pfSense - Multiple Adapters with Multiple Subnets with Multiple Gateways

Discussion in 'Networking' started by SycoPath, Dec 7, 2016.

  1. SycoPath

    SycoPath Active Member

    Oct 8, 2014
    OK, I've been poking at this for 2 hours now and I can't figure out what I'm missing.

    Internet-----------------WAN (em0)-------- |-----------|--------VMX0-----------(
    | pfSense |
    Internet-----WAN (em0)----OpenVPN----|-----------|--------VMX1----------(

    Interfaces in pfSense:
    WAN (em0)
    LAN (VMX0,
    VPN (VMX1,
    ovpnc1 (Virtual openvpn adapter)

    My goal is for any traffic from the network to only go through OpenVPN. I have also segregated this network on its own adapter (VMX1) and vSwitch in ESXi. I do want to enable SELECTIVE traffic on specific ports to specific IPs to cross from to For now though, I'll settle for all traffic passing and restrict it later. I do want to make a DENY rule for anything on to never be able to leave without passing through the ovpnc1 adapter.

    I have pfSense running as a VM. Everything works as expected but I can't get VMX1 ( to connect to the internet. I know OpenVPN works because if I set a gateway in Firewall-->Rules-->LAN pass Any rule to the ovpnc1 gateway, all traffic from VMX0 ( goes through it and my public IP changes (verified with WTF is my IP?!?!?? ). I also turned on Manual Outbound NAT and copied the rules to the ovpnc1 interface and NAT works for the network.

    The DHCP server on VPN (VMX1) is working assigns to my Ubuntu host, but it has no internet connectivity. ping (address set in Interfaces-->VPN-->Static IPv4) works. ping results in "Network is unreachable". I created a pass ANY protocol ANY destination from source network in Firewall-->Rules-->VPN and set the gateway of ovpnc1.

    What did I do wrong here or what did I forget to do? I thought about using static routes, but the ovpnc1 adapter is a dynamic IP so I don't want my static routes to break every time it changes. I can screenshot stuff if needed, just let me know.

    Thanks much!
    Last edited: Dec 7, 2016
  2. gigatexal

    gigatexal I'm here to learn

    Nov 25, 2012
    Sub'd because I am curious, too.
  3. fractal

    fractal Active Member

    Jun 7, 2016
    I am no expert but pfSense static routes go to gateways, not IP addresses. I have routes going to gateways associated with interfaces that get a DHCP address and they "just work". I don't know enough about OpenVPN to know whether it creates a gateway you can add to a route.

    The one "trick" was writing the firewall rule. I had to experiment to use the alias / gateway name in a firewall rule, but eventually got it to work.
  4. dlasher

    dlasher New Member

    Dec 9, 2016
    So what I'm doing is more like your original subject than what your explanation turned out to be, but I figured I'd share anyway.



    LOADBALANCE: ISP1 - tier1, ISP2 - tier1
    FAILOVER:    ISP1 - tier2, ISP2 - tier1

    PARENT LAN: IPv4 Default - Advanced - Gateway - Load Balance
    KID LAN:    IPv4 Default - Advanced - Gateway - Failover

    So the parents get to use both ISPs, in a load balanced fashion, that auto-magically fails over/back/forth. The kids get ISP2, which will fail over to ISP1, and back if it needs.