
Topic: Force ALL traffic over VPN Gateway

AndrewBucklin
Force ALL traffic over VPN Gateway
« on: February 08, 2018, 11:34:05 pm »
Been working on this for a few hours now and hoping someone can help me out.

I have two gateways: the WAN connection (100.100.100.100) and an OpenVPN client connection to an OpenVPN server at a remote location.

Using firewall rules and Outbound NAT, I have been able to successfully route all traffic from a specific VLAN over the OpenVPN connection. Verified this by going to www.IP4.me from a client on that VLAN; the public IP displayed was that of the remote site.

PROBLEM: When the client on the VLAN tries to access the WAN IP (100.100.100.100), they bypass the OpenVPN tunnel. Is this due to NAT reflection? NAT reflection is not desired for traffic from this VLAN. Of course this means that traffic destined for servers behind 100.100.100.100 will first need to traverse the OpenVPN connection, exit to the internet at the remote site, and then traverse the internet back to the pfSense box, but that is what is desired for this VLAN for various reasons.

Any thoughts? Thanks in advance. 8)
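As an added illustration (not part of the post, and not the ruleset pfSense itself generates), the policy-routing setup described above written as a raw pf.conf fragment. Interface names, the VLAN subnet and the tunnel gateway address are assumed placeholders. The tag on the route-to rule lets a block rule on WAN catch traffic that leaks out the default route, which is useful because outbound NAT rewrites the source before an out-direction filter rule on WAN would see it.

```pf
# Added example, not from the thread: raw pf syntax for "send everything from
# one VLAN through the OpenVPN client". All names and addresses below are
# assumed for illustration.
wan_if   = "igb0"             # WAN interface, holds 100.100.100.100
vlan_if  = "igb1.20"          # the VLAN whose traffic must use the tunnel
ovpn_if  = "ovpnc1"           # OpenVPN client interface (assumed name)
ovpn_gw  = "10.8.0.1"         # tunnel endpoint at the remote site (assumed)
vlan_net = "192.168.20.0/24"  # the VLAN's subnet (assumed)

# Outbound NAT on the tunnel: the remote site has no route back to the VLAN
# subnet, so traffic leaving via the tunnel must carry the tunnel address.
nat on $ovpn_if inet from $vlan_net to any -> ($ovpn_if)

# Policy routing: match the VLAN's traffic on its way in and force it out the
# tunnel regardless of the routing table. 'quick' keeps later, broader pass
# rules from overriding the decision; the tag marks the state for the leak
# check below (tags survive NAT, source addresses do not).
pass in quick on $vlan_if inet from $vlan_net to any \
    route-to ($ovpn_if $ovpn_gw) keep state tag VLAN_VIA_TUNNEL

# Leak check: anything tagged above must never egress the WAN interface
# directly (e.g. while the tunnel is down and the default route takes over).
block out quick on $wan_if tagged VLAN_VIA_TUNNEL
```

Verify with `pfctl -vvsr` that the route-to rule is hit and, from a VLAN client, that the egress IP shown by an external lookup is the remote site's; a rising counter on the block rule means traffic tried to fall back to WAN.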

viragomann
Re: Force ALL traffic over VPN Gateway
« Reply #1 on: February 09, 2018, 06:40:22 am »
You cannot route traffic destined to an IP assigned to one of the router's interfaces over a remote gateway. That has nothing to do with NAT reflection; it's just how routing works in general.

AndrewBucklin
Re: Force ALL traffic over VPN Gateway
« Reply #2 on: February 09, 2018, 03:52:40 pm »
That's what I was afraid of. I guess I was just hoping there would be some way to "trick" it, like with a virtual IP or something. :-\

In that case, let me share one of the reasons for trying to do this: currently, there are dozens of NAT rules and associated firewall rules on the 'WAN' interface to allow the general public access to web-facing servers and applications. Users on this VLAN should also have access to the same web-facing servers and applications, but not to other servers on the production VLAN (such as database servers, backup servers, etc.). Any way to accomplish this without manually duplicating each rule from the 'WAN' interface to the 'VLAN' interface's firewall rule tab?

Thanks!