Netgate Discussion Forum

    DNS Behind VPN vs not

    DHCP and DNS
    27 Posts 4 Posters 6.9k Views
    pfsensory

      @ryan29:

      Is that a typo or do you actually have your main rule on the OpenVPN interface?  That should be on the LAN (or Main in your case).  Are you certain you're actually routing vpnclients traffic via PIA?

      Which of the 3 rules are you referring to?  VPNclients traffic does route via PIA (at least when I check the external IP address), but I would definitely be concerned if I have made an error.

      @ryan29:

      How are you creating your DHCP pools?  How do you assign your vpnclients into one pool and everything else into the other (ie: which is the default pool where unknown clients end up)?  Can you post screenshots of your DHCP config?

      If you'd like I can make a mini-howto for the way I do things (using 2.2.6).  Let me know if it would be useful and I might have time to look at it a bit later today.

      See attached screenshots.  Do you see any issues with the way it is set up?

      I don't want to put you out, but a step by step how-to would be really helpful for rookies like me!

      jptech

        I don't mind doing up a small howto.  I've documented a couple of configs for myself anyway, so it's just a matter of reformatting it to post in the forum.

        For your DHCP, what I was wondering is how you're assigning clients into the correct pool.  For example, let's say you have two clients:

        my-work-machine - should access the internet normally via the WAN
        my-home-machine - should access the internet via the VPN

        How are you making sure my-home-machine is being assigned an IP address from your VPN IP addresses DHCP pool?

        I also see you have 3 LANs set up (LAN, GUEST, MAIN).  Is MAIN the only one you're trying to get working with the VPN?

        pfsensory

          All clients seem to get assigned into the MAIN pool by default (.120 - .189) unless I assign them a static IP address in the VPNclients pool (.20 - .40).  I am not sure I specifically set this as an option anywhere, but I suspect it is a side effect of setting a subpool of addresses from the MAIN tab.

          Yes, MAIN is the only LAN I am trying to get working with the VPN (it is in fact working right now, but only with the rules I outlined a few posts ago).  The "LAN" LAN is not currently in use - I left it for admin access to the router - the only interface to it is via the physical LAN port on the device.

          jptech

            How are you assigning static IPs?  It shouldn't be possible to use pfSense's static DHCP mappings to assign an IP within the DHCP range of an interface.

            pfsensory

              I am setting the static IPs in 1 of 2 ways (both seem to work):

              1.  I have set a list of static IPs at the bottom of the "MAIN" tab (it was cut off in my screenshot).  I have set some static IPs in the VPNclients range (.20 - .40) here, and some addresses for specific devices on my LAN (MAIN) that need a static IP (I have used the .190-.199 range for this).

              2.  On client devices themselves, I am able to change network settings from "DHCP" to "DHCP with static address" and manually assign the device an IP address in the VPNclients range (.20 - .40).  This seems to work also - when I check external IP address, I get a PIA address, and when I check for DNS server leaks, I see only the OpenDNS servers and not my ISP DNS servers.

              Is there some other way I am supposed to be doing this?

              jptech

                Are you on the newest version of pfSense (2.2.6)?  I just tried to add a static mapping within the DHCP pool range for my LAN and pfSense gives an error (which it should).

                When you're assigning static IPs they should never use an IP that's part of your DHCP pools.  For example, if you want to assign a static IP on your MAIN network, don't use anything in the ranges of your DHCP pools:

                192.168.88.120 - 192.168.88.189
                192.168.88.20  - 192.168.88.40

                So the 192.168.88.190 - 192.168.88.199 addresses you mention are the correct way of doing it.

                As for the clients where you can set DHCP with static address, I've never seen that before.  As far as I know, and I'm not a DHCP expert, the client can ask for a specific IP, but the server isn't obligated to assign it.

                The easiest way to assign static IPs is to do it via pfSense's static DHCP mappings:

                • Go to: Status – DHCP Leases

                • Find the device you want to assign a static IP

                • Click the + sign in the rightmost column to add a static mapping

                • Give it an IP that's not in any of your DHCP ranges

                That way you can leave all of your devices using DHCP and manage all the addressing from pfSense.

                If the bottom of your MAIN tab shows static IP mappings in the 192.168.88.20 - 192.168.88.40 range, could you post a screenshot?  As far as I know that's not supposed to be possible.

                pfsensory

                  I am on the latest version of pfSense 2.2.6

                  I have attached a screenshot from the bottom of the tab below.

                  I think I see what happened - the VPNIPS tab was assigned to .20 - .40, but all the static IPs I set were between .10 and .19 (i.e. outside the VPNIP pool) - these addresses are still covered by my alias for IP addresses to be sent to PIA (.10 - .40).

                  pfsensory
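The two checks the exchange above turns on (jptech's rule that a static mapping must never land inside a dynamic pool, and pfsensory's discovery that the .10-.19 addresses sit inside the "VPN-IPs" alias but outside the VPNIPS pool) are easy to automate before touching the firewall. The script below is an added example, not code from the thread or from pfSense; the pool, alias and static-mapping values are constructed to mirror the addressing discussed and are not anyone's real config, and a mapping named bad-mapping is included deliberately to show the error case pfSense rejects.

```python
import ipaddress

# Constructed sample mirroring the thread's addressing (not the poster's
# actual config): two dynamic pools on the MAIN interface, the "VPN-IPs"
# alias used for policy routing, and a few static DHCP mappings.
DHCP_POOLS = {
    "MAIN":   ("192.168.88.120", "192.168.88.189"),
    "VPNIPS": ("192.168.88.20", "192.168.88.40"),
}
VPN_ALIAS = ("192.168.88.10", "192.168.88.40")
STATIC_MAPPINGS = {
    "printer": "192.168.88.195",          # outside every pool: fine
    "my-home-machine": "192.168.88.15",   # in the alias, outside the pools
    "bad-mapping": "192.168.88.130",      # inside the MAIN pool: pfSense rejects this
}


def _bounds(rng):
    """Turn a (first, last) string pair into IPv4Address objects."""
    lo, hi = (ipaddress.ip_address(x) for x in rng)
    if lo > hi:
        raise ValueError(f"range start {lo} is after end {hi}")
    return lo, hi


def in_range(ip, rng):
    """True if ip lies inside the inclusive (first, last) range."""
    lo, hi = _bounds(rng)
    return lo <= ipaddress.ip_address(ip) <= hi


def pool_conflicts(mappings, pools):
    """Static mappings that collide with a dynamic pool, as (host, ip, pool)."""
    return [
        (host, ip, name)
        for host, ip in sorted(mappings.items())
        for name, rng in pools.items()
        if in_range(ip, rng)
    ]


def vpn_routed_hosts(mappings, alias):
    """Hosts whose static address will match the policy-routing alias."""
    return sorted(host for host, ip in mappings.items() if in_range(ip, alias))


def alias_outside_pools(alias, pools):
    """Addresses covered by the alias but handed out by no dynamic pool.

    A client can only land on one of these through a static mapping (or a
    client-side static address), which is the gap the thread stumbled on.
    """
    lo, hi = _bounds(alias)
    gap = []
    for n in range(int(lo), int(hi) + 1):
        addr = str(ipaddress.ip_address(n))
        if not any(in_range(addr, rng) for rng in pools.values()):
            gap.append(addr)
    return gap


if __name__ == "__main__":
    for host, ip, pool in pool_conflicts(STATIC_MAPPINGS, DHCP_POOLS):
        print(f"REJECT {host} {ip}: inside dynamic pool {pool}")
    print("routed via VPN:", vpn_routed_hosts(STATIC_MAPPINGS, VPN_ALIAS))
    print("alias addresses outside pools:", alias_outside_pools(VPN_ALIAS, DHCP_POOLS))
```

Run as-is it flags only bad-mapping, lists my-home-machine as the one host the alias will send through the VPN, and prints the ten .10-.19 addresses that are inside the alias but in no pool. Replace the three constructed tables with your own interface's pool ranges, alias and static mappings to repeat the check; the point of keeping the alias and the pool as separate inputs is that a host can match the policy-routing rule without ever having been eligible for the VPN pool, which is exactly what makes "is this device really going out via PIA" hard to answer from the DHCP tab alone.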

                    Which still brings me back to the original question of how to get all devices that have IP addresses from .10 to .40 (covered by my "VPN-IPs" alias) to use OpenDNS DNS servers rather than my ISP DNS servers, without using the firewall rules I outlined above.

                    Also, I am still wondering which rule that I posted might have a typo (as you mentioned a few posts ago) - I feel like I should correct this.

                    jptech

                      That makes sense for the DHCP stuff.

                      It might be easiest to wait for me to write up a howto.  That way you can compare a working config to what you have and it'll probably be easier to pick out the differences.

                      It'll take me a while to write a good howto so, like I mentioned, it's unlikely I'll reply again until later tonight.  I'll try to include a bit of explanation when I do it.

                      pfsensory

                        Appreciated!

                        jptech

                          Hey,

                          I didn't get to this yesterday, but did it today:

                          https://forum.pfsense.org/index.php?topic=106305.0

                          That's basically every step needed to configure a fresh install.

                          pfsensory

                            @ryan29:

                            Hey,

                            I didn't get to this yesterday, but did it today:

                            https://forum.pfsense.org/index.php?topic=106305.0

                            That's basically every step needed to configure a fresh install.

                            That guide is excellent and I thank you for taking the time to put it together.  I really appreciate your help with all of this.  I am going to go through each of the steps that you outlined and make sure that my setup is properly configured.

                            (If any moderators are reading this, I would like to suggest that ryan29's guide be sticky-ed somewhere so newbies like myself can benefit from it)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.