
pfSense: Maintaining LAN access when using rule-based gateways

It is increasingly common for people to integrate the use of a VPN into their lives, for reasons as varied as maintaining access to certain services, to evading the watchful eye of invasive regimes.

Whatever the reason, we tend to find this is commonly implemented on an end-device, or for the entire connection at the router level. Some of us however, wish to implement this for specific VLANs or even specific internal IP addresses.

Coming to do this recently on pfSense, I found it particularly easy to achieve. Merely set up the VPN as you usually would, then, in the firewall rules for the desired interface, create a rule stating that a specific IP is to use the VPN gateway. Add a quick outbound NAT entry to reflect the new path and all was well.


Except for one thing. Access to other internal resources was unfortunately no longer possible. I scratched my head for a long while, and utterly failed to find any online resource to assist. I suspected it may have had to do with NAT and Source IP rewriting, but was unsure.

Nevertheless, adding a rule ABOVE the redirected gateway to specifically allow access to the remainder of the VPN solved the issue.
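To make the ordering point concrete, here is a small first-match model of interface rule evaluation (an added example, not configuration from the post or from the pfSense project). It assumes a constructed topology: the policy-routed host is 192.168.1.50, the VPN gateway is named `VPN_GW`, and an alias `rfc1918` stands in for the private address ranges, the way an alias would be defined in pfSense. It shows that a gateway rule for the host captures traffic to other internal subnets too, and that a pass rule for those destinations placed above it, using the default gateway, restores internal access while still sending Internet-bound traffic through the VPN.

```python
"""Added example (not from the original post): a first-match model of
pfSense LAN rule evaluation, showing why a policy-routing rule that sends
one host's traffic to a VPN gateway also captures that host's traffic to
the local networks unless a pass rule for those destinations sits above it.

Addresses, gateway names and the rfc1918 alias are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed, not from the post).
LAN_HOST = "192.168.1.50"  # the one host we want routed through the VPN
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    src: str       # "any", or an address/network in CIDR form
    dst: str       # "any", "rfc1918" (an alias), or an address/network
    gateway: str   # "default" = system routing table, otherwise a named gateway


def matches(spec: str, addr: str) -> bool:
    """Does an address match a rule's source/destination specification?"""
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ip_address(addr) in net for net in RFC1918)
    return ip_address(addr) in ip_network(spec, strict=False)


def pick_gateway(rules: list[Rule], src: str, dst: str) -> str:
    """pfSense interface rules are first-match: the first pass rule whose
    source and destination both match decides which gateway is used.
    No match means the implicit default deny applies."""
    for rule in rules:
        if matches(rule.src, src) and matches(rule.dst, dst):
            return rule.gateway
    return "blocked"


# The ordering described in the post before the fix: the gateway rule
# matches *every* destination from LAN_HOST, local subnets included.
BROKEN = [
    Rule("host via VPN", LAN_HOST, "any", "VPN_GW"),
    Rule("default LAN allow", "any", "any", "default"),
]

# The fix: a pass rule ABOVE the gateway rule that keeps internal
# destinations on the default gateway (no gateway override).
FIXED = [
    Rule("keep LAN reachable", LAN_HOST, "rfc1918", "default"),
    Rule("host via VPN", LAN_HOST, "any", "VPN_GW"),
    Rule("default LAN allow", "any", "any", "default"),
]


def route_table(rules: list[Rule], src: str, dsts: list[str]) -> dict[str, str]:
    """Which gateway each destination would be sent to for a given source."""
    return {dst: pick_gateway(rules, src, dst) for dst in dsts}


if __name__ == "__main__":
    probes = ["192.168.2.10", "10.0.0.5", "8.8.8.8"]
    print("broken:", route_table(BROKEN, LAN_HOST, probes))
    print("fixed: ", route_table(FIXED, LAN_HOST, probes))
```

In the broken ordering the internal destinations come back as `VPN_GW`, which is exactly the symptom of losing access to other internal resources; in the fixed ordering they come back as `default` and only the Internet address still goes to the VPN. In the pfSense GUI the equivalent of the first rule is a pass rule whose destination is an alias of your internal networks (or the relevant interface network) with the gateway left at default, positioned above the rule that sets the VPN gateway.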