After about 5 days I get this: openvpn[5531]: RESOLVE: Cannot resolve host addre
-
OK so (Note: EU Do NOT NAT is on top)
TEST 1:
ALL floating rules disabled -> USA DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine will not ping
TEST 2:
ALL floating rules disabled -> USA DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping
TEST 3:
ALL floating rules disabled -> EU DO NOT NAT unchecked -> EU VPN disabled = USA machines can ping / EU machine will not ping
TEST 4:
ALL floating rules disabled -> EU DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping
TEST 5:
ALL floating rules disabled -> ALL DO NOT NAT unchecked -> USA VPN disabled = USA machines can ping / EU machine can ping
-
Figured it out. The problem was that under Firewall -> Rules -> LAN, proto was set to "TCP" on both VPN's. I changed proto to "Any" and now if one VPN goes down the other one still works.
-
How to use Policy Based Routing and Multi VPN
-
I Followed this guide http://www.komodosteve.com/archives/232
-
NOTES: I used the same server port for both VPN's
-
NOTES: I added the following commands into Advanced Config (when pfSense first boots it loads VPN_IP_#1, but if the client gets restarted it will randomly pick one of the 3 VPN_IP's)
-
SCREENSHOT: OpenVPN Client 1
-
SCREENSHOT: OpenVPN Client 2
```
# one "remote" line per VPN server address; remote-random makes the client
# pick one of them at random on each (re)connect
remote VPN_IP_#1 Port#;
remote VPN_IP_#2 Port#;
remote VPN_IP_#3 Port#;
remote-random;
```
-
SCREENSHOT: System Gateways
-
This is where you will setup two aliases for the USA VPN's and EU VPN's
-
Make sure you have static IP addresses for the machines
-
I made 3 rules (1 that redirects the EU VPN through the EU gateway, 1 that redirects the US VPN through the US gateway, and 1 that selects every other IP address not specified in aliases and sends it to the default WAN gateway)
-
Proto: ANY, Source: Alias, Gateway: VPN
-
SCREENSHOT: Firewall Rules 1
-
SCREENSHOT: Firewall Rules 2
-
First delete all rules
-
Select "Automatic outbound NAT rule generation" and click save
-
Select "Manual Outbound NAT rule generation" and click save
-
This should auto create any rules needed for the VPN's
-
Now create a rule that will stop traffic if the VPN is down
-
Click "Do not NAT", Interface "WAN", Protocol "any", Source "Alias"
-
MAKE SURE you move the rule to the top of the list, as pfSense carries out rules from top down
-
SCREENSHOT: Firewall NAT Outbound 1
-
SCREENSHOT: Firewall NAT Outbound 2
-
Action "Block", Interface "WAN", Direction "any", Protocol "any", Source "alias"
-
SCREENSHOT: Firewall Rules Floating 1
-
SCREENSHOT: Firewall Rules Floating 2
-
This along with #5 will block your machine from going to the internet
![OpenVPN Client 1.JPG](/public/imported_attachments/1/OpenVPN Client 1.JPG)
-
-
Screenshots
![OpenVPN Client 2.JPG](/public/imported_attachments/1/OpenVPN Client 2.JPG)
![System Gateways.JPG](/public/imported_attachments/1/System Gateways.JPG)
![Firewall Rules 1.JPG](/public/imported_attachments/1/Firewall Rules 1.JPG)
-
Sounds about right ;) Glad I could help :)
-
Screenshots
![Firewall Rules 2.JPG](/public/imported_attachments/1/Firewall Rules 2.JPG)
![Firewall NAT Outbound 1.JPG](/public/imported_attachments/1/Firewall NAT Outbound 1.JPG)
-
Screenshots
![Firewall NAT Outbound 2.JPG](/public/imported_attachments/1/Firewall NAT Outbound 2.JPG)
![Firewall Rules Floating 1.JPG](/public/imported_attachments/1/Firewall Rules Floating 1.JPG)
-
Screenshots
![Firewall Rules Floating 2.JPG](/public/imported_attachments/1/Firewall Rules Floating 2.JPG)
-
Hah, now the topic went from "cannot resolve address" to… how to make policy based routing with multiple VPN clients…
-
Yeah, I was going to rename the first post but I guess it doesn't let you modify the first post… I'll start a new thread as well lol. Thanks again m3ki!
-
Any time :)
Next steps to think about… you can also forward certain ports, protocols, domains… to go to the VPN… etc. moar fun!
-
Is it possible to set up a rule that lets certain websites go through the USA VPN even if I am using the machine on the EU VPN? :D
-
Lol yes I think so, remember rules go top down.
So if a rule is caught before the bottom one, that one is executed. i.e.
1. If source EU, DESTINATION = google.com then US
2. If source EU, DESTINATION * then EU
so #1 will be executed. You can also use ! in front of an IP etc., which will mean "if not this then that".
The only issue is I think domain names won't work, and you may have to use IP addresses instead.
-
oh this is exciting!
-
Haaahhahahaha I have created a monster!
-
The problem is still there even after making all the changes. The annoying thing is that when the US VPN is in this reconnecting process, it kills all other internet connections, even the EU VPN and normal WAN; however, if all the VPN's are up and running normally and then I disable the USA VPN, the EU VPN and normal WAN work just fine… My entire VPN client setup (with pictures) is shown on page 3. Does anyone have any ideas?
```
Nov 2 06:39:26 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:26 openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:26 openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:26 openvpn[97331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 2 06:39:26 openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 2 06:39:24 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:24 openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:24 openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:24 openvpn[97331]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 2 06:39:24 openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 2 06:39:22 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:22 openvpn[97331]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: hostname nor servname provided, or not known
```
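An added example (my own, not code from this thread or from pfSense) that reads OpenVPN log lines in the format quoted above and flags the two things worth acting on: remotes that fail to resolve while the tunnel is down, and the client's own warning that no server certificate verification is enabled. It also checks a pfSense custom-options string for `remote` entries that are hostnames rather than IP literals, which is the change the thread ends up settling on; the sample log and options are constructed, and 203.0.113.10 is a placeholder address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in the format quoted in this thread (hostnames, pid and
# timestamps as posted; newest line first, as pfSense displays it).
SAMPLE_LOG = """\
Nov 2 06:39:26 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:26 openvpn[97331]: RESOLVE: Cannot resolve host address: us-east.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:26 openvpn[97331]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 2 06:39:24 openvpn[97331]: SIGUSR1[soft,init_instance] received, process restarting
Nov 2 06:39:24 openvpn[97331]: RESOLVE: Cannot resolve host address: us-midwest.privateinternetaccess.com: hostname nor servname provided, or not known
Nov 2 06:39:22 openvpn[97331]: RESOLVE: Cannot resolve host address: us-west.privateinternetaccess.com: hostname nor servname provided, or not known
"""

# Constructed custom options in the "remote <host> <port>;" form used in the thread
# (203.0.113.10 is a placeholder address, not a real VPN endpoint).
SAMPLE_OPTIONS = "remote 203.0.113.10 1194; remote us-west.privateinternetaccess.com 1194; remote-random;"

RESOLVE_RE = re.compile(r"RESOLVE: Cannot resolve host address: (\S+):")
RESTART_RE = re.compile(r"SIGUSR1\[soft,init_instance\] received, process restarting")
NOVERIFY_RE = re.compile(r"WARNING: No server certificate verification method")


def analyse_openvpn_log(text):
    """Count unresolved remotes and restarts, and note whether the client
    reports that it is not verifying the server certificate at all."""
    unresolved, restarts, no_verify = Counter(), 0, False
    for line in text.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            unresolved[m.group(1)] += 1
        if RESTART_RE.search(line):
            restarts += 1
        if NOVERIFY_RE.search(line):
            no_verify = True
    return {"unresolved": dict(unresolved), "restarts": restarts, "no_verify": no_verify}


def hostname_remotes(custom_options):
    """Return 'remote' targets that are hostnames, not IP literals: these are the
    entries that cannot be looked up when DNS itself depends on the tunnel."""
    hosts = []
    for stmt in custom_options.split(";"):
        parts = stmt.split()
        if len(parts) >= 2 and parts[0] == "remote":
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                hosts.append(parts[1])
    return hosts
```

A non-empty `unresolved` together with `no_verify` being true is the combination seen in the thread: a client that restarts in a loop on DNS failure and, when it does connect, accepts any server that presents a certificate.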
-
What if the EU one goes down, does it bring down the US one?
-
If I disable the EU VPN the US VPN works.
-
Is the only difference between our VPN client configs that you use StrongVPN and you use numeric IP addresses instead of the letter IP address?
-
I figured out the Cannot resolve host address problem:
PIA only supplies domain names and not IP addresses. The domain names will work initially, but after about a week it seems PIA requires you to renew your lease? At that point pfSense is unable to reconnect to the VPN. If you change all the domain names to IP addresses then everything works just fine. I am sure if you are part of this forum you can figure out how to find the PIA IP addresses, but if you cannot figure it out contact PIA and they will tell you how.