Utilizing Policy Based Routing with Unifi, PIA, and pfSense: Directing My IoT External Traffic through PIA VPN

Introduction

This guide explains how to route specific network traffic through a VPN client on pfSense using Unifi’s policy-based routing. This setup allows you to manage your devices and subnets with Unifi’s Network app while benefiting from pfSense’s VPN capabilities. The result is a secure and private network experience without sacrificing speed.

This guide focuses solely on setting up policy-based routing and assumes you have already configured a VPN client on pfSense and segmented your Unifi network with subnets and VLANs.

Requirements

  • A Unifi Gateway (at least two WAN ports)
  • An active VPN Client
  • A pfSense router (with an unused port connected to the Unifi Gateway)

Overview

The final setup involves a few key components working together.

On pfSense, you’ll create a dedicated subnet (e.g., 10.99.3.0/24) and an interface on it (e.g., 10.99.3.15) that acts as the gateway for Unifi’s WAN2. Traffic arriving on this pfSense subnet is policy-routed into your VPN client, so it is encrypted before it leaves pfSense’s WAN connection (which sits on a Unifi subnet, e.g., 10.99.1.0/24) and finally exits through Unifi’s WAN1 (your ISP connection).

Here’s a simplified representation of the traffic flow:

Client device -(policy-based routing)-> Unifi WAN2 (10.99.3.10) -> pfSense subnet (10.99.3.0/24), via the pfSense interface (10.99.3.15) -> VPN gateway (traffic encrypted) -> pfSense WAN (10.99.1.15) -> Unifi “pfSense WAN” subnet (10.99.1.0/24) -> Unifi WAN1 (ISP)

Preparing pfSense

This guide assumes you’ve already set up a VPN client on pfSense and configured the necessary NAT rules.

Setting the Interface

  1. Create a new interface and subnet for Unifi’s WAN2 connection: Interfaces > Assignments > select an available Network port > Add.
  2. Configure the new interface: Enable the interface and assign a static IP address within a subnet that won’t clash with existing Unifi/pfSense subnets (e.g., 10.99.3.15/24). Ensure the prefix length places both the Unifi WAN2 address and the pfSense interface address in the same subnet, so the two can talk to each other directly.

Outbound NAT Rules

  1. Switch the outbound NAT mode to Hybrid: Firewall > NAT > Outbound > select Hybrid > Save.
  2. Create rules that send the new Unifi WAN2 subnet’s traffic (e.g., 10.99.3.0/24) out through the VPN interface instead of the WAN. You’ll need rules for both regular traffic and ISAKMP traffic: a Localhost to VPN rule, an ISAKMP Localhost to VPN rule, a LAN (subnet) to VPN rule, and an ISAKMP LAN (subnet) to VPN rule.
  3. Adjust the rules with your specific VPN interface, subnets, and gateway information.

Firewall in pfSense

  1. Create an allow rule for the new interface: Firewall > Rules > select your new interface > Add > allow traffic from any source/port to any destination/port > under Advanced, set the gateway to your VPN gateway > Save.
  2. Create a block rule for the new subnet, placed below the allow rule, to prevent unencrypted traffic leaks: Firewall > Rules > select your new interface > Add > set Action to Block > under Source, input your subnet (e.g., 10.99.3.0/24) > Save. pfSense evaluates rules top-down and applies the first match, so the block rule only does its job if it sits below the allow rule; and because pfSense by default falls back to the default gateway when a policy-routing gateway is down, enable System > Advanced > Miscellaneous > “Skip rules when gateway is down” so the allow rule is bypassed and the block rule catches traffic while the VPN is unavailable.

Preparing Unifi

Assign WAN2

  1. Configure Unifi’s WAN2: Settings > Internet > select the second WAN option.
  2. Connect the cable from your pfSense interface to the WAN2 port.
  3. Set a static IP address within the designated subnet (e.g., 10.99.3.10) and use the pfSense static address as the gateway (e.g., 10.99.3.15) > Save.
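Before plugging the cable in, it is worth checking that the addresses chosen in the Setting the Interface and Assign WAN2 steps are mutually consistent. The following is an added example (not from the original post) that validates such a plan with Python’s standard `ipaddress` module; the addresses are the post’s examples plus a constructed 10.99.2.0/24 IoT VLAN, so substitute your own.

```python
"""Sanity-check the addressing plan for the pfSense <-> Unifi WAN2 transit link.

Added example, not from the original post. The values used in __main__ are
the post's example addresses plus a constructed IoT VLAN (10.99.2.0/24).
"""
from ipaddress import ip_address, ip_interface, ip_network


def check_plan(pfsense_iface: str, unifi_wan2: str, unifi_gateway: str,
               existing_subnets: list[str]) -> list[str]:
    """Return a list of problems with the plan (an empty list means it is consistent).

    pfsense_iface    - address/prefix assigned to the new pfSense interface (e.g. 10.99.3.15/24)
    unifi_wan2       - static address given to Unifi WAN2 (e.g. 10.99.3.10)
    unifi_gateway    - gateway entered on Unifi WAN2 (must be the pfSense interface address)
    existing_subnets - subnets already in use on Unifi/pfSense that must not overlap
    """
    problems = []
    iface = ip_interface(pfsense_iface)
    transit = iface.network
    wan2 = ip_address(unifi_wan2)
    gw = ip_address(unifi_gateway)

    # Host addresses must not be the network or broadcast address of the transit subnet.
    for name, addr in (("pfSense interface", iface.ip), ("Unifi WAN2", wan2)):
        if addr in (transit.network_address, transit.broadcast_address):
            problems.append(f"{name} {addr} is the network/broadcast address of {transit}")

    # Unifi WAN2 must sit inside the pfSense interface's subnet, or it cannot reach its gateway.
    if wan2 not in transit:
        problems.append(f"Unifi WAN2 {wan2} is outside the pfSense subnet {transit}")
    if wan2 == iface.ip:
        problems.append(f"Unifi WAN2 and pfSense interface both use {wan2}")

    # The gateway Unifi uses must be the pfSense interface address itself.
    if gw != iface.ip:
        problems.append(f"Unifi WAN2 gateway {gw} is not the pfSense interface address {iface.ip}")

    # The transit subnet must not overlap anything already routed on either side.
    for cidr in existing_subnets:
        other = ip_network(cidr, strict=False)
        if transit.overlaps(other):
            problems.append(f"transit subnet {transit} overlaps existing subnet {other}")
    return problems


if __name__ == "__main__":
    # Post's example addresses; 10.99.2.0/24 is a constructed IoT VLAN.
    result = check_plan("10.99.3.15/24", "10.99.3.10", "10.99.3.15",
                        ["10.99.1.0/24", "10.99.2.0/24"])
    for line in result or ["plan is consistent"]:
        print(line)
```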

Policy-Based Routing

  1. Set up the routing rule: Settings > Traffic Management > Routes > Create New Route.
  2. Define the traffic to be routed. For instance, select your IoT subnet as the source and WAN2 as the destination.

All traffic routed through WAN2 will now be encrypted through your VPN.

Licensed under CC BY-NC-SA 4.0