Introduction. VPNs are a useful tool for protecting web traffic on untrusted networks such as coffee-shop Wi-Fi: the tunnel encrypts everything between your device and the VPN endpoint, so nothing on the local network can read or alter it on that leg of the trip. Most of those untrusted networks use no encryption and/or no client isolation, so unencrypted traffic is easily sniffed and possibly manipulated. A VPN is also useful at home, whether you suspect your ISP of traffic shaping or simply want extra peace of mind after the recent news about browsing histories being sold to the highest bidder. This post describes how to make traffic from certain IPs bypass the VPN tunnel and route normally through your ISP, which is handy for Netflix, since it actively blocks VPNs. The good news is that a split tunnel is straightforward in pfSense, really consisting of two simple steps, but I assume you already have a tunnel of some kind set up, along with a LAN rule that sends traffic through it.
Step I: Create a firewall alias. Load up the pfSense web UI, navigate to Firewall >> Aliases and add a new alias. Name it what you want and enter the LAN addresses that should bypass the tunnel, either an entire subnet in CIDR notation or individual IPs such as those shown below. The rule in Step II matches on the client's source IP, so those hosts should have static addresses or DHCP reservations; otherwise a lease change silently drops them back into the tunnel.
Step II: Create a new firewall rule. Next, navigate to Firewall >> Rules >> LAN and create a new rule. Set Action = Pass, Interface = LAN, Address Family = IPv4, Protocol = Any. Under Source, choose the alias you created in Step I. Under Gateway (in the rule's advanced options) select your WAN gateway, in my case the PPPOE interface; this is what turns a plain pass rule into a policy-routing rule. All the rest of the options can be left at their defaults. Hit Save. pfSense evaluates the rules on an interface top to bottom and the first match wins, so next drag the rule you just created above the VPN rule, as shown below; if it sits below a broader VPN rule, it never matches and the hosts stay inside the tunnel. Hit Apply.
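To make the ordering point concrete, here is a small Python model of how a LAN host is assigned a gateway under the two steps above. It is an added example, not code from the original post or from pfSense itself: the alias names, addresses and gateway names (Bypass_VPN, LAN_net, WAN_PPPOE, VPN_GW) are made up, and the evaluation loop only models first-match semantics, not every detail of pf. The audit function expands the alias (including a CIDR subnet) to individual hosts and reports any that would not leave via the WAN gateway, which is the check you would want before trusting the split tunnel.

```python
"""First-match model of pfSense LAN rule evaluation for a VPN split tunnel.

Added example, not part of the original post. Alias names, IPs and gateway
names are assumptions made up for the illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed aliases (Step I). An alias may mix single hosts and subnets.
ALIASES = {
    "Bypass_VPN": ["192.168.1.50", "192.168.1.64/27"],  # hosts that skip the tunnel
    "LAN_net": ["192.168.1.0/24"],                        # everyone on the LAN
}


@dataclass
class Rule:
    name: str
    source: str          # alias name or "any"
    gateway: str         # policy-routing gateway: "WAN_PPPOE", "VPN_GW", ...
    action: str = "pass"


def alias_matches(alias, ip):
    """True if ip is covered by any host or subnet entry of the alias."""
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in ALIASES[alias])


def first_match(rules, src_ip):
    """pfSense evaluates interface rules top to bottom; the first match wins."""
    for rule in rules:
        if alias_matches(rule.source, src_ip):
            return rule
    return None  # no rule matched: pfSense's implicit default deny


def gateway_for(rules, src_ip):
    """Gateway a packet from src_ip is policy-routed to, or 'blocked'."""
    rule = first_match(rules, src_ip)
    if rule is None or rule.action != "pass":
        return "blocked"
    return rule.gateway


def audit_bypass(rules, alias, expected_gateway):
    """Expand the alias to host addresses and return those NOT routed to
    expected_gateway, so a single misordered rule or stray IP shows up."""
    wrong = []
    for entry in ALIASES[alias]:
        net = ipaddress.ip_network(entry, strict=False)
        hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for host in hosts:
            if gateway_for(rules, str(host)) != expected_gateway:
                wrong.append(str(host))
    return wrong


# Step II done wrong: the bypass rule was saved but left below the VPN rule.
WRONG_ORDER = [
    Rule("Route LAN via VPN", "LAN_net", "VPN_GW"),
    Rule("Bypass VPN for Netflix box", "Bypass_VPN", "WAN_PPPOE"),
]
# Step II done right: the bypass rule dragged above the VPN rule.
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0]]

if __name__ == "__main__":
    for label, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        misrouted = audit_bypass(rules, "Bypass_VPN", "WAN_PPPOE")
        print(f"{label}: 192.168.1.50 -> {gateway_for(rules, '192.168.1.50')}, "
              f"192.168.1.10 -> {gateway_for(rules, '192.168.1.10')}, "
              f"bypass hosts misrouted: {len(misrouted)}")
```

With the rules in the wrong order every member of the alias still lands on VPN_GW, because the broad LAN_net rule matches first; with the bypass rule on top, the alias hosts get WAN_PPPOE and everyone else keeps using the tunnel.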
Conclusion. If all was set up correctly, the IPs you designated in Step I should go out to the Internet regularly via your ISP and not through the tunnel; you can confirm this by checking the public address one of those hosts is seen with, which should be your ISP's rather than the VPN provider's. Note: your ISP can still traffic shape and collect information about this data. Two further caveats: the rule only policy-routes packets sourced from those IPs, so DNS lookups that pfSense's own resolver performs on their behalf still leave via the default route; and if the WAN gateway is ever marked down, the bypass does not hold, since pfSense by default loads the rule without its gateway (and skips the rule entirely if "Skip rules when gateway is down" is enabled under System >> Advanced >> Miscellaneous), so that traffic falls through to the VPN rule or the default route.