@qbhatti said in Pihole as secondary dns:

blocks some google ads so it means I cant click on shopping items or sponsored items when searching.

Seems like a problem of the ad blocking list your are using in Pihole.
You could try a safe one like OISD Basic that has no false positives.

@Antibiotic All of the PiHoles are on VLAN42. PiHole services VLANS 2,42,100 and 129.

@johnpoz dnsleaktest.com shows the IP address of my vpn provider.
whether you select standard or extended, it then shows results in the IP of my ISP connection.

my config is as follows
System DNS Servers
DNS Servers 1.1.1.1 firewall WAN
DNS Server Override unchecked
Disable DNS Forwarder checked

DNS Resolver
enable checked
Network Interfaces LAN / VLAN
Outgoing Interfaces Localhost
system transparent
DNSSEC checked
Use SSL/TLS outgoing checked
DHCP Register checked
Static DHCP checked

Advanced Privacy
Hide ID checked
Hide Version checked
Query Name checked
Prefetch Support checked
prefetch DNS key checked
harden DNSSEC checked
Experimental Bit 0x20 checked

Routing
WAN Default Route

Rules
TCP/UDP * * LAN Address DNS allow
TCP/UDP * * !Firewall DNS block

TCP/UDP * * VPNBYPASS * WAN none
TCP/UDP * * !LAN * ExpressVPN none

NAT
LAN TCP/UDP * * !LAN Address DNS LAN Addr (i found using 127.0.0.1 didn't work, but it did with LAN addr)

** PS it is not a tin foil hat, when you live in a country where big law firms criminally intimidate and extort (for 3yrs relentlessly) exorbitant amounts of money because you play 50sec of a movie - consider yourself lucky your lawyers haven't woken up to that scam **

Thank you everyone.
So both the fixed ip set on device and those set on pfsense must not be in the dhcp pool. I will have to change some of my fixed ips.

I will definitely install pfblockng.