Port Forwarding stopped working after upgrading to 2.8.0

comet424

and here is where i re activate the VPN rule in rules LAN
this is on the ubuntu VPN clients side

the web gui points to cloudflare but the dns command line points to a PIA dns and ISP DNS

and this is the custom options for the one vpn

persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
auth-retry interact;
dhcp-option DNS 10.0.0.243;

a few minlater the isp shows up on dnsleaktest website on VPN Clients

some articles videos use ; and some remove it so i dunno whats right

i followed both lawerenc System Videos neither use dns resolver and they dont address dns of ISP showing up on the vpn side or cloudflare
https://www.youtube.com/watch?v=ulRgecz0UsQ
https://www.youtube.com/watch?v=TglViu6ctWE

and i followed this sheridan guy but also doesnt cover dns resolver or dns of isp or cloudflare showing up on the VPN side
https://www.youtube.com/watch?v=ffVPOaLCuMQ

i followed this guys tutorial. doenst use Dns Resolver.. but also sets the PIA interface to use the WAN NAT Address. in NAT Outbound.. where others use PIA Interface to go out the PIA NAT Address.
https://www.youtube.com/watch?v=SckOaNfptAA

so unless i really messed up somewhere i dont know why they show up on the vpn as dnsleak.com also says leakage..
i even left them messages on how to stop the leakage

and PIA customer service isnt willing to help.. they just stop replying and say go ask the community for help

also whats funny if i disable the VPN so the vpn clients use WAN connect
the windows machine gets the ISP DNS... but the ubuntu dnsleaktest website keeps pulling cloudflare.. but the command line will just pull the isp dns.. i guess ill try again restart from scratch and just setup the vpn and wan and a couple ips not the whole network.. as i cant figure it why things dont work and ill just do 1 check box at a time and test cuz its gotta be just 1 check box.. one semi colon something in the wrong spot thats doing it...

stephenw10

OK so your block rule to prevent leak relies on tagging traffic from clients. Where is that being tagged?

Can you search in the HD site before you added any of the VPN stuff? If looks more like something is blocked there. Like maybe you have pfBlocker with DNSBL enabled that's blocking something required for that serach. Enabling the VPN with external DNS bypasses that.

comet424

@stephenw10 oh i guess i should labeled the screen shots like sections

so the WAN has the TAGGED section

and the VPN uses the TAG screen shot so

and i tried this morning and desktop windows seems to be working i let it rest cuz filter reload states reset ipconfig /flushdns didnt do anything..

so ill test more to see if its the pfblocker if it fails later today

and i have question if you have say 3 computers behind WAN or behind VPN and you run dnsleaktest should they not all respond with the exact same dns server? as my desktop comes with my ISP windows machine... ubunutu comes back with cira-cloud1 dns Firefox docker comes back wit cira-cloud dns or sometimes it comes back with cira-cloud1 plus my DSL dns

and on the VPN side i get the screen shots i sent i get vpn datacamp but also the ISP dns,, or on ubuntu i get Cloudflare and a windows machine i get cira-tsi.tor.teksavv... dns

so i confused cuz dnsleaktests tell me i leaking gui dnsleak tests show different from the command line dnsleaktest

does the semi colon in the vpn custom options matter? as some use it some dont use it

and does it matter what dns shows up on the vpn side if you block the vpn traffic going out the wan.. i asked PIA customer service they never bothered to even get back to me poor service. should stuck with nordvpn

stephenw10

Hmm, just to be clear you are taking about OpenVPN clients configured in pfSense? Conneting to PIA? Not a remote access OpenVPN server in pfSense?

The firewall rules applying the tags to traffic would need to be on the interface where traffic enters the firewall. So on LAN or some other internal interface.

