I need help here. I am hitting the wall. Please help a noob.
-
Here are more shots Expressvpn config.
 -
I rebooted pfsense after configuring Expressvpn and vpn is up after reboot. I then proceed to System/General setup/ DNS Server settings. (see attachments). Next is Services /DNS Resolver/General Settings including Services/DNS Resolver/Advanced Settings.
I did run DNS leaktest and it pass but I can not access some websites including Amazon (see attachment) and internet speed is slow. This is connected to Expressvpn.
I also try to install Pfsense package and its giving me error. I am currently on 2.3.5. Can not install 2.4.2 due to HPET error but let set that aside.
I did also check my ip location and its connected thru expressvpn result is Los Angeles location.
 -
I was really scratching my head. Next is to check my firewall settings (see attachment). On Firewall rules expressvpn i noticed it was empty.
I decided to click add on expressvpn firewall rules and this is how it looks like (see Attachement).
I noticed on Lan firewall lan did have some changes.
 -
This is my NAT outbound.
 -
Here are the results so far:
1. I am currently connected to my Local ISP and can be able to access sites.
2. ExpressVPN is up and connected but I am pretty sure I am not on vpn. Why? because I did check my ip location and since I am not on VPN DNS leak is the result.
3. I have not check my Roku streaming boxes yet because I am pretty sure it's going to be block.
Any suggestions guy?
-
Your NAT rules look fine. Here is a screenshot with some cosmetic edits. :P
The ISAKMP rules are unnecessary in my opinion and can be deleted. The other two edits are just to make the Description more accurate.
 -
Attach are additional information if somebody wants to know. This is my current stats.
 -
I was really scratching my head. Next is to check my firewall settings (see attachment). On Firewall rules expressvpn i noticed it was empty.
It should be empty. The way pfSense firewall rules work is they apply to traffic coming into that interface. So you probably do not want anyone coming into your home and pfSense router from the outside world through the ExpressVPN interface.
I would delete all firewall rules on the ExpressVPN interface and only use LAN rules.
-
Your NAT rules look fine. Here is a screenshot with some cosmetic edits. :P
The ISAKMP rules are unnecessary in my opinion and can be deleted. The other two edits are just to make the Description more accurate.
If I deleted ISAKMP rules, Is there any order on Mappings? or just leave it as is?
-
Your DNS Server Settings (in General Setup) should be non-ExpressVPN DNS servers that your pfSense box will use if the ExpressVPN connection goes down. It's for backup purposes only.
1. Change the DNS servers to any public resolver of your choice. OpenDNS, Level3, Verisign, Comodo, Google, etc.
2. Change the Gateway to WAN instead of ExpressVPN. (Yes, this is a DNS "leak" but only to be used by your pfSense box itself, not your LAN devices, and it's only used if your VPN fails. It's a temporary backup setting.) -
If I deleted ISAKMP rules, Is there any order on Mappings? or just leave it as is?
As is is fine.
-
I was really scratching my head. Next is to check my firewall settings (see attachment). On Firewall rules expressvpn i noticed it was empty.
It should be empty. The way pfSense firewall rules work is they apply to traffic coming into that interface. So you probably do not want anyone coming into your home and pfSense router from the outside world through the ExpressVPN interface.
I would delete all firewall rules on the ExpressVPN interface and only use LAN rules.
Expressvpn firewall rules was originaly on Lan rules "Local_Subnets = Lan Traffic expressvpn" but I can not access websites. The only thing that work for me is to move it to Firewall/ Rules/ExpressVPN which resulted to no connection to VPN.
-
Expressvpn firewall rules was originaly on Lan rules "Local_Subnets = Lan Traffic expressvpn" but I can not access websites. The only thing that work for me is to move it to Firewall/ Rules/ExpressVPN which resulted to no connection to VPN.
I say again: Your ExpressVPN interface rules should be completely empty, unless you want traffic coming INTO that interface, which I would guess is a solid "no." Leave that whole interface rules blank.
Regarding the one rule you set up: I thought you wanted to set up an alias for your three Roku devices. It's unnecessary to really set up an alias for 192.168.1.0/24 since you can just put that directly in the firewall rule.
In fact, if you want your entire LAN subnet to go out through ExpressVPN, then it's not really necessary to have that rule in the first place. Your ExpressVPN configuration should automatically pull routes.
-
I followed your suggestions on the NAT outbound. I also deleted the Firewall/Rules/EXPRESSVPN and instead put back the Firewall/Rules/Lan.
I also change System/General /Setup as suggested. I was able to connect back to expressvpn but it resulted to a slow connections. some sites are not available. Is there a way to coorect this?
Also I am not in the process of setting up the Roku yet. I just want to make sure I won't have any problem with browsing. If connection is slow on browsing I think I can not be able to stream my Rokus.
