I need help here. I am hitting the wall. Please help a noob.



  • I just had pfSense 2.3.5 installed with ExpressVPN using OpenVPN. I use ExpressVPN for geolocation on my 3 wired Rokus. ExpressVPN support does not have any knowledge of pfSense and is just fishing for answers.

    I was provided with the ExpressVPN media streamer and I was able to route my LAN and AP traffic to the VPN with no problem.

    Netflix is tough for geolocation. I noticed pfSense has DNS leaks by default. I found a solution to stop the leak at this link.

    https://nettb.com/blog/2015/03/pfsense-dns-leak-when-connected-to-vpn-fix/

    I was able to fix the leak based on the link provided. But the problem still persists: I cannot get my Netflix, Amazon Prime, and Hulu to function. I was able to browse the internet with no problem, but some sites are not resolved by DNS.

    I am currently using Services / DNS Forwarder. Services / DNS Resolver / General Settings is on by default, but I had to turn it off. I can't use both of them at the same time.

    I am at a loss here. This is uncharted territory for me. I have an Asus RT-AC87U and it's functioning well on ExpressVPN; I keep it as a spare for the moment. But I want to learn pfSense because the sky is the limit and it has very good potential.

    Here is my current setup:

    50 Mbps down, 50 Mbps up on a bridged fiber connection.

    Fiber modem> Pfsense> 5 port switch> Asus RT AC68

    3 Roku connected to 5 port switch + Asus as AP

    Asrock 3455 itx, 4 gigs DDR3 sodimm, Intel SSD, Intel i340 T4.

    All devices are connected thru wifi except Roku.

    I also need help on how to do selective routing on some devices for geolocation.



  • Hello and welcome!

    Some questions:

    1.  Do you prefer to have the VPN connected 24/7?
    2.  How complicated is your geolocation VPN setup?  For example, how many countries do you want to connect to?  Just one tunnel for USA, or do you have many tunnels for many countries that you want to manually choose each time?  This can make your policy-based routing more complicated.  If it is just one country for geolocation, it makes the rules easier and more automatic.
    3.  Do you only want your Roku boxes to use ExpressVPN, and your normal traffic to go out your normal WAN connection?  Or do you want to have Roku boxes to use ExpressVPN Country #1 and your normal traffic to go out ExpressVPN Country #2?
    4.  Is there a reason you are on 2.3.5 instead of 2.4.2?  Is your pfSense box 32-bit only?

    I can help with the DNS leak issue.  In my opinion, that article is outdated.  The DNS Forwarder is outdated, in my opinion, although I used it in pfSense for a few years.  I switched to the DNS Resolver (unbound) about 1 or 2 years ago and haven't looked back.

    Here is what I recommend for DNS:

    1.  Switch to the DNS Resolver.  (Disable Forwarder, Enable Resolver.)
    2.  In Services / DNS Resolver / General Settings, under "Outgoing Network Interfaces," choose your ExpressVPN interface only.  Make sure "All" and "WAN" are not selected.  This will force all DNS queries to go out the VPN only.  There is an exception to this:  DNS queries from the pfSense host itself (such as for pfSense updates and upgrades) need a backup resolver if the VPN tunnel goes down.  I cover this below in Step 5.
    3.  Make sure DNSSEC is enabled, for extra security.
    4.  Under Services / DNS Resolver / Advanced Settings, enable "Hide Identity" and "Hide Version" for more privacy.  Also tick "Harden DNSSEC Data."
    5.  Under System / General Setup, you will need at least one public DNS Resolver entered here, such as OpenDNS, Level 3, etc. (your choice).  By default, the pfSense box itself will first send DNS queries to 127.0.0.1 (localhost), which in this case will be handled by unbound (the DNS Resolver), which will send out traffic through ExpressVPN only.  But if the VPN tunnel goes down for whatever reason, queries from the pfSense box itself will go out the backup public DNS servers you enter here.  This won't be your normal LAN DNS queries (which should fail if the VPN fails, meaning no DNS Leak :) ) but just for pfSense box queries only.



  • Do you prefer to have the VPN connected 24/7?

    Yes, I always require a 24/7 connection on the VPN.

    How complicated is your geolocation VPN setup?

    1. I only use one country setup (USA). I use the Rokus to access Netflix, Hulu and Amazon Prime Videos. I also use it for online shopping and banking.