And are you running any sort of DNS filtering like pfBlocker?

comet424

@stephenw10 hi
so i tested ya that pf blocker is causing Home Depot Search not to work right so i guess they block home depot search engine ips however that works.. i tested over a couple days now where i had it enabled and let it rest or just reconfigure on its own.. and and boom cant search home depot site .. i unblock it and in a few minutes i able to search on the home depot site.. so one of the ips shouldnt be blocked but dunno how you check that

as for the openvpn i have a few

so i have
WAN --- clients no vpn
PIA OpenVPN USA --- clients to use vpn
PIA OpenVPN Canada -- clients to use VPN
Site To Site OpenVPN -- connect to my sisters Pfsense constant connection
Remote Access OpenVPN -- to let me log into my network from my cell phone or laptop

so firewall rules all i have is the No wan egreess so the PIA VPN cant go out the WAN connect
i do have the pfblocker off currently
and for DNS i set it to ALL All for inbound outbound..
and the LAN i have it set so the VPN Clients go out the PIA OpenVPN and the WAN go out the rest of the network..

but even with that set on the PIA VPN side i get the isp or the other dns ips as you seen in the screen shot

now if there is other firewall routing i dont know them.. i only know how from the videos i posted..

stephenw10

You can look at the block logs in pfBlocker. It's probably a DNS entry rather than an IP that's blocked. Try disabling lists until it's accessible again.

comet424

@stephenw10 are the lists the items under Feeds? where there is white section some gray and green high lighted areas

if so i going to try to see if to disable them?

stephenw10

Yes the feeds contain the block lists for IPs and domains.

comet424

@stephenw10
so i played with it.. i havent got it to unblock..
i found deleting the dnsbl.log i delete then i go off that log... i then hit refresh on the home depot site
and then go back to dnsbl.log file
i get

DNSBL-Full,Aug 29 09:40:01,cdn.cookielaw.org,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,cdn.cookielaw.org,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,cdn.cookielaw.org,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,cdn.cookielaw.org,StevenBlack_ADs,-
DNSBL-Full,Aug 29 09:40:01,www.googletagmanager.com,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,www.googletagmanager.com,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,dpm.demdex.net,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,dpm.demdex.net,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,bid.g.doubleclick.net,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,bid.g.doubleclick.net,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,googleads.g.doubleclick.net,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,googleads.g.doubleclick.net,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,www.google-analytics.com,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,www.google-analytics.com,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,www.googleadservices.com,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,www.googleadservices.com,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:01,d.impactradius-event.com,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,d.impactradius-event.com,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:02,cdn.quantummetric.com,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,cdn.quantummetric.com,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:02,cdnssl.clicktale.net,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,cdnssl.clicktale.net,StevenBlack_ADs,+
DNSBL-Full,Aug 29 09:40:02,c.go-mpulse.net,192.168.0.49,-|PRI|HTTP/2.0|-,DNSBL,DNSBL_ADs_Basic,c.go-mpulse.net,StevenBlack_ADs,+

i click the check mark and it goes into that specific settings i set the STATE to OFF and saved

but still blocks still shows the same stevenblack ads so i havent narrowed it or figured how to edit each of those but those show up for home depot search engine

comet424

guess back to testing... after a reboot of pfsense i can search again on the HD site with that disabled.. will test more to see if it comes back..

havent solved how the isp dns or cloudflare dns show up on the vpn side as it says you maybe leaking
i gave up trying for now

jsut working on this pfblocker

comet424

@stephenw10 i was able to figure out which pfblocker site was messing up home depot
its
cdn.cookielaw.org
it also screws up the cnn webpage too.. i had to find a video how you allow blocked lists. on pfblockerng.. so i got that solved

so my other issues still if the cira-cloud or cloudflare or isp shows up on your vpn side but you do not allow traffic of the vpn out the wan... does what you do on the vpn get tracked.. pia vpn customer support never bothered to email back.. as i still cant get these dns;s off the vpn side even when i tell pfsense to use 10.0.0.243

i use
103.86.99.100 in dns general for wan_ppoee to keep my internet connection alive.. if i dont it looses that dns and then nothing seems to work.. even if i dont have Enabled Forwarding of the DNS checked off in dns resolver

Gertjan

@comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:

i had to find a video how you allow blocked lists. on pfblockerng..

