I have been having fun learning about networking and using pfSense to accomplish this. I would normally do testing on a virtual machine, but my homelab is limited at this time, so my production machine is also my learning machine (risky, I know, especially since I use it for work as well).
I have several VLANs, and on one I'll call VLAN_Home I am trying to route all traffic through OpenVPN using Surfshark (what I have at this time), while also being able to access the other VLANs on my network and the main LAN (I believe this is called split tunneling?).
I set up certificates for Surfshark, and under OpenVPN > Clients set up the service with the Surfshark information. Under interface assignments, I set up the "Surfshark_Vlan" port. And under my firewall rules, I set up the VLAN_Home subnet as the source to use the Surfshark_Vlan gateway for traffic. It seems like it should work, but I think I am missing something, as the status of the client is down. The goal is to keep the existing connections from VLAN_Home to the other system VLANs (managing IoT devices, etc.), but put the rest of the home traffic through the VPN. Open to suggestions!
A bit hard to follow, but I think I know what you are trying to achieve. The way I addressed that issue is to use an alias for the subnets and then define which VLANs can see each other. The inverse of the VLAN subnets will be the WAN.
However, in some situations, say my guest VLAN, I don't want it to see my management VLAN; however, I put in an extra rule so that the guest can access the AP portal on the management VLAN in order to reach the internet.
Look up using an Alias; it may help you use fewer rules.
I can get the VPN to apply to the whole network just fine, but applying it to the specific VLAN is where I am missing something, I am coming to find out. Brought my whole system down earlier (oops; thank goodness I kept a backup point just prior to reload from).
As using the VPN on the VLAN is not necessary for my day to day, and my firewall works well without it, I will probably use this as an excuse to set up a virtual desktop and virtual firewall so I can test in there and not bring down my whole network.
Not sure if this helps, but it might be better to think of applying your ISP to all your VLANs, then select which VLANs you want exiting the VPN. If you then apply the kill switch to your VPN VLANs, it doesn't bring the whole network down, so to speak.
One area I've still to investigate more fully is DNS. I started off applying the DNS Forwarder for the ISP and the DNS Resolver for VPN traffic. I don't recall why I did this, but I probably had DNS leaks and solved it using this approach. Again, I also still don't fully understand DNS when using OpenVPN.
My guess is all your traffic is being directed by the DNS for your VPN but wants to go out the ISP WAN.
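The alias-based split-tunnel rule set described above (local VLANs reachable via the normal route, the inverse of the alias policy-routed to the VPN gateway) and the kill-switch behaviour mentioned in the last reply are easier to reason about once you see how pfSense evaluates interface rules top to bottom with first match winning. The following is an added example written for this thread, not code from the thread or from pfSense itself: a small Python simulator of that first-match evaluation. The subnets, alias contents, rule names, client address and the gateway name `SURFSHARK_VPN` are all constructed for illustration. It models the "Skip rules when gateway is down" option: with it on, a policy-route rule whose gateway is down is skipped so traffic falls through to a trailing block rule (the kill switch); with it off, the rule still matches and the traffic falls back to the default route, which is the behaviour that leaks traffic out the ISP when the tunnel drops.

```python
"""Added example, not from the thread: first-match simulator for a pfSense-style
rule set that split-tunnels one VLAN through a VPN gateway.  Every subnet, alias,
rule name, client address and gateway name below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed alias "LocalNets": the private ranges, so it covers every local VLAN.
LOCAL_NETS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
VLAN_HOME = nets("192.168.50.0/24")   # constructed VLAN_Home subnet
ANY = nets("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    src: list                   # source networks
    dst: list                   # destination networks (or an alias of them)
    dst_invert: bool = False    # pfSense "invert match" on the destination
    gateway: str = "default"    # "default" = normal routing table; else a policy-route gateway


def in_any(ip, networks):
    return any(ip in n for n in networks)


def rule_matches(rule, src_ip, dst_ip):
    if not in_any(src_ip, rule.src):
        return False
    return in_any(dst_ip, rule.dst) != rule.dst_invert


def evaluate(rules, src, dst, gateways_up, skip_when_down=True):
    """Top-to-bottom, first match wins, as pfSense evaluates an interface's rules.
    Returns (rule name, action, gateway actually used).
    skip_when_down models System > Advanced "Skip rules when gateway is down":
      True  -> a rule whose gateway is down is ignored (later rules get a chance)
      False -> the rule still matches, but traffic uses the default route instead."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        gw_down = r.gateway != "default" and not gateways_up.get(r.gateway, False)
        if gw_down and skip_when_down:
            continue
        if rule_matches(r, src_ip, dst_ip):
            return r.name, r.action, ("default" if gw_down else r.gateway)
    return "implicit-deny", "block", None


# Rule set for the VLAN_Home interface tab, in the order pfSense would read it.
VLAN_HOME_RULES = [
    # Inter-VLAN traffic stays on the normal route (no gateway set).
    Rule("allow-local-vlans", "pass", VLAN_HOME, LOCAL_NETS),
    # Everything that is NOT local (the inverse of the alias) goes into the tunnel.
    Rule("internet-via-vpn", "pass", VLAN_HOME, LOCAL_NETS, dst_invert=True,
         gateway="SURFSHARK_VPN"),
    # Kill switch: only reached when the VPN rule above is skipped because its gateway is down.
    Rule("kill-switch", "block", VLAN_HOME, ANY),
]

# The single "send everything to the VPN gateway" rule many people start with:
# it also drags traffic for other VLANs into the tunnel.
SINGLE_VPN_RULE = [Rule("everything-via-vpn", "pass", VLAN_HOME, ANY, gateway="SURFSHARK_VPN")]


def route_home_client(dst, vpn_up=True, skip_when_down=True):
    """Where a constructed VLAN_Home client (192.168.50.20) ends up for a given destination."""
    return evaluate(VLAN_HOME_RULES, "192.168.50.20", dst,
                    {"SURFSHARK_VPN": vpn_up}, skip_when_down)


if __name__ == "__main__":
    for dst, up in (("192.168.10.5", True), ("203.0.113.10", True), ("203.0.113.10", False)):
        print(f"{dst:>14} vpn_up={up!s:<5} -> {route_home_client(dst, up)}")
    print("vpn down, skip-rules off ->", route_home_client("203.0.113.10", False, False))
    print("single any->VPN rule, local dst ->",
          evaluate(SINGLE_VPN_RULE, "192.168.50.20", "192.168.10.5", {"SURFSHARK_VPN": True}))
```

Running it shows the management host staying on the normal route, an internet address leaving via the VPN gateway, and the same internet address hitting the kill-switch block once the gateway is marked down; with `skip_when_down=False` that last case instead matches the VPN rule and goes out the default route, which is the leak the kill switch exists to stop. The last line shows why an alias (or the local-access rule placed above the VPN rule) is needed at all: a lone "any destination" rule with the VPN gateway set policy-routes inter-VLAN traffic into the tunnel too.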