    Do you only want your Roku boxes to use ExpressVPN, and your normal traffic to go out your normal WAN connection?  Or do you want to have Roku boxes to use ExpressVPN Country #1 and your normal traffic to go out ExpressVPN Country #2?

    1. I use the Rokus to access Netflix, Hulu and Amazon Prime Videos. I also use it for online shopping and banking.

    2. Country 1 is used for streaming devices.

    I have an Asrock 3455B ITX motherboard; it's 64-bit and supports AES for OpenVPN, but I can't install the current 2.4.2 due to an HPET error. So I just decided to use 2.3.5.

    I did follow your instructions to the T, but I cannot get Netflix and Amazon Prime to work; they say "No internet connection", but Hulu does work. The DNS leak is gone.

    I did check the firewall rules / ExpressVPN: Action = Pass, Interface = ExpressVPN, Address Family = IPv4, Protocol = any, and did not touch the rest of it.

    Status / Dashboard

    DNS server(s)

    127.0.0.1
    85.203.37.1
    85.203.37.2

    General Setup / DNS servers: 85.203.37.1 = ExpressvpnDHCP opt1, 85.203.37.2 = ExpressvpnDHCP opt1. I am not quite sure if I've done it correctly.

    Currently all my Wi-Fi devices are connected to ExpressVPN. It really taxes the speed due to distance. What I want is to know how to do selective routing so I can assign just certain devices to the VPN.

    Thank you



  • My experiences overseas using VPN back to the states.

    1.  Latency impacts bandwidth.  So, you are much better off running your VPN client on each device that needs the vpn rather than running it on 1 centralized device that serves vpn to everything else.

    2.  Companies are always claiming to be able to provide you Netflix and other video streaming sites.  My experience is that unless you have a dedicated IP, that's not going to be reliable.  Actually, if you want the best possible experience, buy a pfSense for someone in the states to replace their cheap router on the condition they let you run a VPN on it using their IP and bandwidth.  I have my own personal pfSense in my house in the USA and my friends who travel also have them at their houses.  We share.  Residential IPs give the best results.

    3.  Pfsense doesn't leak DNS.  At least not for me when I use it as the server.  Every pfsense I've got running in the USA can slice through netflix blocks, no problem.



  • That is a very good idea, kejianshi. But prior to jumping on pfSense, I have a working Asus router with Merlin firmware that works pretty well on ExpressVPN, blocks geolocation and does selective routing.

    The reason I need advice is: how come my off-the-shelf router can run on the VPN? pfSense is nice, but it has a steep learning curve for me.



  • I'm not sure.  I have not seen expressvpn server configuration and I haven't seen your pfsense client configuration.



  • This is the link provided by ExpressVPN, which I followed.

    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/



  • I'm not sure.  I did take a look at it though.

    I've done this using pfsense as server and with ALL TRAFFIC routed from the pfsense client to the pfsense server and it worked great.

    In other words, the client side had a peer-to-peer configuration but the server side was a remote access configuration.

    For what you are trying to achieve, that worked wonderfully.  I'm not sure what is going on with express VPN.

    I can tell you that you want all, not some and not selectively when it comes to traffic being routed via that vpn.

    People will really need to see your OpenVPN config.  The one you actually entered and not the instructions from ExpressVPN.

    Also, your firewall rules.



  • @lovan6:

    I did check the firewall rules / ExpressVPN: Action = Pass, Interface = ExpressVPN, Address Family = IPv4, Protocol = any, and did not touch the rest of it.

    What interfaces do you have right now?  WAN, LAN, ExpressVPN?  ExpressVPN interface shouldn't have any rules (blank).

    The rule you want should be on your LAN interface.

    Source:  "Roku" (Make an alias with the static IPs of all your Roku devices.  Either do static IP or DHCP reservation).
    (Advanced) Gateway:  ExpressVPN



  • Well, as of today I decided to stop using my pfSense box and go back to my Asus RT-AC87U with ExpressVPN. It took me 2 1/2 straight days trying to figure out how to unblock Netflix and Amazon Prime with pfSense.

    Please don't get me wrong, I find pfSense has good potential and I am not going to stop until I run it to perfection.

    Currently I am on pfSense 2.3.5 because I had a hard time installing 2.4.2; it gives me an HPET error. Also the current firmware build does not want to install new packages even after several clean installs.

    I will post images later on how I configured pfSense with ExpressVPN, including the firewall settings. ExpressVPN support is no use to me since they lack knowledge of pfSense.

