PFSense + Open VPN + Routing Certain Subnets

Looking for a bit of help because I can’t seem to find a video or online resource to help me figure out how to set up what I want to do.

I have PFSense running, and it’s set up with 4 LAN subnets, one per Ethernet port on the LAN card. I have my PIA VPN set up as a client going out the WAN port, and it’s not pulling routes by default.

The problem is I want to route the internet traffic from 2 of the 4 subnets through the VPN and the other internet traffic from the other 2 subnets through the standard WAN connection because of port forwards etc.

I can figure out how to get this to work, but I think my rules are a problem, because when it’s set up I can’t access the other LAN subnets that I normally can when not forcing internet traffic out the VPN connection.

Also, my other question is: is there a way to forward internet DNS requests from PFSense out the VPN as well? I just figured on anonymity for those, since the VPN connection is established anyway. If not, it’s not a deal breaker.

Thanks in advance for the help anyone can provide

Your VPN traffic should go out the VPN gateway. In your rules it will default out the WAN; you need to expose the advanced settings to choose the gateway for the VPN.
You’re right, if left just at that you’ll have a DNS leak.

I’m using AirVPN and connect to their servers via an IP address. For my VPN VLAN I use the DNS Resolver; for my ISP VLAN I use the DNS Forwarder. There might be another way, but that works for me.

No DNS leaks for me.

Coincidentally, I just posted something which I think will answer your question about inter-VLAN routing:
pfSense VPN firewall rule learnings
As to the DNS question, you can add DNS to the OpenVPN client definition I think. PIA suggests the following under Custom options (Advanced Configuration):
```
remote-cert-tls server
reneg-sec 0
auth-retry interact
dhcp-option DNS
dhcp-option DNS
```

@Stan When you do a leak test on your VPN, does it pass?

I haven’t done a leak test. Tell me how.

Go to and inspect your result.

When connected to your VPN you should see the VPN’s IP address not your WAN IP address.

Basically all your traffic has to go through the VPN tunnel otherwise your WAN IP can be identified.

I had already tested to ensure that the VPN’s IP address is being used. And I just tested with your link. It also showed the VPN’s IP address. I’m not sure how that determines whether there is a DNS leak, though.

I do recall doing a leak test and finding out I had a leak. It was down to a config setting, though I don’t recall the setting from 2 years ago.

Just something to test.

Thanks everyone for the replies so far.

If it’s easier, we could just have it route all traffic through the VPN and then have it route the 2 subnets not through the VPN, but I need to maintain access from the 2 subnets (secure) to the other ones not routed through the VPN (insecure devices with port forwards etc.).

It’s looking more like I need to learn more about routing and rules. :frowning:

Update: so it looks like this older video addresses what I need… I set up to push everything out over the VPN like this video shows, then set up selective rules for the subnets I don’t want out over the VPN, and now it’s working.

I should also add that this allows me to apply PFBlocker to the VPN incoming/outgoing as well by adding the interface on the PFBlocker setup pages.

THANK YOU TOM! :slight_smile:
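The inter-VLAN breakage described earlier in the thread comes from pfSense's first-match rule evaluation: a catch-all pass rule with the VPN gateway set also policy-routes traffic destined for the other LAN subnets, unless a rule for local destinations sits above it. The toy simulator below is an added illustration, not pfSense code or anything from this thread; the subnet addresses and the gateway name `PIA_VPNV4` are constructed.

```python
"""Toy first-match simulator for pfSense LAN-interface rules (added illustration).

pfSense evaluates an interface's rules top to bottom; the first match wins.
A pass rule with a gateway set (policy routing) sends matching traffic via
that gateway instead of pfSense's own routing table, so a catch-all
"pass any -> VPN gateway" rule also swallows inter-subnet traffic.
"""
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the four LAN subnets discussed in the thread.
SUBNETS = {
    "LAN1": ip_network("192.168.1.0/24"),  # secure, to be tunnelled
    "LAN2": ip_network("192.168.2.0/24"),  # secure, to be tunnelled
    "LAN3": ip_network("192.168.3.0/24"),  # insecure devices, port forwards, plain WAN
    "LAN4": ip_network("192.168.4.0/24"),  # plain WAN
}
LOCAL = list(SUBNETS.values())

def rule(action, dst, gateway="default"):
    """dst is 'any', 'local' (any LAN subnet) or an ip_network; 'default' = system routing."""
    return {"action": action, "dst": dst, "gateway": gateway}

def dst_matches(r, dst_ip):
    if r["dst"] == "any":
        return True
    if r["dst"] == "local":
        return any(dst_ip in net for net in LOCAL)
    return dst_ip in r["dst"]

def route(rules, dst):
    """Return the gateway chosen for dst, or 'blocked' when no rule passes it
    (pf's implicit default deny on LAN interfaces)."""
    dst_ip = ip_address(dst)
    for r in rules:
        if dst_matches(r, dst_ip):
            return r["gateway"] if r["action"] == "pass" else "blocked"
    return "blocked"

# Broken ordering: the policy-routed catch-all is the only rule, so traffic from a
# secure subnet to LAN3 is pushed into the tunnel and never reaches the local hosts.
BROKEN = [rule("pass", "any", gateway="PIA_VPNV4")]

# Working ordering: local destinations first on the default gateway (normal routing),
# then everything else, i.e. the internet, via the VPN gateway.
FIXED = [
    rule("pass", "local"),                     # inter-VLAN traffic stays off the tunnel
    rule("pass", "any", gateway="PIA_VPNV4"),  # all remaining traffic -> VPN
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: to LAN3 host -> {route(rules, '192.168.3.10')}, "
              f"to internet -> {route(rules, '1.1.1.1')}")
```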