pfSense VPN firewall rule learnings

I recently installed a PIA VPN using OpenVPN and ran into issues that have been resolved, so I thought I’d share my experience with whoever might benefit.

Context: I have several VLANs and want to run some of the devices in some of the VLANs through the VPN. I don’t need a “kill” rule, because if the VPN fails, I want the devices to have access through the WAN. I added an interface for OpenVPN named PIA, and in Firewall/NAT/Outbound added the PIA interface only for the VLANs for which I wanted to direct traffic to the VPN. (I believe I could have left the added interfaces as OpenVPN and this would have worked as well.) In the OpenVPN client definition, I did not enable the “Don’t pull routes” option. (That is not suggested in this forum that I’ve seen, but I experimented with it because it was suggested in the forums for pfSense and/or PIA.)

The most important learning was to add a firewall rule in my main network to permit access to other VLANs (e.g., 192.168.0.0/16). Absent the VPN rule, the “Default allow LAN to any rule” (which does not use the Advanced settings) did permit unrestricted access to other VLANs. However, when I added a similar rule for VPN (“anys” all the way across but with the advanced setting under Gateway for the PIA interface) above the Default rule, I wasn’t able to access other VLANs. To solve that problem, I had to add the extra rule above the VPN rule to permit access to the other networks.

The other important learning was to modify the “Default allow LAN to any rule” for all of my subnets. I needed to get into the advanced settings and specify the WAN interface under Gateway. That is normally set to default, but I had already set WAN as the default interface under System/Routing/Gateways, so that wasn’t enough. Without doing that, the traffic from all devices on all of the VLANs is routed to the VPN, even from the VLANs for which I had not added the PIA interface under Firewall/NAT/Outbound.

I’m relatively new to pfSense, so I don’t understand why these things are needed. I’m just reporting what worked for me. If someone with more experience has more elegant solutions, I’d be interested in learning the “why’s”.

One other learning not specifically related to VPN policy routing is that it’s important to increase Firewall Maximum Table Entries (System/Advanced/Firewall & NAT) to something greater than one million. I kept getting errors about the firewall not being able to access or save to the bogons IPv6 table, which apparently has grown very large. The errors sometimes prevented rules from being saved correctly and might have interfered with reboots.

Viragomann in the Netgate forums provided some insight, which I pass along. I changed my settings according to his advice. The new settings are more elegant and they work.

per Viragomann:
If you state a gateway in a firewall rule, it will direct all the traffic which matches the rule to that gateway (policy routing). The parameters for matching are: interface, protocol, source address, source port, destination address, destination port. So I assume the traffic to the other subnet might have matched, since the rule allows any destination.

You either have to take care that the rule doesn’t match internal traffic or place a rule for internal traffic at the top. In both cases you need to restrict the destination. This can be done by an alias containing different networks to be applied in the rule. I use an alias containing all RFC 1918 networks, i.e. only private networks. So you could use this alias in your policy routing rule as destination while checking “invert”. This means that the rule only matches traffic destined to addresses which do not belong to the RFC 1918 alias. So since your internal networks should be part of RFC 1918, the rule doesn’t match internal destinations.

The other part of your problem, when the gateway in the rule is set to “Default” it means the traffic is routed according to the routing table (to the default gateway or static route). Only this option allows internal traffic without passing a gateway.
The VPN provider usually pushes the default route to the clients. So if you are connected, it sets the default gateway to the OpenVPN server. Since you are missing the outbound NAT rules for the other networks, accessing internet resources did not work.

To avoid that, check “Don’t pull routes” in the client settings.
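
An added illustration, not part of the original post or the Netgate reply: a simplified Python model of first-match rule evaluation on one interface, showing why an any-destination rule with a gateway captures inter-VLAN traffic and how the extra rule or the inverted RFC 1918 alias avoids it. It assumes only the destination is matched; the rule labels and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Alias from the quoted advice: all RFC 1918 (private) networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    name: str                   # constructed label, not a pfSense identifier
    dest: Optional[list]        # list of networks, or None for "any"
    invert: bool = False        # the "invert" checkbox on the destination
    gateway: str = "default"    # "default" = follow the routing table

    def matches(self, addr):
        if self.dest is None:
            return True
        in_alias = any(addr in net for net in self.dest)
        return in_alias != self.invert

def route(rules, dst):
    """Return (rule name, gateway) of the first rule matching dst."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(addr):
            return rule.name, rule.gateway
    return "no match (blocked)", None

DEFAULT = Rule("Default allow LAN to any", None)
VLANS = [ipaddress.ip_network("192.168.0.0/16")]

# 1. Any-destination VPN rule above the default rule (the broken state).
BROAD = [Rule("VPN any", None, gateway="PIA"), DEFAULT]
# 2. The poster's fix: an internal-traffic rule placed above the VPN rule.
EXTRA = [Rule("Allow other VLANs", VLANS),
         Rule("VPN any", None, gateway="PIA"), DEFAULT]
# 3. The suggested fix: VPN rule matches only destinations NOT in RFC 1918.
INVERTED = [Rule("VPN not RFC1918", RFC1918, invert=True, gateway="PIA"), DEFAULT]

if __name__ == "__main__":
    # Constructed sample destinations: another VLAN host and an Internet host.
    for label, rules in (("broad", BROAD), ("extra", EXTRA), ("inverted", INVERTED)):
        for dst in ("192.168.20.10", "203.0.113.5"):
            print(f"{label:9} {dst:15} -> {route(rules, dst)}")
```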