Port Forwarding stopped working after upgrading to 2.8.0

comet424

if you happen to have any screen shots how to configure it to be secure even if i have split network
and better routing as these videos arent showing how to stop leaking or touch the dns resolver

comet424

@stephenw10 and i know your too busy to watch or skim videos
but these were the videos i followed where i did like that but they dont talk about leakage or dns resolver.. and i never get there results

syncbricks 1
Lawerence Systems

and i commented on there youtube videos about the setups not talking about dns leakage or dns resolver.. but they too busy to reply either

Gertjan

@comet424 said in Port Forwarding stopped working after upgrading to 2.8.0:

and i confused why my desktop pc is always pulling dns even when it should be pulling vpn

Normally, your PC, the OS, pulls the DNS from the gateway, which is pfSense.
pfSense centralized all local network ( your LAN devices ) DNS requests, and resolves from there.
Resolving means : it uses root DNS server, a TLD DNS server and a domain name server to obtain a DNS answer.
Or : Plan B : you forward to for example 1.1.1.1 : now the resolver send all traffic to this DNS resolver (= 1.1.1.1).
The resolver uses the outgoing connection, also called WAN.
Or, you could have two WAN's : the one going to your ISP, and a VPN-WAN connection. You could inform the resolver to forward to 1.1.1.1 over the VPN connection.

If you use this last solution, you still leak DNS info to .... 1.1.1.1 ^^

When I see the result of dos command "dnsleaktest" shown above it says your DNS leaks to ...
the 7 DNS Cloudflare servers you have specified yourself (?).
So, is it really leaking ? It does what you asked it to do.

I know, more questions then answer.

MoonKnight

@comet424

Maybe you are using DOH on your windows IE browser? Change it to static IP and add your DNS server IP.

Gertjan

@MoonKnight said in Port Forwarding stopped working after upgrading to 2.8.0:

Maybe you are using DOH on your windows IE browser?

True. Forgot about that one.
On any device, locally installed software can use the 'system DNS' (the one you see when typing ipconfig /all)
or
it can use any DNS other DNS is choses to use.

These days, afaik, most application (browers and others) use their 'own' DNS, totally bypassing the pfSense Resolver/DNS.
They (the browser's author) say : for your own security, and that(s not false, but mostly because they want your DNS traffic as it has a value (for them).
This traffic will flows encrypt through pfSense to whatever destination it chose to use and you can't do anything about it.
Remember : this is TLS traffic so you can't route it to somewhere else.
I would consider this also as DNS leaking ....

comet424

@Gertjan @MoonKnight

so those dnsleaktest from the command line.. is from wherever..

so first
i have the Inbound to All Outbound to 2 PIA
the dns resolver custom options i added

server:
  ssl-upstream: yes
  do-tcp: yes
  forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853

as per serval setups i guessing you do that for when pia goes down least WAN will stay up.. as i run in the problem if i dont set an ip address in at least general setup when i have it set for just PIA outbound when the pia vpn goes down it can no longer resolve WAN,, and WAN no vpn clients then loose the internet too so does pfsense itself

so i even removed the resveration of my deskop pc from the dhcp server so it just get a random port and still pulls cloudflare... i then rebooted all my network switchs in case they held any info... and that didnt help

i even dual booted from Windows 11 to Windows 10 to test.. and command line dnsleak test is still pulling damn cloudflare.. i tried looking through all the settings in pfsense incase i had something configure.. but it doesnt matter if i remove that custom options then i get my isp on my desktop pc which is behind the vpn or cira-cloud.. like u bang your head off this

and

resolv-retry infinite;
persist-key;
persist-tun;
remote-cert-tls server;
reneg-sec 0;
auth-retry interact;
dhcp-option DNS 10.0.0.242;

thats the custom setting for PIA vpn now some offer the semi colon others dont add it i dunno if it makes a difference..

i had to look up with DOH in windows was
ii also get the cloudflare on Oprea and Google Chrome and command line dnsleaktest
and since pia customer service not willing to help just tells you find help else where basiclly it makes it also frustrating
as ever i switched from nordvpn to pia i have nothing but this leaking issue.. but frustrated for sure... i going to try and windows VM and see if i getting same cloudflare and not the vpn

and here is the dns setting in microsoft edge

comet424

oh and seems now my firefox dockers now pull cloudflare behind the vpn
i guessing its because of that custom options... after i did a server reboot.. the firefoxs are now getting like 20 cloudflare and not just vpn

this is my current dns resolver
dns resolver1.png
dns resolver 2.png dns resolver 3.png

comet424

i cant find the 2 articles now that showed those server options

but here this article i read
https://undergroundmod.com/2023/07/15/private-internet-access-vpn-on-pfsense-last-updated-08-2023/

talks about this

Important DNS Note
If you are not using DNS over TLS to a trusted, privacy oriented DNS Resolver like CloudFlare’s 1.1.1.1, then you will leak your IP over DNS and this could be a problem

