Netgate Discussion Forum

    Surfshark Wireguard VPN on Guest VLAN Blocking Some Content

    • PFgate

      Surfshark Wireguard VPN is running on my pfSense 2.8.0 Guest VLAN. It runs well. IoT devices (cameras, refrigerator) and TV devices (TVs, FireTV, etc.) on my Guest subnet run well.

      On our Android phones, several sites/apps do not populate. That’s what I want to fix. Sites/apps that don't fully work include Strava, Suunto, and one or more news sites. I have not tested every app. The Strava app loads but data does not populate. pfBlockerNG does not appear to be blocking this content.

      When I run surfshark.com/check on my phone while connected to my Guest network, the Surfshark IP and WebRTC info is correct. However, DNS addresses do not populate and therefore the Copy to clipboard button is not enabled.

      [screenshots]

      Guest Interface MSS clamping (MSS) is set to 1412. MTU is blank. I've tried other MSS values.

      Firewall Hybrid Outbound NAT rule.
      [screenshot]

      Surfshark Gateway
      [screenshot]

      Guest network Firewall rules.
      [screenshot]

      Guest Kea DHCP servers are not set to Surfshark DNS servers. I've tried both ways.
      [screenshot]

      DNS servers are not set in General Setup
      [screenshot]

      DNS Resolver settings
      [screenshot]

      • pst @PFgate

        @PFgate check that IPv6 is completely disabled on GUEST, that both RA and DHCPv6 are off, otherwise clients might try and connect with IPv6. The firewall log should tell you if there have been such attempts.

        I don't know if Surfshark supports IPv6 over their Wireguard tunnels, some VPN providers do, but you would need to configure a separate gateway for that, plus a FW rule on GUEST.

        • PFgate

          Thanks! Surfshark does not support IPv6.
          DHCPv6 Server is not running on Guest

          Guest VLAN IPv6 Configuration Type is None.
          [screenshot]

          Router Advertisement Router Mode is Disabled
          [screenshot]

          Added a Guest firewall rule at the top of the stack to block IPv6 traffic
          [screenshot]

          Also tested disabling IPv6 in the APN on my phone. Didn't help.

          We're still having problems with some apps/content on our phones.
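
The firewall-log check suggested in this thread, as an added example that is not part of either poster's messages: it scans lines exported from `/var/log/filter.log` for IPv6 packets seen on the guest interface and reports whether any were passed rather than blocked. It assumes pfSense's raw filterlog CSV layout; the interface name `igb1.30` and all addresses in the sample are constructed.

```python
from collections import Counter

# Constructed sample lines in pfSense's raw filterlog CSV layout. The interface
# name igb1.30 and every address are assumptions made up for this example.
SAMPLE_LOG = """\
Jun 10 12:00:01 pfSense filterlog[71234]: 4,,,1000000103,igb1.30,match,block,in,6,0x00,0x00000,64,UDP,17,40,fe80::a1b2:c3ff:fed4:e5f6,ff02::fb,5353,5353,40
Jun 10 12:00:02 pfSense filterlog[71234]: 88,,,1700000001,igb1.30,match,pass,in,4,0x0,,64,4321,0,DF,6,tcp,60,192.168.30.25,203.0.113.10,51514,443,0,S,1234567890,,65535,,mss
Jun 10 12:00:03 pfSense filterlog[71234]: 4,,,1000000103,igb1.30,match,block,in,6,0x00,0x00000,64,TCP,6,80,fe80::a1b2:c3ff:fed4:e5f6,2001:db8::10,40222,443,0,S,987654321,,65535,,mss
Jun 10 12:00:04 pfSense filterlog[71234]: 4,,,1000000103,igb0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,32,fe80::1,ff02::1
"""

def ipv6_attempts(log_text, interface):
    """Return IPv6 packets logged on `interface` (field 5 of the CSV payload)."""
    hits = []
    for line in log_text.splitlines():
        if "filterlog" not in line:
            continue
        # The CSV payload is the last space-delimited token of the syslog line.
        f = line.rsplit(" ", 1)[-1].split(",")
        # f[4]=interface, f[6]=action, f[8]=IP version; an IPv6 record then
        # carries class, flow label, hop limit, protocol, proto id, length, src, dst.
        if len(f) < 17 or f[4] != interface or f[8] != "6":
            continue
        has_ports = f[12].upper() in ("TCP", "UDP") and len(f) > 18
        hits.append({"action": f[6], "proto": f[12].upper(), "src": f[15],
                     "dst": f[16], "dport": f[18] if has_ports else ""})
    return hits

def summarize(hits):
    """Count attempts per (source, protocol, destination port, action)."""
    return Counter((h["src"], h["proto"], h["dport"], h["action"]) for h in hits)

def passed_ipv6(hits):
    """IPv6 packets that were passed, i.e. traffic that got around the block rule."""
    return [h for h in hits if h["action"] == "pass"]

if __name__ == "__main__":
    hits = ipv6_attempts(SAMPLE_LOG, "igb1.30")
    for key, count in summarize(hits).most_common():
        print(count, *key)
    print("passed IPv6 packets:", len(passed_ipv6(hits)))
```

Entries appear only for rules that have logging enabled, so the IPv6 block rule on the guest interface needs its log option set before this shows anything.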

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.