• Multiple different DNS servers

    3
    0 Votes
    3 Posts
    537 Views

    Thanks John. So under my computer that is 192.168.10.11 I can point to getflix DNS. That same computer on the VPN network is 192.168.40.11, I can put the AIRVPN server there? Will that prevent AIRVPN leaking my DNS? Are the DNS settings under general left blank?

  • dns resolver not resolving dns names

    11
    0 Votes
    11 Posts
    1k Views

    pfSense DNS Resolver

    Similarly, if you are using pfSense’s internal DNS resolver service, you’ll want to adjust that configuration. In the pfSense web UI, go to Services > DNS Resolver, click Display Custom Options, and enter the following in the text box:

    server:
    private-domain: "plex.direct"

    But it wasn't just this that pfsense crashed on; it crashed while I was installing openvpn client exporter, so I really don't know why it kept on crashing.

    In the end I installed OPNsense and added the custom dns config and also set up openvpn server, and it all works perfect now.

    For the time being I'm going to use OPNsense but it is far less superior than pfsense.

  • 2.4.4 generated config file cannot be parsed by unbound.

    13
    0 Votes
    13 Posts
    1k Views

    @jimp Got the image file, flashed a USB stick, clean reinstall succeeded. Restored my config and rebooted; everything back to normal. :D Thanks again jimp.

  • 0 Votes
    8 Posts
    2k Views
    Snowaks

    Yes, I understand that. The high latency connection will run into timeouts; nothing you can do to change that. Caching with unbound may alleviate some of the problems, but there are so many settings he can do that will help with high latency. Also setting up squid would help as well. Also you may confuse him by saying forwarding mode, as there are two options he can use: Unbound/Resolver and Forwarder.

  • DNS Resolver return a wrong answer

    2
    0 Votes
    2 Posts
    241 Views

    I just updated my pfSense in 2.4.4 and it's ok

  • DNS OVER TLS GETDNS and STUBBY Amended Package Creation

    1
    0 Votes
    1 Posts
    457 Views
    No one has replied
  • DNS over TLS resolution with Multi WAN

    1
    0 Votes
    1 Posts
    207 Views
    No one has replied
  • 0 Votes
    1 Posts
    146 Views
    No one has replied
  • DNS over TLS with SSL validation is working in 2.4.4-RELEASE!!!

    3
    1 Votes
    3 Posts
    480 Views

    Yes, this is true, but I'm excited to see that things are moving in the right direction. It is still possible to confirm certs visually in the logs. This feature will be a huge asset when the code matures. I'm not sure how fast the features will make it into pfSense absent another rebase. I'm hoping that FreeBSD sees fit to propagate the code back, but I don't know their policies on backporting features like that.

  • 0 Votes
    4 Posts
    666 Views

    @johnpoz I've set the monitor of gateway to NOT action on actions, but it appears that something is happening, extreme lag is occurring on my connection:
    Oct 1 21:55:24 dpinger WAN_DHCP 75.133.112.1: Alarm latency 9423us stddev 1594us loss 21%
    Oct 1 21:56:42 dpinger WAN_DHCP 75.133.112.1: Clear latency 9486us stddev 1748us loss 5%
    Oct 1 21:57:19 dpinger WAN_DHCP 75.133.112.1: Alarm latency 9482us stddev 1888us loss 21%
    Oct 1 21:59:13 dpinger WAN_DHCP 75.133.112.1: Clear latency 9955us stddev 3258us loss 5%
    Oct 1 22:00:09 dpinger WAN_DHCP 75.133.112.1: Alarm latency 9197us stddev 2324us loss 21%
    Oct 1 22:01:39 dpinger WAN_DHCP 75.133.112.1: Clear latency 11927us stddev 5882us loss 5%

    Not sure what else I need to tweak. My traffic shaper upload has been set to 7MB/s out of 10MB/s. Still seeing lagging, but no disconnections.

  • I need HELP on DNS RESOLVER!

    78
    0 Votes
    78 Posts
    17k Views

    @emirefek

    Try this:

    Turn off forwarding mode, and DNS over TLS in unbound, because you are going to configure it manually at the top of the "custom options" box.

    Add the following text to the "custom options" box:

    ### TESTING DNS OVER TLS ON PORT 443
    server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
    forward-zone:
    name: "."
    forward-ssl-upstream: yes
    ### SERVERS on non-standard ports from:
    ### https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
    ### ^^^ THREE EXAMPLES FOR PORT 443, CHECK LINK FOR MORE ^^^
    forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
    forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
    forward-addr: 89.234.186.112@443#dns.neutopia.org
    ### QUAD9 SERVERS
    #forward-addr: 2620:fe::fe@853#dns.quad9.net
    #forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 2620:fe::9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
    ### CLOUDFLARE SERVERS
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    #forward-addr: 1.1.1.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    #forward-addr: 1.0.0.1@853#cloudflare-dns.com

    Turn logging up to level 4 on the advanced options page so that you can check that server authentication is taking place. Be sure to turn logging down when you are done. I think that authentication failures may not preclude service, so it is possible that someone could MITM your connection until unbound adds functions to prevent communicating with spoofed servers. At least I recall having read at some point that the functionality isn't there yet.

  • DNS problem with LTSP server on OPT

    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • Cannot resolve cdn.jsdelivr.net from LAN but fine from pfSense box itself

    17
    0 Votes
    17 Posts
    2k Views

    @johnpoz But like I said, the route is odd as visually it looks like both routes "should" have been the same, because it's bouncing around different routers to get to the same ones used in the quicker trace.

    Granted, it's likely this would not always be the case as Geo could "theoretically" make a difference, but it's unlikely due to how UK ISPs almost always only hit the Internet in London, regardless of where you are geographically located. They just don't bother with the cost of taking the quickest route from your location to their network and all the major peering and CDNs are in London anyway.

    I have a reasonable amount of experience looking into this as my old ISP was in my city and DID have their PoP within the city, using their own network. But even ISPs that did that before have fallen back onto leasing the telco virtual backhaul which again, aggregates everyone in London. It's a bit of a drag as I had a single-digit route to the Internet, but it is what it is.

  • Passing DNS queries through pfSense WAN

    1
    0 Votes
    1 Posts
    158 Views
    No one has replied
  • DNS Resolver: Unbound messages in the log

    1
    0 Votes
    1 Posts
    612 Views
    No one has replied
  • Reverse DNS With A Dynamic IPv6 Address

    1
    0 Votes
    1 Posts
    141 Views
    No one has replied
  • Sync Resolver data between remote sites?

    11
    0 Votes
    11 Posts
    655 Views
    johnpoz

    If you have pfsense you have bind with a gui - its 20 seconds to install the bind package. No need for "servers" etc..

  • How to configure DNS over TLS in 2.4.4?

    5
    0 Votes
    5 Posts
    1k Views
    wgstarks

    @thenarc
    Thanks for the info.

  • 1 Votes
    1 Posts
    2k Views
    No one has replied
  • The DNS Resolver is disabled or stopped.

    6
    0 Votes
    6 Posts
    2k Views

    Excellent! Happy to help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.