    Thanks guys!



  • I hope this is constructive criticism.  Knowing what you might have done or was supposed to do or the directions tell you to do is completely unhelpful.

    When people absolutely refuse to post their actual setups (we are talking screenshots of the pfsense configurations), good things rarely happen.

    I wish you luck.



  • I will post my configuration. I really need to get this going. I find this forum helpful and really appreciate the help of forum members.

    It just happens that my wife and kids are complaining since I started messing with their Internet and VPN connections for 2 1/2 days.



  • I'm not the authority on much of anything, but I'm pretty sure if someone sees a big error in the config they will point it out.



  • @lovan6:

    It just happens that my wife and kids are complaining since I started messing with their Internet and VPN connections for 2 1/2 days.

    Best practice is to not put a new setup into production until it's production-ready.  In other words, you can configure pfSense separately while your household still uses the Asus in production.  When the pfSense config is stable, you're ready to go live with a smooth transition.



  • @lovan6:

    Well, as of today I decided to stop using my pfSense box and go back to my Asus RT-AC87U with ExpressVPN. It took me 2 1/2 straight days trying to figure out how to unblock Netflix and Amazon Prime with pfSense.

    I'm confused.  You had it working but gave up anyways.

    The policy-based routing firewall rule is just one rule, described above, and it would allow your Roku devices to be routed through ExpressVPN.  I fail to see what difficulty you are encountering or why you gave up when you were a few seconds from success.



  • @Finger79:

    @lovan6:

    Well, as of today I decided to stop using my pfSense box and go back to my Asus RT-AC87U with ExpressVPN. It took me 2 1/2 straight days trying to figure out how to unblock Netflix and Amazon Prime with pfSense.

    I'm confused.  You had it working but gave up anyways.

    The policy-based routing firewall rule is just one rule, described above, and it would allow your Roku devices to be routed through ExpressVPN.  I fail to see what difficulty you are encountering or why you gave up when you were a few seconds from success.

    My main concern in going the pfSense route is geolocation unblocking. The 3 major streaming companies are getting tougher every day. It used to be a simple paid DNS service and you're done. I have been tinkering with routers for years, starting from DD-WRT and Tomato to the current Asus Merlin. Times have changed and I have to follow what is current.

    Asus Merlin firmware is so simple to use for an average guy like me, but there are some limitations too when it comes to hardware. And this is the reason why I wanted to learn pfSense: because I have the freedom to do so.

    I am no expert on things and it takes time to learn. For me it's no pain, no gain.

    I will be posting some desktop configuration screenshots of ExpressVPN later so the community can take a look, including some problems I encountered.



  • OK, I am back to pfSense today and decided to start with a clean slate by doing a factory restore in the GUI.

    After doing the wizard, I proceeded to install ExpressVPN.

    ![Screen Shot 2017-11-26 at 8.45.01 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.45.01 AM.png)
    ![Screen Shot 2017-11-26 at 8.44.32 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.44.32 AM.png)
    ![Screen Shot 2017-11-26 at 8.43.42 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.43.42 AM.png)
    ![Screen Shot 2017-11-26 at 8.41.17 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.41.17 AM.png)
    ![Screen Shot 2017-11-26 at 8.39.54 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.39.54 AM.png)
    ![Screen Shot 2017-11-26 at 8.38.44 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.38.44 AM.png)
    ![Screen Shot 2017-11-26 at 8.37.53 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.37.53 AM.png)
    ![Screen Shot 2017-11-26 at 8.37.32 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.37.32 AM.png)
    ![Screen Shot 2017-11-26 at 8.32.18 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.32.18 AM.png)
    ![Screen Shot 2017-11-26 at 8.30.13 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.30.13 AM.png)
    ![Screen Shot 2017-11-26 at 8.29.12 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.29.12 AM.png)
    ![Screen Shot 2017-11-26 at 8.21.59 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.21.59 AM.png)
    ![Screen Shot 2017-11-26 at 8.21.07 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.21.07 AM.png)
    ![Screen Shot 2017-11-26 at 8.20.26 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.20.26 AM.png)
    ![Screen Shot 2017-11-26 at 8.19.16 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.19.16 AM.png)



  • Here are more shots of the ExpressVPN config.

