VLAN Rules?

Velcro

Thanks for that follow up…

I have attached screen shots of my "Manual Outbound NAT rule generation" configuration, I referenced the VPN provider guide(which indicated duplicating each rule). The pfSense Hangout video however indicated the "Hybrid" approach as an alternative. Should I "turn on" any of these rules I turned off?

Thanks again...

(I am not sure what I should or shouldn't share in terms of my IPs on the forum so I blocked them all. Also I have no entries in "Port Forward", "1:1" or the "NPt" tabs.)

![Outbound NAT.png](/public/imported_attachments/1/Outbound NAT.png)
![Outbound NAT.png_thumb](/public/imported_attachments/1/Outbound NAT.png_thumb)
![Outbound NAT cont..png](/public/imported_attachments/1/Outbound NAT cont..png)
![Outbound NAT cont..png_thumb](/public/imported_attachments/1/Outbound NAT cont..png_thumb)

johnpoz

Dude how can I help you if your going to hide rfc1918 address space??

I have no idea what guide your using for your vpn service.. But there is zero reason to have to do all that..

Here is my outbound nat rules.. See the 1 rule that is created that allows me to send my 192.168.3 network out the vpn if I so desire.

vpnoutboundnat.png_thumb

Velcro

Thanks Johnpoz…

I have attached my NAT screen shots...I have seen others on the forum "obscure IPs" so I was just following suite. I am too green to know what can be leveraged and what can't...

I see you used the "hybrid"...I used the "manual" guide provided by PIA.

Thanks again for the help...definitely willing to make the changes needed.

Update

Here is the link:
https://www.privateinternetaccess.com/pages/client-support/pfsense

![NAT Outbound.png](/public/imported_attachments/1/NAT Outbound.png)
![NAT Outbound.png_thumb](/public/imported_attachments/1/NAT Outbound.png_thumb)
![NAT Outbound contd..png](/public/imported_attachments/1/NAT Outbound contd..png)
![NAT Outbound contd..png_thumb](/public/imported_attachments/1/NAT Outbound contd..png_thumb)

johnpoz

"I have seen others on the forum "obscure IPs"

Sure if its a public, or global IPv6 sure.. But rfc1918 would be like telling me your house is blue, and thinking I could track you down from that ;) There is ZERO reason to try and obscure those..

"I see you used the "hybrid"…I used the "manual" guide provided by PIA."

and pointless!! And even if you were going to do it manual.. Why would you create individual rules for each network using the same interface? You can combine those into 1 rule, or for that matter combine your source network via 1 cidr like 192.168.0.0/16 so you only have 1 rule.

Thought your whole point to this thread was to reduce your rules ;) Not make multiple pages of outbound nats ;) hehehe

Velcro

Definitely want to keep my rules manageable…

I'll go back to my NAT and go back to the Hang out videos(well worth the gold member ship...well worth the $99 membership) and change this to a "hybrid" vs "Manual".

With my current config. should I just change the "DNS rules" to the WAN gateway in all my VLAN interfaces? update added I would think a DNS request via a VPN is more private?

I have learned a lot from this thread, although I also have more questions! All good!

Thanks again for your help...unfortunately I can't upload you a beer but thanks again!

johnpoz

well your rules once you change the gateway on the allow to 53, this will allow what is in your alias to access pfsense dns.
Then block all other access to pfsense any IP or port.
The allow stuff in your alias to access tcp 80/443 only through your vpn.

Velcro

Wow!

Talk about reducing "rule bloat"! Managed to reduce all my rules…

Notes:

Reduced my Outbound NAT rules from 28 to 1
Reduced my Interface rules from 11 per interface to 3
DNS Leak test (DNSleaktest.com) still shows no leaks…not sure what that is worth!
update Not sure if I can quantify this but I have never seen my CPU usage so low!

I have attached screen shots of my new VLAN rules…

Thank you Johnpoz…your a good person! I want to test this more but I think I can take this security now to another level.

(All - Support the cause and become a Gold Member! Again well worth the $99!!!)

![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
![NAT rules.png_thumb](/public/imported_attachments/1/NAT rules.png_thumb)
![Updated VLAN rules.png](/public/imported_attachments/1/Updated VLAN rules.png)
![Updated VLAN rules.png_thumb](/public/imported_attachments/1/Updated VLAN rules.png_thumb)

johnpoz

So do you have pfsense forwarding for dns? If your clients are asking the resolver for dns, and its actually resolving. Your IP is going to show up in dnsleaks because your actually resolving so the queries for dns to the authoritative servers will come from your IP.

dns leaks is just the new hype word to scare the kids that don't really have a clue..

Velcro

I am currently using the default DNS Resolver(Services->DNS Resolver->General Settings) as follows:

Network Interfaces set to “ALL”
Outgoing Network Interfaces set to “Open VPN” ONLY

My “DNS Server” field in DHCP Servers(Services->DHCP Server->”Each Interface”):

All are empty except my Apple TV VLAN which still shows OpenDNS IPs

My DNS Server field in General setup (System->General Setup) are all blank.

My next goal was to dive into pfBlockerNG to see if I can get some additional security benefits. I have a few key “Add-ons” in my Firefox browser which seem to provide similar functionality…was hoping to check this out more. I tried a few DNS leak tests but I agree it didn't seem overly assuring…

johnpoz

"* Outgoing Network Interfaces set to “Open VPN” ONLY"

Ah - yeah this would send all your dns queries to the authoritative servers via your vpn connection. So yeah it would show that IP as the dns server.

Velcro

Thanks again Johnpoz!