VLAN and OpenVPN Firewall Rules for Local LAN Access

I’ve followed this video Lawrence OpenVPN video to set up my Proton VPN on a test network. I have configured the NAT settings to use the OpenVPN gateway and have set the rule below in the VLAN interface which forces the advanced gateway option using the OpenVPN.

I am not trying to allow access from the TESTNETWORK VLAN interface over to my other VLAN interfaces while still using the OpenVPN gateway to access external sites. Unfortunately when I add a rule to allow connection to the other VLANs the gateway used is the WAN and not the OpenVPN gateway

The rules below I have attempted to set up a rule to allow access to the IOT VLAN. If I use the advanced settings to specify the OpenVPN as the gateway, I’m unable to connect to any external sites. If I allow the default gateway (which in my routing is configured as WAN like in the video), it uses the WAN gateway for external sites.

I’ve been chasing my tail for nearly three days trying to get this figured out. I’m trying to 1. use OpenVPN as a gateway for an entire VLAN, and 2. provide access to internal VLANs.

Should that read “now” instead of “not”? Because the next sentence seems to contradict that.

You’ll want to be careful what you set the rules’ destinations to. What addresses is LAN_WLAN an alias for? The first thing I do on any new install of pfSense is to create a Local_networks alias containing the RFC 1918 and RFC 4193 networks:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
  • fd00::/8

Whenever I want a rule to target “the internet”, I set it to the negation of that alias.

In your second screenshot, you’re specifically sending traffic to the IOT net through the VPN. Why?
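To make the alias advice concrete, here is an added example (not from the thread or from pfSense) that models the top-down, first-match evaluation of a pass rule list with a Local_networks alias built from the four networks above. The gateway names `default` and `OPENVPN_GW` are placeholders, and "negate" stands in for the "Invert match" checkbox on a rule's destination. The second rule set reproduces the symptom described earlier in the thread: a broad pass rule on the default gateway sitting above the VPN rule sends internet traffic out the WAN.

```python
import ipaddress

# Constructed Local_networks alias: RFC 1918 private ranges plus RFC 4193 ULA space.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8",        # RFC 1918
    "172.16.0.0/12",     # RFC 1918
    "192.168.0.0/16",    # RFC 1918
    "fd00::/8",          # RFC 4193 unique local addresses
)]


def in_alias(address, alias):
    """True if address lies inside any network of the alias (same address family only)."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in alias if net.version == addr.version)


# Rules are evaluated top-down and the first match wins. "negate" models the
# "Invert match" checkbox on the destination field; an empty alias with negate=True
# behaves like destination "any". Gateway names are hypothetical placeholders.
RECOMMENDED_RULES = [
    {"name": "pass to Local_networks, default gateway",
     "dest": LOCAL_NETWORKS, "negate": False, "gateway": "default"},
    {"name": "pass to !Local_networks via VPN",
     "dest": LOCAL_NETWORKS, "negate": True, "gateway": "OPENVPN_GW"},
]

# The kind of rule set that leaks: a broad pass rule on the default gateway above the VPN rule.
BROAD_RULES = [
    {"name": "pass to any, default gateway",
     "dest": [], "negate": True, "gateway": "default"},
    {"name": "pass to !Local_networks via VPN",
     "dest": LOCAL_NETWORKS, "negate": True, "gateway": "OPENVPN_GW"},
]


def select_gateway(address, rules):
    """Return the gateway chosen by the first matching pass rule, or None (implicit deny)."""
    for rule in rules:
        matched = in_alias(address, rule["dest"])
        if matched != rule["negate"]:
            return rule["gateway"]
    return None


def internet_leaks_to_default(rules, probe="203.0.113.10"):
    """True if an internet destination (TEST-NET-3 probe address) would bypass the VPN gateway."""
    return select_gateway(probe, rules) == "default"


if __name__ == "__main__":
    for dst in ("192.168.52.141", "fd00::1", "203.0.113.10", "2001:db8::1"):
        print(f"{dst:>16} recommended -> {select_gateway(dst, RECOMMENDED_RULES)}"
              f"   broad -> {select_gateway(dst, BROAD_RULES)}")
    print("broad rule set leaks internet traffic to WAN:", internet_leaks_to_default(BROAD_RULES))
```

Run as-is to see that the recommended ordering keeps local VLAN destinations on the default gateway while everything outside the alias goes to the VPN gateway, whereas the broad rule set routes internet destinations to the default (WAN) gateway because the first rule matches everything before the VPN rule is ever reached.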

My overall goals are to 1) provide per-device access to the VPN for accessing outside the network and 2) for certain subdomains (such as WLAN and LAN) to allow for one-way access to them while blocking all others.

To answer your questions directly.

Yes, I am trying to allow access to the other subdomains from the TESTNETWORK while still using the VPN as the gateway. This is something that I’ve been unable to get sorted so far.

My intent is not to send traffic to the IOT through the VPN–I believe that this is an error on my part. I’d like to keep everything local where/when possible.

The LAN_WAN is an alias which is used on other subdomains on VLANS which I’m preventing access from. For instance, I have an IoT subdomain that I have the firewall rule which prevents access to my LAN and WLAN subdomains.

Hope that helps to clear anything up. I’ll double check the rules again and see if I can reconcile my current setup with your recommendations. Thanks again!

I feel like I’m actually going backwards. I’ve tried adding the following rule just to see if I can reach other subnets/VLANS and I can’t even do that.

Is there something that I’m missing here on why, when connected to TESTNETWORK 192.168.100.X that I can’t browse to any other local subdomain including 192.168.52.141, etc?

Checking the firewall logs when pinging from TESTNETWORK I receive the following logs. I’ve disabled all IPv6, but for some reason it appears only to be using this to ping?