I tinker on Interface/ExpressVPN. Under general Information, IPv4 Configuration Type = DHCP. this was the instruciotns by expressvpn. If I change from DHCP to NONE, I get faster browsing but I get disconnected from VPN.
I have not use any traffic shaper for the moment fyi.
I am providing some screenshots for your perusal.
 -
I was able to connect back to expressvpn but it resulted to a slow connections. some sites are not available. Is there a way to coorect this?
Let's compare apples to apples.
1. Is your OpenVPN configuration on pfSense identical to your OpenVPN configuration on your Asus router?
2. On your Asus router, are you able to visit Amazon and other sites, or are you getting the same error message? If so, why?
3. On your Asus router (which I assume has much slower CPU than your pfSense box), is VPN throughput slow?
4. On your Asus router, are you also connected to ExpressVPN - Los Angeles?
5. Are you in Europe? Asia? Somewhere else? You may want to try out different VPN servers and see if speed improves.
6. Where did you get the config settings in "Custom options"? Also, is everything else correct such as the SHA512 HMAC?I tinker on Interface/ExpressVPN. Under general Information, IPv4 Configuration Type = DHCP. this was the instruciotns by expressvpn. If I change from DHCP to NONE, I get faster browsing but I get disconnected from VPN.
FYI: I have my VPN interfaces all set to "None."
-
I followed your suggestions on the NAT outbound.
Dude, you're tweaking mah OCD. :P I'd edit your Descriptions for sanity purposes as in my screenshot. Just two edits. "LAN to ExpressVPN" and "localhost to ExpressVPN"
-
I was able to connect back to expressvpn but it resulted to a slow connections. some sites are not available. Is there a way to coorect this?
Let's compare apples to apples.
1. Is your OpenVPN configuration on pfSense identical to your OpenVPN configuration on your Asus router?
2. On your Asus router, are you able to visit Amazon and other sites, or are you getting the same error message? If so, why?
3. On your Asus router (which I assume has much slower CPU than your pfSense box), is VPN throughput slow?
4. On your Asus router, are you also connected to ExpressVPN - Los Angeles?
5. Are you in Europe? Asia? Somewhere else? You may want to try out different VPN servers and see if speed improves.
6. Where did you get the config settings in "Custom options"? Also, is everything else correct such as the SHA512 HMAC?I tinker on Interface/ExpressVPN. Under general Information, IPv4 Configuration Type = DHCP. this was the instruciotns by expressvpn. If I change from DHCP to NONE, I get faster browsing but I get disconnected from VPN.
FYI: I have my VPN interfaces all set to "None."
1. Yes they are exactly the same as my Asus router.
2. I don't have any problem on any website on Asus on Expressvpn. In fact 1 have 3 simultaneous connections in the US.
3. Yes the throughput is slow 3 to 5 mpbs Up/down. That is the reason I want to migrate to Pfsense.
4. On the Asus I have 2 connections to Los Angeles and 1 connection to New Jersey
5. I am from SE Asia. I have tried to connect to different US servers they are almost all the same when it comes to speed. Not all Expresss vpn servers are good for geolocation blocking. so far the 3 I mention works well on my Asus.
6 I followed expressvpn link provided.
https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/
This is the custom options provided on their website.
fast-io;persist-key;persist-tun;remote-random;pull;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288
Its SHA512 bit. I am not sure if its HMAC.
-
I followed your suggestions on the NAT outbound.
Dude, you're tweaking mah OCD. :P I'd edit your Descriptions for sanity purposes as in my screenshot. Just two edits. "LAN to ExpressVPN" and "localhost to ExpressVPN"
My apologies to you. I am thinking of taking some Xanax with these pfsense ordeal.
Anyway I am attaching some desktop screenshots.
 -
I finally able to solve my pfsense ordeal. It took me 15 hours to figure everything out. Geolocation blocking is finally fixed. Netflix and Hulu are working but at the moment I can not get access to Amazon website on OpenVPN.
I would like to thank Finger79 and kenjianshi for their resolute support.
I will post some instructions later the day but until I resolve Amazon DNS problem.
-
Yes - It is very odd that netflix would work but not amazon. Its probably a simple fix. We can see after you post your final configuration.
This could be a DNS issue. You might want to find out if your VPN provider has their own dedicated reliable DNS IP and use that.
The problem I have with 8.8.8.8 and 8.8.4.4 is those can connect you to many different servers depending on your location.
In my laptop off the VPN from Manila when I ping 8.8.8.8, its 30ms
When in my vpn I use my remote pfsense LAN IP as my DNS server IP. When I ping that IP, it shows about 250ms. Far away as it should be.
When I ping 8.8.8.8 in the vpn, again over 250ms. So, it is being tunneled properly.
We might want to do that test with you to be sure that the DNS servers you are connecting to are physically in the USA and not close by.
Could be something else though. Not sure. Its strange.