Port Forwarding stopped working after upgrading to 2.8.0
-
You can't use the ISPs DNS servers over the VPN. They are almost certainly only available from the WAN IPs so not via the VPN.
What do you have the DNS behaviour set to in General Setup?
That's important because it determines what pfSense can use to resolve the VPN servers (assuming you are still using FQDNs).

@comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:
If I have the No WAN egress so no VPN traffic can go out the WAN, but I get like my ISP DNS on the VPN or the 1.1.1.1 on the VPN as a DNS... does it matter?
You mean a firewall rule that blocks outgoing traffic on WAN? What exactly is that rule?
Does the setup work fine if you don't use VPNs at all?
-
So I turned off the traffic rule for VPN and the VPN traffic is going out the WAN.
So I guess my blocking rule isn't working. In the DNS leak test now you see for the VPN it went from 1 ISP and VPN DNS to now 2 ISP DNS.
-
So when I disable the VPN
and I use the Windows machine that's on the WAN
I get 1 DNS, the ISP, and I can't resolve a search in HD,
so it doesn't work right for WAN even though I disabled the VPN.
-
And here is where I re-activate the VPN rule in rules LAN.
This is on the Ubuntu VPN client's side. The web GUI points to Cloudflare but the DNS command line points to a PIA DNS and ISP DNS.
And this is the custom options for the one VPN:
persist-key; persist-tun; remote-cert-tls server; reneg-sec 0; auth-retry interact; dhcp-option DNS 10.0.0.243;
A few min later the ISP shows up on the dnsleaktest website on VPN clients.
Some articles/videos use ; and some remove it so I dunno what's right.
I followed both Lawrence Systems videos; neither use DNS Resolver and they don't address DNS of the ISP showing up on the VPN side or Cloudflare.
https://www.youtube.com/watch?v=ulRgecz0UsQ
https://www.youtube.com/watch?v=TglViu6ctWE
And I followed this Sheridan guy but it also doesn't cover DNS Resolver or DNS of the ISP or Cloudflare showing up on the VPN side.
https://www.youtube.com/watch?v=ffVPOaLCuMQ
I followed this guy's tutorial. Doesn't use DNS Resolver.. but also sets the PIA interface to use the WAN NAT Address in NAT Outbound.. where others use PIA Interface to go out the PIA NAT Address.
https://www.youtube.com/watch?v=SckOaNfptAA
So unless I really messed up somewhere I don't know why they show up on the VPN, as dnsleak.com also says leakage..
I even left them messages on how to stop the leakage and PIA customer service isn't willing to help.. they just stop replying and say go ask the community for help.
Also what's funny, if I disable the VPN so the VPN clients use WAN connect,
the Windows machine gets the ISP DNS... but the Ubuntu dnsleaktest website keeps pulling Cloudflare.. but the command line will just pull the ISP DNS.. I guess I'll try again, restart from scratch and just set up the VPN and WAN and a couple IPs, not the whole network.. as I can't figure out why things don't work and I'll just do 1 check box at a time and test cuz it's gotta be just 1 check box.. one semicolon, something in the wrong spot that's doing it...
-
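As an added example (not code from the thread, from pfSense or from PIA), the Python below splits a pfSense OpenVPN "Custom options" string on semicolons, which is how that field's help text says directives are separated, and reports which resolvers the `dhcp-option DNS` directives push to the client, flagging any that are not on an allowed list. The sample string is the one quoted above; the allowed set containing only 10.0.0.243 and the function names are assumptions for illustration.

```python
"""Added example: split a pfSense OpenVPN 'Custom options' string the way
pfSense does (semicolon-separated directives, one per line) and check which
DNS servers the 'dhcp-option DNS' lines push to the client.
Illustration code only; not part of pfSense or of the thread."""
import ipaddress

# Constructed sample: the custom options string quoted in the thread above.
CUSTOM_OPTIONS = (
    "persist-key; persist-tun; remote-cert-tls server; reneg-sec 0; "
    "auth-retry interact; dhcp-option DNS 10.0.0.243;"
)

# Assumption for illustration: the only resolver clients on this VPN should
# receive is the internal one pushed in the sample (10.0.0.243).
ALLOWED_DNS = {"10.0.0.243"}


def split_custom_options(text: str) -> list:
    """One directive per entry. pfSense treats ';' as the separator, so a
    trailing ';' or surrounding whitespace yields no empty directive."""
    return [d.strip() for d in text.replace("\n", ";").split(";") if d.strip()]


def pushed_dns_servers(directives) -> list:
    """Addresses from 'dhcp-option DNS <ip>' directives, in the order given."""
    servers = []
    for directive in directives:
        parts = directive.split()
        if len(parts) == 3 and parts[0] == "dhcp-option" and parts[1].upper() == "DNS":
            servers.append(parts[2])
    return servers


def check_dns_push(text: str, allowed=ALLOWED_DNS):
    """Return (ok, problems). Problems: a pushed DNS address that is not a
    valid IP or not in the allowed set, and the absence of any DNS push
    (nothing pushed means the client's existing resolver settings stay)."""
    problems = []
    servers = pushed_dns_servers(split_custom_options(text))
    if not servers:
        problems.append("no 'dhcp-option DNS' directive: client keeps its existing resolvers")
    for server in servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"invalid DNS address: {server!r}")
            continue
        if server not in allowed:
            problems.append(f"DNS server {server} is not in the allowed set")
    return (not problems), problems


if __name__ == "__main__":
    directives = split_custom_options(CUSTOM_OPTIONS)
    print("directives:", directives)
    print("pushed DNS:", pushed_dns_servers(directives))
    ok, problems = check_dns_push(CUSTOM_OPTIONS)
    print("ok" if ok else "problems: " + "; ".join(problems))
```

Running it on the quoted string yields six directives and a single pushed resolver, 10.0.0.243; a string that also pushes 1.1.1.1 is reported as a problem because that address is outside the allowed set, and a string with no `dhcp-option DNS` at all is reported too, since the client would then be left with whatever resolvers it already had.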
OK so your block rule to prevent leak relies on tagging traffic from clients. Where is that being tagged?
Can you search in the HD site before you added any of the VPN stuff? It looks more like something is blocked there. Like maybe you have pfBlocker with DNSBL enabled that's blocking something required for that search. Enabling the VPN with external DNS bypasses that.
-
@stephenw10 oh I guess I should have labeled the screen shots like sections.
So the WAN has the TAGGED section
and the VPN uses the TAG screen shot.
And I tried this morning and desktop Windows seems to be working; I let it rest cuz filter reload, states reset, ipconfig /flushdns didn't do anything..
So I'll test more to see if it's the pfBlocker if it fails later today.
And I have a question: if you have say 3 computers behind WAN or behind VPN and you run dnsleaktest, should they not all respond with the exact same DNS server? As my desktop comes back with my ISP (Windows machine)... Ubuntu comes back with cira-cloud1 DNS, Firefox Docker comes back with cira-cloud DNS or sometimes it comes back with cira-cloud1 plus my DSL DNS.
And on the VPN side I get the screen shots I sent: I get vpn datacamp but also the ISP DNS,, or on Ubuntu I get Cloudflare and on a Windows machine I get cira-tsi.tor.teksavv... DNS.
So I'm confused cuz dnsleaktests tell me I'm leaking; GUI dnsleak tests show different from the command line dnsleaktest.
Does the semicolon in the VPN custom options matter? As some use it, some don't use it.
And does it matter what DNS shows up on the VPN side if you block the VPN traffic going out the WAN.. I asked PIA customer service, they never bothered to even get back to me, poor service. Should have stuck with NordVPN.
-
Hmm, just to be clear you are talking about OpenVPN clients configured in pfSense? Connecting to PIA? Not a remote access OpenVPN server in pfSense?
The firewall rules applying the tags to traffic would need to be on the interface where traffic enters the firewall. So on LAN or some other internal interface.
And are you running any sort of DNS filtering like pfBlocker?
-
@stephenw10 hi
So I tested, ya, that pfBlocker is causing Home Depot search not to work right, so I guess they block Home Depot search engine IPs, however that works.. I tested over a couple days now where I had it enabled and let it rest or just reconfigure on its own.. and boom, can't search the Home Depot site.. I unblock it and in a few minutes I'm able to search on the Home Depot site.. so one of the IPs shouldn't be blocked but dunno how you check that.
As for the OpenVPN I have a few,
so I have
WAN --- clients no VPN
PIA OpenVPN USA --- clients to use VPN
PIA OpenVPN Canada -- clients to use VPN
Site To Site OpenVPN -- connect to my sister's pfSense, constant connection
Remote Access OpenVPN -- to let me log into my network from my cell phone or laptop
So firewall rules, all I have is the No WAN egress so the PIA VPN can't go out the WAN connect.
I do have the pfBlocker off currently
and for DNS I set it to ALL All for inbound outbound..
and the LAN I have it set so the VPN clients go out the PIA OpenVPN and the WAN go out the rest of the network.. but even with that set, on the PIA VPN side I get the ISP or the other DNS IPs as you've seen in the screen shot.
Now if there is other firewall routing I don't know them.. I only know how from the videos I posted..
-
You can look at the block logs in pfBlocker. It's probably a DNS entry rather than an IP that's blocked. Try disabling lists until it's accessible again.
-
@stephenw10 are the lists the items under Feeds? Where there is a white section, some gray and green highlighted areas.
If so, I'm going to try to see if I should disable them?
-
Yes the feeds contain the block lists for IPs and domains.