Netgate Discussion Forum

Routing PIA VPN to select devices on LAN

OpenVPN | 42 Posts, 4 Posters, 84.0k Views
pf3000

@cobrahead:

Ok, I did all of this. I noticed your screencap shows the destination 'Invert Match' is not checked, but your instructions say to check it. It seems to work when it is checked; should I uncheck it?

Thanks. I don't use that rule often.. I fixed it.

Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

Hint: copy button - rule you made above, rule action - reject, gateway - WAN, place under previous rule. If it works, tell us.
cobrahead

@pf3000:

@cobrahead:

Basically, if the VPN fails for whatever reason I want the device(s) routed to VPN to stop connecting to the internet, period, until the VPN is restored.

Hint: copy button - rule you made above, rule action - reject, gateway - WAN, place under previous rule. If it works, tell us.

That did not work; after the VPN service is stopped, the device that is assigned the VPN IP reverts back to the local ISP.

"PERFECTION IS THE ENEMY OF PERFECTLY ADEQUATE."
mauroman33

If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two options:

1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
There is only one active VPN client in my system, so the first solution is simpler for me.
If there were more (e.g. guest wi-fi) and I wanted different behaviours when a VPN connection drops, I would use the second option.
johnpoz LAYER 8 Global Moderator

If you don't want these VPN devices to have internet while your VPN is down, then in your rules don't allow those devices to use the rules that allow other access for your other devices..

This is how policy routing would work out of the box, depending on how you did your rules..  Post up these rules you created to policy route your devices out the VPN..  Sure, if you have a rule after your policy route that includes the devices you want to go out the VPN, then yeah, they would go out the normal path when the VPN is down.

Just block them from using that rule..  After your policy route, create a rule that just blocks them.. If your policy route isn't working then there is no way they can get to your, say, default any-any rule at the bottom.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
cobrahead

@johnpoz:

This is how policy routing would work out of the box, depending on how you did your rules..  Post up these rules you created to policy route your devices out the VPN..  Sure, if you have a rule after your policy route that includes the devices you want to go out the VPN, then yeah, they would go out the normal path when the VPN is down.

Just block them from using that rule..  After your policy route, create a rule that just blocks them.. If your policy route isn't working then there is no way they can get to your, say, default any-any rule at the bottom.

I am attaching my rules. The REJECT rule is based off of the hint that pf3000 gave me.

[Attachments: firewall_rules_REJECT.png, firewall_rules_PASS.png, firewall_rules.png, screencapture-firewall_aliases.png]
mauroman33

About the reject rule, are you sure WAN_DHCP is the default gateway?
Take a look in System / Routing / Gateways
cobrahead

@mauroman33:

About the reject rule, are you sure WAN_DHCP is the default gateway?
Take a look in System / Routing / Gateways

I checked. Both WAN_DHCP and WAN_DHCP6 are default.
johnpoz LAYER 8 Global Moderator

Why are you setting a gateway on that reject rule?
cobrahead

@johnpoz:

Why are you setting a gateway on that reject rule?

I was trying what pf3000 suggested. What would you set the gateway to in the reject rule?

@pf3000:

Hint: copy button - rule you made above, rule action - reject, gateway - WAN, place under previous rule. If it works, tell us.
cobrahead

@mauroman33:

If you want the devices routed to VPN to stop connecting to the internet until the VPN is restored, you have two options:

1- in System/Advanced/Miscellaneous check "Skip rules when gateway is down"

2- follow this guide https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

The difference is that the first solution affects all the system gateways, while the second one only those selected by you.
There is only one active VPN client in my system, so the first solution is simpler for me.
If there were more (e.g. guest wi-fi) and I wanted different behaviours when a VPN connection drops, I would use the second option.

Very helpful. I followed the guide in the second option and it works as described!

The only issue I need to resolve now is DNS leaking.
mauroman33

I solved the DNS leak by enabling the DNS Resolver and placing the following rules in the LAN tab

![DNS leak rules.png](/public/imported_attachments/1/DNS leak rules.png)
cobrahead

@mauroman33:

I solved the DNS leak by enabling the DNS Resolver and placing the following rules in the LAN tab

How do you enable the DNS Resolver? Are you creating another rule from the Firewall->Rules->LAN page? Are both of the rules in your screenshot at the bottom of the list?

My rules page is attached. I don't have any rules relating to DNS Allow/Block.

[Attachment: firewall_rules.png]
johnpoz LAYER 8 Global Moderator

What do you think is leaking??  Yeah, if you ask pfSense for DNS, it resolves it or even forwards it, which is what it is designed to do..

If you do not want your IPs to talk to pfSense, or use the internet, then create a rule.. How is this not clear?? With the rules you have posted..  If you set pfSense to ignore rules when the gateway is down, then the traffic from the clients you want to use the VPN will just go to the next rule that says go out to the internet via whatever way pfSense is connected, its default route, etc.  Sure, they can ask pfSense anything..

If you don't want the said clients to do that, then under the rule that sends them to the VPN gateway create a rule that triggers on their IPs and blocks what you do not want them to do.. If you don't want them to talk to anything, then the rule would be block/reject dest any..
cobrahead

@johnpoz:

What do you think is leaking??  Yeah, if you ask pfSense for DNS, it resolves it or even forwards it, which is what it is designed to do..

If you do not want your IPs to talk to pfSense, or use the internet, then create a rule.. How is this not clear?? With the rules you have posted..

Sorry, I am clearly new to this; I have only been using pfSense for a week now.

When I am using the VPN connection with PIA and I check my IP it is showing an IP on the server I have chosen, Seattle WA in my case… but when I run the DNSleaktest it shows my local ISP address. Isn't that a DNS leak?
mauroman33

I'm sorry if my short answer may have caused confusion.
Surely what is written by johnpoz is totally correct.
Going back to my answer, I activated the DNS Resolver from Services->DNS Resolver->General Settings, then I added the two previous rules in Firewall->Rules->LAN, placing them immediately after the Anti-Lockout Rule.
This way I prevented all devices on my network from using a DNS that is different from the one set in pfSense, which is, in my case, the VPN provider's DNS, because in System->General Setup I did not set any DNS.
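An added example, not code from this thread or from pfSense itself: a small Python simulation of how a pfSense LAN ruleset is evaluated, covering the two questions raised above (why a reject rule under the policy-route rule plus "Skip rules when gateway is down" is needed to keep the VPN hosts off the ISP path when the VPN drops, and how the allow/block DNS pair placed right after the anti-lockout rule keeps LAN clients on the pfSense resolver). The model is deliberately simplified and is an assumption of this example, not a description of pf internals: interface rules match top-down and the first match wins; a pass rule with a gateway policy-routes the traffic; a pass rule whose gateway is down is either loaded without its gateway (system routing) or, with the skip option on, omitted entirely; a gateway set on a block/reject rule has no effect. The LAN addresses, the VPN_HOSTS alias, the PIA_VPN gateway name and the sample packets are all constructed.

```python
"""First-match simulation of a pfSense LAN ruleset (added example, simplified model)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, Optional, Set, Tuple

LAN_NET = ip_network("192.168.1.0/24")      # constructed sample LAN
PFSENSE_LAN_IP = ip_address("192.168.1.1")  # constructed firewall LAN address
ALIASES = {                                  # constructed alias of hosts to policy-route
    "VPN_HOSTS": {ip_address("192.168.1.50"), ip_address("192.168.1.51")},
}


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass", "block" or "reject"
    src: str                       # "any", "LAN net" or an alias name
    dst: str                       # "any", "This Firewall" or an alias name
    dport: Optional[int] = None    # None matches any destination port
    gateway: Optional[str] = None  # gateway name for policy routing, or None


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def _addr_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "any":
        return True
    if spec == "LAN net":
        return addr in LAN_NET
    if spec == "This Firewall":
        return addr == PFSENSE_LAN_IP
    return addr in ALIASES.get(spec, set())


def evaluate(rules: Iterable[Rule], pkt: Packet, gateways_up: Set[str],
             skip_when_down: bool) -> Tuple[str, Optional[str]]:
    """Return (verdict, path): the first matching rule decides; path is the
    policy-route gateway, "system routing", or None when not passed."""
    for rule in rules:
        if not (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        if rule.action != "pass":
            return rule.action, None          # gateway on block/reject is irrelevant
        if rule.gateway is None:
            return "pass", "system routing"
        if rule.gateway in gateways_up:
            return "pass", rule.gateway
        if skip_when_down:
            continue                          # rule omitted: fall through to next rule
        return "pass", "system routing"       # rule loaded without its gateway
    return "block", None                      # implicit default deny at end of ruleset


# Simplified stand-in for the anti-lockout rule (webGUI access to the firewall).
ANTI_LOCKOUT = Rule("pass", "any", "This Firewall", dport=443)

# Ruleset as first posted: policy route, then a default allow for the whole LAN.
RULES_LEAKY = [
    ANTI_LOCKOUT,
    Rule("pass", "VPN_HOSTS", "any", gateway="PIA_VPN"),
    Rule("pass", "LAN net", "any"),
]

# Same, with a reject for the VPN hosts directly under the policy-route rule.
RULES_KILLSWITCH = [
    ANTI_LOCKOUT,
    Rule("pass", "VPN_HOSTS", "any", gateway="PIA_VPN"),
    Rule("reject", "VPN_HOSTS", "any"),
    Rule("pass", "LAN net", "any"),
]

# Allow DNS to the firewall, block DNS anywhere else, placed right after anti-lockout.
RULES_DNS = [
    ANTI_LOCKOUT,
    Rule("pass", "LAN net", "This Firewall", dport=53),
    Rule("block", "LAN net", "any", dport=53),
    Rule("pass", "VPN_HOSTS", "any", gateway="PIA_VPN"),
    Rule("reject", "VPN_HOSTS", "any"),
    Rule("pass", "LAN net", "any"),
]

# Constructed sample packets from a VPN host (203.0.113.10 is a documentation address).
WEB = Packet(ip_address("192.168.1.50"), ip_address("203.0.113.10"), 443)
DNS_EXTERNAL = Packet(ip_address("192.168.1.50"), ip_address("8.8.8.8"), 53)
DNS_LOCAL = Packet(ip_address("192.168.1.50"), PFSENSE_LAN_IP, 53)

if __name__ == "__main__":
    for name, rules in (("leaky", RULES_LEAKY), ("killswitch", RULES_KILLSWITCH)):
        for up, skip in (({"PIA_VPN"}, True), (set(), False), (set(), True)):
            print(f"{name:10} vpn_up={bool(up)!s:5} skip={skip!s:5}",
                  evaluate(rules, WEB, up, skip))
    for pkt in (DNS_EXTERNAL, DNS_LOCAL):
        print("dns rules  ", pkt.dst, evaluate(RULES_DNS, pkt, {"PIA_VPN"}, True))
```

Running it shows the three outcomes the thread went through: with only the policy-route rule, a VPN host falls to the "LAN net any" rule when the gateway is down (whether or not rules are skipped) and leaves via system routing; with the reject rule beneath it, the host is rejected, but only when "Skip rules when gateway is down" is set, since otherwise the pass rule is loaded without its gateway and matches first; and the DNS pair blocks a query to an outside resolver while still passing one to pfSense, without disturbing the policy-routed web traffic.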
cobrahead

@mauroman33:

I'm sorry if my short answer may have caused confusion.
Surely what is written by johnpoz is totally correct.
Going back to my answer, I activated the DNS Resolver from Services->DNS Resolver->General Settings, then I added the two previous rules in Firewall->Rules->LAN, placing them immediately after the Anti-Lockout Rule.
This way I prevented all devices on my network from using a DNS that is different from the one set in pfSense, which is, in my case, the VPN provider's DNS, because in System->General Setup I did not set any DNS.

Cool. Would you mind posting those DNS rules' 'edit' pages? Just want to make sure I am configuring them correctly. Thanks

Attached are mine; something isn't set right… still getting a DNS leak.

[Attachment: firewall_rules.png]
![dns_pass rule.png](/public/imported_attachments/1/dns_pass rule.png)
[Attachment: dns_block_rule.png]
![services_dns resolver_general settings.png](/public/imported_attachments/1/services_dns resolver_general settings.png)
mauroman33

You're welcome.
Here it is.

![Allow DNS.png](/public/imported_attachments/1/Allow DNS.png)
![Block DNS.png](/public/imported_attachments/1/Block DNS.png)
cobrahead

@mauroman33:

You're welcome.
Here it is.

That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.
mauroman33

You will have the same result even using a single rule.

Does it work for you?

https://dnsleaktest.com/

[Attachment: DNS.png]
mauroman33

@cobrahead:

@mauroman33:

You're welcome.
Here it is.

That's what I have. I edited my last post to include the screenshots. Not sure what I am missing.

I don't see anything strange.
Here are the other settings in my system.

[Attachments: General_Setup.png, DHCP_Server.png]
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.