet, maybe that’s why I’m having a hard time not being able to exclude my desktop from VPN traffic and maybe need to create something else in pfSense? Either way, let me know what you guys think.

Are you using a managed switch ?

Not using any switch at all, the diagram that shows my setup is exactly how it is. I have LAN going out from pfSense into a Mi Router that’s running OpenWRT and then from there to my PC and other devices.

That’s it. Is a managed switch a requirement to be able to exclude traffic from VPN in a scenario such as mine?

It would be far easier to buy a cheap switch and create two VLANs, one for VPN and the other for ISP traffic. Then connect to whichever based on your needs.

In your scenario, adding a VPN client to the apple device looks simpler.

There’s probably a way in the OpenVPN client to route traffic for a specific IP address under the advanced settings, though I do not know what that might be.

To the best of my knowledge, I don’t think there is a way within the OpenVPN client because every other VPN provider has its own settings to setup OpenVPN connection. But the routing of traffic can be controlled however we want, but I could be entirely wrong, so.

Would a switch like this work? It’s unmanaged, though. Any managed switch I see is few hundred bucks where I am, but I can pick this up for like $15-20 rn, LS1005 | 5-Port 10/100Mbps Desktop Network Switch | TP-Link United Kingdom

Wouldn’t that Mi router act as a switch of sorts as well, though? Albeit, I concur. If I can simply just add a VPN only to my Apple TV with the hardware I have right now, that’d be most ideal. Or at the very least, just exclude certain IPs (my desktop PC) from the VPN and let rest of it go through VPN.

p.s. or even a Gigabit switch like this one, LS1005G | 5-Port 10/100/1000Mbps Desktop Switch | TP-Link but again, it’s unmanaged.

LOL those switches are toys !

No idea what your Mi router is doing.

In the OpenVPN client config on pfSense you have custom options, I think you need an entry there to do what you want.

Yeah, I figured as much, lol. But that’s all available to me where I am, unless I go for something extra and then it’s an expense of $200+ and I’d rather avoid that if I can cause it won’t be readily available anyway.

I see some tunnel settings in OpenVPN client config, but that’s about it. Not sure if this is of any use?

But other than this, I am unsure of it. I’m also a bit weirded out that every guide that’s telling me to merely create firewall rules for LAN and NAT to do this simply doesn’t work for me. Like what am I missing from those guides, are they suggesting that setup based on a certain hardware like a switch, or should it be able to work on my current setup as is?

If you scroll further down you’ll see Advanced Configuration >> Custom Options box in OpenVPN client.

Perhaps if you were to put everything in the same address range as your pfSense router, you might get a bit further. Not sure if you have OpenWRT acting as a router or an access point; if it’s an AP then the clients are being DHCP’ed from pfSense, so at least it’s not double NATed.

Don’t have any other ideas perhaps someone else has had the same problem.

I actually never messed with OpenWRT much after installing on the router as it couldn’t handle OpenVPN, so I left it as is. I could try and see if putting it in AP mode is possible, that way being on same subnet and DHCP’d from pfSense, then I may get the result I am looking for, good shout on that.

As for the custom options, each VPN provider has their own setting and I wouldn’t have a clue what to put in there beyond that, honestly. But FWIW, here’s my settings from advanced.

I’ll go and look up on how to go about putting OpenWRT in AP mode and see if that helps.

Okay, so. @neogrid you were really helpful with that shout. Two things.

  1. When I am on the same IP range as pfSense, i.e. 192.168.1.XXX, the rules work flawlessly.
  2. I am unable to set my OpenWRT in a way where it plays as an access point and stays on 192.168.1.XXX range.

So, I was having trouble getting OpenWRT to work accordingly. So, before wasting a lot of time, I figured I’ll just directly connect the ethernet from pfSense to my PC and see if a specific IP rule works to exclude internet access, and it did. I am able to exclude internet whenever I assign myself a static IP that matches the rules.

But now I’m stuck with making my router that’s OpenWRT to share the same IP range as my pfSense, which I’m assuming should happen if I setup my OpenWRT as an access point? If so, I’m having trouble doing that.

I tried assigning IP on LAN on same network as pfSense, where my OpenWRT LAN is and pfSense is set as and while internet works and I can access OpenWRT, I can’t connect to pfSense even via and the rule to exclude VPN doesn’t work. It only works when I connect my PC directly to pfSense, and not via my OpenWRT router.

Any input you can give on this matter on OpenWRT side? Now that we’ve confirmed that rules work when we’re on the same IP range as pfSense, but not another. We just need to make sure OpenWRT and pfSense can both run on same IP range and be accessible via their IP.

Okay, an update.

I made a mistake and had my pfSense connected to OpenWRT’s WAN port, as soon as I moved it to LAN port, everything worked fine. I’m on the same network now, and the firewall rules are working as intended!

My desktop PC doesn’t go through VPN anymore, and rest of the network does.

Thank you once again for a good shout, @neogrid! All I had to do was set my OpenWRT router on the same subnet as my pfSense and everything worked flawlessly.
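Here is an added Python model (not from the thread, pfSense or OpenWRT) of why the per-IP rule only matched once the OpenWRT box was on pfSense’s subnet: in router mode it NATs the desktop behind its own WAN address, so pfSense never sees the address listed in the NoVPN alias, while in AP (bridged) mode the source address survives. The 192.168.31.0/24 Mi-router subnet and the 192.168.1.50 / 192.168.1.10 addresses are assumptions.

```python
import ipaddress

# Constructed addressing for the thread's topology (assumptions): pfSense LAN is
# 192.168.1.0/24 as stated in the thread; the Mi router's own LAN is taken to be
# 192.168.31.0/24 and its address on pfSense's LAN to be 192.168.1.50.
PFSENSE_LAN = ipaddress.ip_network("192.168.1.0/24")
MI_ROUTER_LAN = ipaddress.ip_network("192.168.31.0/24")
MI_ROUTER_WAN_IP = ipaddress.ip_address("192.168.1.50")

# The NoVPN alias holds the desktop's static IP in BOTH addressing schemes, so the
# only variable in the experiment below is what the downstream box does to packets.
ALIASES = {
    "NoVPN": {ipaddress.ip_address("192.168.31.10"), ipaddress.ip_address("192.168.1.10")},
}

# pfSense LAN rules, evaluated top-down with first match winning (pf "quick" rules).
# gateway=None means the default (ISP) route; "VPN_GW" is the OpenVPN client gateway.
LAN_RULES = [
    {"src_alias": "NoVPN", "gateway": None},
    {"src_alias": None, "gateway": "VPN_GW"},  # catch-all: everything else via VPN
]


def downstream_router(src, mode):
    """Model the Mi router in front of pfSense.
    'router' mode: clients on its LAN are source-NATed to its WAN address.
    'ap' mode: it bridges, so the client's own address reaches pfSense."""
    if mode == "router" and src in MI_ROUTER_LAN:
        return MI_ROUTER_WAN_IP
    return src


def lookup_gateway(src_seen_by_pfsense):
    """First-match policy-routing lookup over the LAN rules."""
    for rule in LAN_RULES:
        alias = rule["src_alias"]
        if alias is None or src_seen_by_pfsense in ALIASES[alias]:
            return rule["gateway"]
    return None


def route_for(pc_ip, mode):
    """Gateway pfSense picks for a packet from pc_ip behind the Mi router in `mode`."""
    seen = downstream_router(ipaddress.ip_address(pc_ip), mode)
    return lookup_gateway(seen)


if __name__ == "__main__":
    print("router mode:", route_for("192.168.31.10", "router"))  # NAT hides the PC -> VPN_GW
    print("ap mode:    ", route_for("192.168.1.10", "ap"))       # PC seen directly -> ISP
```

Swapping the Mi router to AP mode (or plugging pfSense into its LAN port, as the thread found) is exactly the `"ap"` case: the desktop's real address reaches pfSense, the NoVPN rule matches, and only the remaining devices fall through to the VPN gateway.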

Ok great you got it working.

When you can find a switch, I’d still recommend buying a managed switch and running VLANs when you’re using a VPN.

Any major benefits of doing that, though? Like I’ll eventually get it for ease of deployment on multiple devices anyway, instead of just using a router in the way I am right now. Just asking to understand the primary benefits of it and such.

It’s mainly for security. You don’t want untrusted traffic hopping all over your network.

And the traffic when being routed through a router like this is untrusted, as opposed to if it was from a managed switch?

Perhaps it just depends on your point of view. While VLANs allow you to segment your network, if you are paying for the use of a VPN, it’s much easier to set up a VLAN for that so that all traffic on that network passes through the VPN without needing to think about it too much. If the VPN service goes down it’s easier to deploy a kill switch without affecting the traffic requiring the ISP.

Fair enough.

Thanks once again for the input, though. Much appreciated!