12th August 2017
afdruiprek
New User
Join Date: Jun 2017
Posts: 7
Route some IP addresses outside VPN

Hello, I’m a new member of this forum, but I have used it a lot before I became a member.

I have a router with pfSense but would like to change it in favor of OpenBSD pf.

My setup looks like this.

ISP **** ROUTER **** AP

I run one OpenVPN client on the router so that all machines on the wifi AP go through the VPN.

Now comes the problem: I would want some of the clients' IP addresses to be routed through the WAN (without VPN). I have tried different routing alternatives, but I haven't found anything that works.
Everything else seems to work, even the "killswitch".

Here is my pf.conf; any suggestions on optimizations would also be appreciated.
Thanks in advance!!
ext_if = "em0"              # External interface
int_if = "em1"              # Internal interface
vpn_if = "tun0"             # VPN interface

table <martians> {     \
                 }

set block-policy drop
set loginterface $ext_if
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT LAN traffic to whichever interface it actually leaves on
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

block in quick on $ext_if from <martians> to any
block return out quick on $ext_if from any to <martians>

block all
# Everything from the LAN is tagged so it can be recognised on egress
pass in on $int_if from $int_if:network to any tag NO_WAN_EGRESS keep state

# "Killswitch": tagged LAN traffic may never leave via the WAN interface
block quick on $ext_if tagged NO_WAN_EGRESS
#block return out quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
#pass in on $int_if inet

Last edited by ocicat; 12th August 2017 at 07:43 PM. Reason: Please use [code] & [/code] tags when posting file contents.
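One way to get the behaviour asked for above, as an added example that is not the poster's configuration: a table of bypass hosts gets a quick, untagged rule with route-to, so those hosts are forced out the WAN interface while the rest of the LAN keeps the tag and therefore the killswitch. The table contents and the WAN gateway address (wan_gw) are constructed placeholders, and the rule assumes the OpenBSD 6.1-era route-to syntax that takes an (interface gateway) pair; later releases take only the gateway address.

```pf
# Added example, not the poster's config: route selected LAN hosts out the WAN
# while every other LAN host remains VPN-only (killswitch preserved).
# Assumes OpenBSD 6.1-era "route-to ( interface gateway )" syntax.
ext_if = "em0"              # External interface
int_if = "em1"              # Internal interface
vpn_if = "tun0"             # VPN interface
wan_gw = "203.0.113.1"      # ISP next hop on $ext_if (placeholder value)

# LAN hosts that must NOT use the tunnel (constructed addresses)
table <vpn_bypass> persist { 192.168.1.50, 192.168.1.51 }

set block-policy drop
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# NAT to whichever interface the packet actually leaves on; this also
# covers bypass traffic that route-to sends out $ext_if.
match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
match out on $vpn_if inet from ($int_if:network) to any nat-to ($vpn_if:0)

block all

# Bypass hosts: matched first (quick) and deliberately left untagged, so the
# killswitch rule below never applies to them. route-to overrides the default
# route that the OpenVPN client installs via $vpn_if. Local LAN destinations
# are excluded so the router's own address is still reached normally.
pass in quick on $int_if inet from <vpn_bypass> to ! ($int_if:network) \
        route-to ($ext_if $wan_gw)

# Everyone else on the LAN is tagged and may only leave through the tunnel;
# if the tunnel goes down their traffic is dropped rather than leaking.
pass in on $int_if inet from ($int_if:network) to any tag NO_WAN_EGRESS
block quick on $ext_if tagged NO_WAN_EGRESS

pass out quick inet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the table contents with `pfctl -t vpn_bypass -T show`. From a bypass host, a "what is my IP" lookup should return the ISP address; from any other host it should return the VPN endpoint, and pulling the tunnel down should leave the tagged hosts without connectivity while the bypass hosts are unaffected.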
