VPN fail safe failed?
-
Hi,
I set up my pfSense server back in May. Had some hurdles getting everything sorted, but you guys were great and it is working like a champ, or so I thought. My setup is as follows: I've got my main internet feed through Cox coming in to the pfSense box. It splits into 2 LANs, one open, the other through a VPN for downloading things. Cox suspended my internet for downloading a particular file tonight, but if my VPN goes offline that internet connection is supposed to stop dead in its tracks. Just wondering how they knew what I was downloading, or if there is a problem with my setup?
The original feed that I got set up with is https://forum.pfsense.org/index.php?topic=110778.msg627272#msg627272
I've also attached screens of my rules as I have them.
Thanks in advance.
-
What is the status of the Skip Rules when Gateway is Down checkbox in System > Advanced, Miscellaneous?
If you take the VPN down what happens when LAN hosts try to connect outbound?
If your goal is to make sure nothing on LAN goes out the clear WAN, I have no idea why you have that last pass any any any rule on LAN. The one after the policy routing rule to PIA. That is something you would never want to happen in any case.
-
Derelict,
Thanks for your reply. When I take the VPN down my internet connection ceases instantly when I'm web browsing. Loaded up CNN, took the VPN down, clicked a link and it's dead in the water.
I've attached the rules, but it is unchecked. Also, for clarification's sake, I attached the rule I believe you said I should not have so I don't delete the wrong one. The one above the PIA rule in the LAN section is so I can communicate between my two internal networks, moving files from the box that is encrypted to my Plex server that can get out.
-
Also, I may have possibly found my issue… I did a DNS leak test on my encrypted network and it's showing my actual IP address and not the VPN's. The IP leak test is showing my VPN's IP. If this is my problem, do you have any solutions on how to fix it?
Attached my main screen below as well as it lists my DNS servers. DNS leak server information from PIA also attached.
-
Yeah just disable/delete that last rule. The bypass rule to OPT1 network makes sense.
There is really no way that I know of that what you have would fail to block that traffic out WAN. Are you sure the offending traffic didn't originate from OPT1?
The rule you posted doesn't show the interfaces on the block NO_WAN_EGRESS floating rule. It should be on WAN out.
I find it quite doubtful that you are getting an ISP letter due to a DNS leak.
But, yeah, set your LAN clients to use something in the internet (or on LAN) for their DNS servers. Don't use something on the firewall like the forwarder/resolver. That way all DNS queries will be flagged NO_WAN_EGRESS too and will either go out the VPN or go nowhere.
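As an added illustration (not part of this thread or of pfSense's own generated ruleset), the pf rules below are the equivalent of the LAN and floating rules discussed above, with the trailing pass-any rule and the DNS leak marked as the weak settings and the corrected form beside them. Interface names, subnets and the VPN gateway address are assumptions: em0 = WAN, em1 = LAN (192.168.1.0/24), em2 = OPT1 (192.168.2.0/24), ovpnc1 = the PIA OpenVPN client with gateway 10.8.0.1.

```pf
# Assumed interface and network names (constructed for this example).
wan      = "em0"
lan      = "em1"
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"

# --- Floating rule, WAN out, evaluated before interface rules: anything
# tagged NO_WAN_EGRESS that tries to leave through the clear WAN is dropped.
# "quick" stops further evaluation, so no later pass rule can rescue it.
block out quick on $wan tagged NO_WAN_EGRESS

# --- LAN rules, in order.
# Bypass rule: LAN to OPT1 stays inside; no tag and no VPN gateway.
pass in quick on $lan inet from $lan_net to $opt1_net keep state

# Policy-routing rule: everything else from LAN is tagged and handed to the
# PIA gateway. If the VPN is down and "Skip rules when gateway is down" is
# unchecked, pfSense re-creates this rule without route-to, so the packets
# follow the default route toward WAN, but they still carry the tag and the
# floating block above drops them. That is the fail-safe.
pass in quick on $lan inet from $lan_net to any keep state tag NO_WAN_EGRESS route-to (ovpnc1 10.8.0.1)

# --- WEAK: the trailing "pass any any any" LAN rule. It never matches while
# the rule above is quick and covers "to any", but the moment that rule is
# disabled or re-ordered, this one passes untagged, unrouted traffic straight
# out WAN. Delete it rather than rely on ordering.
# pass in quick on $lan inet from any to any keep state

# --- DNS leak: firewall-originated traffic is not LAN traffic. When LAN
# clients point at the forwarder/resolver on pfSense itself, the upstream
# lookup leaves from the firewall on $wan under its own outbound pass rule,
# is never tagged, and the kill switch cannot see it.
pass out quick on $wan inet from ($wan) to any keep state

# --- CORRECTED: give clients an Internet (or LAN) DNS server via DHCP or
# static IP settings. Their port-53 traffic then enters on $lan, matches the
# policy-routing rule, gets the tag, and goes out the VPN or nowhere.
# No extra rule is needed; the existing tagged LAN rule already covers it.
```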
-
Derelict,
I've attached my NO_WAN_EGRESS rule. I believe it is correct, as you stated, for the WAN out direction, if you could double check it.
How would I go about setting up my LAN clients as you described?
And yeah, I'm 100% positive nothing originated from the OPT1 network. The torrent was downloaded remotely via my cellphone (not on wifi) into Dropbox, where my torrent program loaded it on a dedicated machine that is on ethernet directly into that encrypted router. No other machine has a torrent program or that Dropbox on it.
-
Pretty much impossible for that traffic to have gone out WAN, bro. Something is not how it is being represented.
You really do not know how to configure DNS servers? They are either static on the individual hosts or in the DHCP server on your LAN.
Just set them to something out on the internet like 8.8.8.8/8.8.4.4.
-
Derelict,
I know how to add DNS servers in Windows under the IP settings… is that what you're talking about? Sorry, I figured it might have been something else that you were wanting me to do in pfSense, which I'm not overly familiar with beyond that initial setup process I went through to get everything working that I needed.
I've attached the image of what I'm guessing is the correct spot. Also I attached the image of my DNS leak test... it's showing me my exact IP address assigned from Cox, which makes me think it is the culprit. Changing my DNS servers in the IP settings should fix the leak even though it won't match my VPN?
-
I think I'm good. I went ahead and adjusted the DNS server information via the TCP/IP settings and ran the leak test; it came back as my VPN's IP. Appreciate the help, Derelict.