To get around this, you should hard code PIA’s DNS servers on the system you are putting over the VPN. The DNS servers are 209.222.18.222 and 209.222.18.218

Be sure to check if your DNS requests are leaking your normal public IP: https://www.dnsleaktest.com/

Setting these DNS server will probably affect local DNS resolution, so you should really just use DNS over TLS…

https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
You could create some NAT rules to intercept DNS requests and force them elsewhere, but it’s more work than just using DNS over TLS, which you REALLY should be doing anyway…

Thats it!

not 100% sure what that ment but i just tried enabling the Enable SSL/TLS Service in the dns resolver

i get confused cuz there isnt 1 straight setup for no leaking no issues lol makes you wanna drink

comet424

if you guys got screen shots how PIA or any VPN should be setup on the LAN like with 192.168.0.0 like i have grayed out . no_vpn_clients and vpn_clients
and what the dns resolver NAT should look like.. so i can just duplicate it.. so there is 0 dns leakage.. as these google searches arent helping

and or should i make a new post ask for anyone that has PIA and NonVPN Clients Have Screen shots for a secure network? i was hoping when i orginalyl started thread.. someone with PIA had this setup and secured and could supply screen shots..

if i ever get this solved. i going to make a thread with the right procedures so someone like me doesnt go through these headaches

stephenw10

OK adding those custom options in Unbound is forwarding all queries to Cloudflare. No matter what else you have set in the Unbound setup.

But without any DNS servers set in General setup then pfSense itself can only use Unbound. If that is configured to only use the VPN interfaces for outbound queries then it cannot resolve anything until the VPNs connect and that's a problem if the VPN servers are defined as an FQDN instead of an IP.

comet424

@stephenw10 so i running in circles..
currently this is what i got i took out those custom options
i can get it to say not leaking if i use 103 ip address which is a nordvpn dns on the WAN
but if i use 1.1.1.1 then it leaks like a ship with 20 holes in it.. i getting frustrated.. and this article at the bottom tells you to use dns over ttls.. and use like 1.1.1.1 for a secure dns leak free but its not making sense and it leaks using 1.1.1.1
this is the article
https://undergroundmod.com/2023/07/15/private-internet-access-vpn-on-pfsense-last-updated-08-2023/

this is the bottom not.. and those ips dont work

Now we have done that, you should be done. Everything on those IP’s in the alias will go over the VPN. If the VPN disconnects, no internet traffic will pass and as long as the IP doesn’t change, traffic CAN NOT go over the normal gateway

Important DNS Note
If you are not using DNS over TLS to a trusted, privacy oriented DNS Resolver like CloudFlare’s 1.1.1.1, then you will leak your IP over DNS and this could be a problem

To get around this, you should hard code PIA’s DNS servers on the system you are putting over the VPN. The DNS servers are 209.222.18.222 and 209.222.18.218

Be sure to check if your DNS requests are leaking your normal public IP: https://www.dnsleaktest.com/

Setting these DNS server will probably affect local DNS resolution, so you should really just use DNS over TLS…

https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
You could create some NAT rules to intercept DNS requests and force them elsewhere, but it’s more work than just using DNS over TLS, which you REALLY should be doing anyway…

Thats it!

and here is my current setup what am i doing wrong

and the nat page ive done wan address and PIA address cuz in the 2 videos they go both directions one says use the wan address and the other says use the pia address
if you could provide pictures what i doing wrong would be good i know you probbably getting frustrated helping me on all this

stephenw10

What exactly are you counting as a leak test failure?

If you're forwarding requests to Cloudflare then DNS tests will always show Cloudflare. It just might be local servers if the query isn't over the VPN.

comet424

@stephenw10 well when i run website dnsleak.com or dnsleaktest.com and it shows more then just the piavpn dns server thats what i consider leaking..

that the wan clients should only get 1.1.1.1 dns and all vpn clients should get the 10.0.0.242 say and that the 1.1.1.1 should never show up on any of the vpn clients when i run dnsleaktest.com

and then dnsleak.com keeps saying your leaking dns

and using the nordvpn 103.x.x.x failed providing dns after a few days.. i could ping from the pfsense but not from the windows..

i did google for not logging dns' and ai generated said 1.1.1.1 1.0.0.1. and 9.9.9.9 are non logging non data keeping dns
so then that should be safe right to use on the wan.. as i been trying so long to keep everything seperate and make the dnsleaktest.com say its not leaking but i havent been able to

comet424

but i guess i wrong to figure what is ok for dns leaking and what isnt for dns leaking i just tried to make sure the tests showed i wasnt leaking