@qbhatti said in Pihole as secondary dns: blocks some google ads so it means I cant click on shopping items or sponsored items when searching. Seems like a problem of the ad blocking list your are using in Pihole. You could try a safe one like OISD Basic that has no false positives.

@Antibiotic All of the PiHoles are on VLAN42. PiHole services VLANS 2,42,100 and 129.

@johnpoz dnsleaktest.com shows the IP address of my vpn provider. whether you select standard or extended, it then shows results in the IP of my ISP connection. my config is as follows System DNS Servers DNS Servers 1.1.1.1 firewall WAN DNS Server Override unchecked Disable DNS Forwarder checked DNS Resolver enable checked Network Interfaces LAN / VLAN Outgoing Interfaces Localhost system transparent DNSSEC checked Use SSL/TLS outgoing checked DHCP Register checked Static DHCP checked Advanced Privacy Hide ID checked Hide Version checked Query Name checked Prefetch Support checked prefetch DNS key checked harden DNSSEC checked Experimental Bit 0x20 checked Routing WAN Default Route Rules TCP/UDP * * LAN Address DNS allow TCP/UDP * * !Firewall DNS block TCP/UDP * * VPNBYPASS * WAN none TCP/UDP * * !LAN * ExpressVPN none NAT LAN TCP/UDP * * !LAN Address DNS LAN Addr (i found using 127.0.0.1 didn't work, but it did with LAN addr) ** PS it is not a tin foil hat, when you live in a country where big law firms criminally intimidate and extort (for 3yrs relentlessly) exorbitant amounts of money because you play 50sec of a movie - consider yourself lucky your lawyers haven't woken up to that scam **

Thank you everyone. So both the fixed ip set on device and those set on pfsense must not be in the dhcp pool. I will have to change some of my fixed ips. I will definitely install pfblockng.