Let me know if I should move this to a new post...
Scenario:
By default all pfSense (ver 2.3.4) traffic goes out WAN interface. I added 1 firewall rule, for 1 specific IP address that will use the VPN. Pings / HTTP from that machine work fine when the firewall rule is disabled. Fail once enabled.
VPN Status:
- The pfSense dashboard shows the VPN as UP and shows an IP address.
- The Interface statistics widget shows small but increment packet counts as does the interface graph.
NAT Rule
- I duplicated the NAT rule for "192.168.0.0/24 LAN-WAN" and changed the interface to "OpenVPN". I'm not sure if this should be "OpenVPN" or "VPN" I tried both, neither worked, guides I found seemed to favor "OpenVPN" so I left it at this.
- New NAT rule is set for Protocol: Any, Source Network 192.168.0.0/24, Address: Interface Address
The Firewall Rule:
- Created on the LAN interface, placed at the top of the list.
- Action: Pass, Interface: LAN, Address Family: IPv4, Protocol: Any, Source single host: 192.168.0.236, destination: Any
- Advanced Options / Gateway is set to the VPN Gateway
Interface:
- Named VPN previously OPT2 assigned to port "ovpn2". This is the UDP version of the client which is enabled. ("ovpn1" is the TCP client, and that is disabled.)
System > Routing >Gateway:
- VPN_VPNV4, Interface: VPN, Gateway IP and Monitor IP show an External IP address of the VPN provider, Same IP address listed in the pfSense dashboard for the VPN.
- NOTE: The host that the firewall rule applies to CAN PING this external IP address no problem, but is not able to ping www.google.com or a google IP such as 172.217.3.36.
The pfSesne box, is a physical machine. It is not in a VM. Client hosts are physical machines attached to an unmanaged switch on the pfsense LAN interface, thus no VLANS.
The pfSense WAN interface is connected to a Verizon FIOS router. Other than change Admin password this is mostly a default config from Verizon. I did make the IP Addresses assigned to pfSense static IP mapping to make sure it gets the same IP address every time. I currently use the Verizon WiFi as my guest network.
State Table:
The firewall rule, is picking up a state when I test PING from the machine.
If I test with "ping google.com" I get the following:
Interface: LAN
Protocol: udp
Source/Destination: 192.168.0.236:54555 -> 8.8.8.8:53
State: NO_TRAFFIC:SINGLE
Packets: 2 / 0
If I test with "ping 172.217.3.36" I get the following:
Interface: LAN
Protocol: icmp
Source/Destination: 192.168.0.236:60269 -> 172.217.3.36:60269
State: 0:0
Packets: 23 / 0