Hover your mouse over de black + (plus) and read the popup.
Click on the + and follow the instructions to whitelist, my example in the image : incoming.telemetry.mozilla.org

Btw : no need to allow blocked lists.
If you want to allow a list, just remove that list.

comet424

@Gertjan ah ok ya thats what i had done.. and it then i did the add to the whitelist..
thats what i ment i done.. my stupid dyslexia i dont always explain things right..

but ya how i figured out in the end that website makes home depot usless to search anything...

you dont happen to know about if different dns's on the vpn side if its leaking or not if it doesnt go out the wan.. i havent found an answer yet

Gertjan

@comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:

you dont happen to know about if different dns's on the vpn side if its leaking or not if it doesnt go out the wan.. i havent found an answer yet

I don't know if my DNS leaks ....
I use the pfSense resolver as a resolver ( duh ... ) so it forwards my TLD requests to a official 'one-and-only' Internet Root Server (there are 13 of them). From there, it contacts a TLD so it gets the addresses of the official domain name servers, as I like to ask nsx.facebook.com what the IP of www.facebook.com is.
To make a long story short : why should I ask Paul for the phone number of Jack ? Isn't it preferable to ask jack directly ?
Resolving means you can get a possible bonus : DNSSEC, if available, will protect you.

Down side : it's a couple of ms slower, but ones the answer is cached in the resolver, it will keep the asnwer ready for you until you lose power.
Also : request are send in the open : like, to a root server : "gime the address of a dot com server (= TLD) ?" and then the request to the TLD : "gime the NS of facebook.com ?" and then the request to one of these NSs : gime the IPv4 of www.facebook.com".
So true : some one knows now I visited facebook ....

VPN : never used it / no need for it. All my traffic, except for the DNS, is already TLS encryped/protected. Afaik, there isn't much none TLS left these days.

So, nothing leaks for me ^^

stephenw10

f you have Unbound set to use the VPN for outbound connections hen you need to have at least one other DNS server configured in general setup and pfSense set to fall back to remote servers in order to resolve the VPN servers initially.
You should not see that server in a leak test from clients though unless they are not using either Unbound in pfSense or being passed the VPN DNS servers. Or not being routed over the VPN at all.

comet424

@Gertjan ah ok i think i understand..
ya i use dns resolver i set mine to All/all for inbound and outbound.. and use a no wan egress and in the vpn options i set the dns server of the pia vpn and since i have a lancache server i got told to uncheck the dnssec but even if i check it... dnslesttest still points to cira-cloud or my isp etc.. so i never know if my vpn i paying for is secure or if it just going out the vpn and big deal my isp is dns resolve from dnsleattest as its going through the vpn first ..

i tried to ask pia vpn customer support . but cuz i asked for help for pfsense they just ignore me tell me they not going to help me to ask the communities for answers .. so its like a vicious circle lol

i feel i not leaking but the dnsleak tests and dnsleak websites tell you you might be leaking so i always confused if i am or if i not

comet424

@stephenw10 so right now

i use inbound/outbound set to ALL
i have to set an ip address in the general setup.. as my internet still goes down from the isp.. but if i stop computers from doing anything it will bounce back to work again not like before it i loose it all.. but even with all all and if i dont put an ip address in general/setup i find when the modem say it stalls out it doesnt recover till i do a reboot of pfsense..

and i use nordvpn ip address in the general/setup and i get cira-cloud as a dns leak test on vpn side

if i use 1.1.1.1 for wan_ppope

i then get cloudflare on vpn dns leak tests

comet424

and if i just set
outbound on dns resolver to the pia vpn... i set no forwarding.. and i dont have an ip in the general setup... i can get a pia vpn dns i guess but my internet stalls out and stops working and i loose dns resolving all i can do is ip pinging...

so i havent found that sweet spot of i know 100% not leaking internet will always work for wan and vpn clients.

and even if my modem stalls it will bounce back without needing a reboot or so..

stephenw10

Ok so what are clients on the internal network that uses the VPN being passed to use for DNS?

Is all their traffic being routed over the VPN?

comet424

@stephenw10

ya all the traffic i route through the vpn.. except like my Webserver.. some xboxs to try to stop double natting, gaming comp.. my iot devices and cameras that update through the wan but dont use vpn.. all my other devices tablets comps vms all go through the vpn.. except a few VMS that are on WAN but majority everything

so thats where i have Vpn_clients alias all those ips use VPN and ive done No_vpn_clients alias ips or i just did Lan subnet * * * * after the vpn clients..

and i have that bypass policy as i learned if i wanted to have split wan and vpn and over the network i needed to have thr routing bypass policy thats in front of everything