Prevent certain host from going through the VPN network

Got a problem with Viscosity or need help? Ask here!

bip

Posts: 4
Joined: Sun Oct 02, 2016 9:59 pm

Post by bip » Sun Oct 02, 2016 10:17 pm
Hello,

I have viscosity running on a mac mini which serves as my gateway/firewall.
All my local clients are routed through the mac mini so all traffic to the internet goes through the VPN connection.
So far so good.
Now I want to exclude one of my clients from the VPN connection. I tried several ways with pf firewall rules without success.
I know that I can tell viscosity that certain destinations shall be excluded from the VPN connection. But this is not what I'm looking for.
Maybe I can route traffic from a specific host around the VPN with the help of pf or an entry in the routing table?

Cheers
bip

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Oct 04, 2016 12:26 pm
Hi bip,

What you're trying to do should be possible using pf, but I'm afraid it's beyond the scope we can offer support for. Hopefully someone in the community will be able to offer you some advice. It's certainly possible using iptables on Linux, as I've personally mucked around with similar setups in the past, so it should be something that is possible using pf.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

bip

Posts: 4
Joined: Sun Oct 02, 2016 9:59 pm

Post by bip » Wed Oct 05, 2016 9:41 pm
Ok, thank you James. Knowing that it should be possible motivates me to do further investigations :)

bip

Posts: 4
Joined: Sun Oct 02, 2016 9:59 pm

Post by bip » Sun Oct 09, 2016 8:33 am
For anyone who might be interested in the solution: The magic keyword is "route-to":

# Route some IPs directly to the fritzbox instead of NATing them through the VPN tunnel
# ($internal_if: LAN-facing interface; $fb_if / $fb: interface towards the FritzBox and its address;
#  $pc1, $bipad: the hosts to exclude; all presumably macros defined earlier in pf.conf)
pass in on $internal_if route-to ($fb_if $fb) from {$pc1, $bipad} to any
pass out on $fb_if from {$pc1, $bipad} to any
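For readers who want to see the route-to trick in the context of a whole ruleset, here is a complete pf.conf fragment. It is an added example, not bip's actual configuration: the interface names, addresses, the macro names `vpn_if`, `bypass` and `lan`, and the two `nat` lines (bypass hosts must be masqueraded behind the FritzBox-facing interface rather than the tunnel) are assumptions; only the two `route-to`/`pass out` rules reflect what the post above shows.

```pf
# --- Macros (constructed example values, replace with your own) ---
internal_if = "en0"                          # LAN-facing interface of the Mac mini
fb_if       = "en1"                          # interface towards the FritzBox (ISP router)
fb          = "192.168.178.1"                # FritzBox address: next hop for bypass traffic
vpn_if      = "utun1"                        # Viscosity tunnel interface (check with ifconfig)
lan         = "192.168.1.0/24"               # local client network
bypass      = "{ 192.168.1.10, 192.168.1.11 }"  # hosts that must NOT use the VPN

# --- Translation (pf requires nat rules before filter rules) ---
# Ordinary LAN clients leave through the tunnel and are masqueraded behind its address.
nat on $vpn_if from $lan to any -> ($vpn_if)
# Bypass hosts are masqueraded behind the FritzBox-facing interface instead.
nat on $fb_if from $bypass to any -> ($fb_if)

# --- Filtering / policy routing ---
# Packets from bypass hosts arriving on the LAN are handed to the FritzBox next hop,
# overriding the default route (which points into the VPN). "quick" stops rule
# evaluation so a later, more general pass rule cannot undo the route-to.
pass in quick on $internal_if route-to ($fb_if $fb) from $bypass to any
pass out quick on $fb_if from $bypass to any

# Everything else from the LAN follows the routing table, i.e. the VPN tunnel.
pass in on $internal_if from $lan to any
pass out on $vpn_if from $lan to any
```

Check the syntax without loading it using `sudo pfctl -nf /etc/pf.conf`, then load with `sudo pfctl -f /etc/pf.conf` and inspect with `sudo pfctl -sr` (filter rules) and `sudo pfctl -sn` (nat rules). To confirm the split actually works, compare the public address seen from a bypass host with that seen from a normal client: the bypass host should show the ISP address, the others the VPN exit. Keep in mind that the bypass hosts now leave the network without any of the tunnel's confidentiality, so the list in `$bypass` deserves the same scrutiny as any other firewall exception.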