    ![Screen Shot 2017-11-26 at 8.18.08 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.18.08 AM.png)
    ![Screen Shot 2017-11-26 at 8.13.58 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.13.58 AM.png)
    ![Screen Shot 2017-11-26 at 8.10.51 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.10.51 AM.png)
    ![Screen Shot 2017-11-26 at 8.07.28 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 8.07.28 AM.png)



  • I rebooted pfSense after configuring ExpressVPN and the VPN is up after the reboot. I then proceeded to System / General Setup / DNS Server settings (see attachments). Next is Services / DNS Resolver / General Settings, including Services / DNS Resolver / Advanced Settings.

    I did run a DNS leak test and it passes, but I cannot access some websites including Amazon (see attachment) and the internet speed is slow. This is connected to ExpressVPN.

    I also tried to install a pfSense package and it's giving me an error. I am currently on 2.3.5. I cannot install 2.4.2 due to an HPET error, but let's set that aside.

    I did also check my IP location and it's connected through ExpressVPN; the result is a Los Angeles location.

    ![Screen Shot 2017-11-26 at 10.55.46 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 10.55.46 AM.png)
    ![Screen Shot 2017-11-26 at 10.56.56 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 10.56.56 AM.png)
    ![Screen Shot 2017-11-26 at 10.57.10 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 10.57.10 AM.png)
    ![Screen Shot 2017-11-26 at 9.02.42 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.02.42 AM.png)
    ![Screen Shot 2017-11-26 at 9.21.36 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.21.36 AM.png)
    ![Screen Shot 2017-11-26 at 10.01.01 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 10.01.01 AM.png)



  • I was really scratching my head. Next was to check my firewall settings (see attachment). On Firewall / Rules / ExpressVPN I noticed it was empty.

    I decided to click Add on the ExpressVPN firewall rules and this is how it looks (see attachment).

    I noticed the LAN firewall rules did have some changes.

    ![Screen Shot 2017-11-26 at 9.14.42 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.14.42 AM.png)
    ![Screen Shot 2017-11-26 at 9.14.49 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.14.49 AM.png)
    ![Screen Shot 2017-11-26 at 9.17.28 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.17.28 AM.png)
    ![Screen Shot 2017-11-26 at 9.21.36 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 9.21.36 AM.png)



  • This is my NAT outbound.

    ![Screen Shot 2017-11-26 at 11.34.08 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 11.34.08 AM.png)



  • Here are the results so far:

    1. I am currently connected to my local ISP and am able to access sites.

    2. ExpressVPN is up and connected, but I am pretty sure I am not on the VPN. Why? Because I did check my IP location, and since I am not on the VPN a DNS leak is the result.

    3. I have not checked my Roku streaming boxes yet because I am pretty sure they're going to be blocked.

    Any suggestions, guys?



  • Your NAT rules look fine.  Here is a screenshot with some cosmetic edits. :P

    The ISAKMP rules are unnecessary in my opinion and can be deleted.  The other two edits are just to make the Description more accurate.

    ![140466_ExpressVPN NAT.png](/public/imported_attachments/1/140466_ExpressVPN NAT.png)



  • Attached is additional information if somebody wants to know. These are my current stats.

    ![Screen Shot 2017-11-26 at 11.51.26 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 11.51.26 AM.png)
    ![Screen Shot 2017-11-26 at 11.51.38 AM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 11.51.38 AM.png)



  • @lovan6:

    I was really scratching my head. Next was to check my firewall settings (see attachment). On Firewall / Rules / ExpressVPN I noticed it was empty.

    It should be empty.  The way pfSense firewall rules work is they apply to traffic coming into that interface.  So you probably do not want anyone coming into your home and pfSense router from the outside world through the ExpressVPN interface.

    I would delete all firewall rules on the ExpressVPN interface and only use LAN rules.



  • @Finger79:

    Your NAT rules look fine.  Here is a screenshot with some cosmetic edits. :P

    The ISAKMP rules are unnecessary in my opinion and can be deleted.  The other two edits are just to make the Description more accurate.

    If I delete the ISAKMP rules, is there any order on Mappings, or should I just leave it as is?



  • Your DNS Server Settings (in General Setup) should be non-ExpressVPN DNS servers that your pfSense box will use if the ExpressVPN connection goes down.  It's for backup purposes only.

    1.  Change the DNS servers to any public resolver of your choice.  OpenDNS, Level3, Verisign, Comodo, Google, etc.
    2.  Change the Gateway to WAN instead of ExpressVPN.  (Yes, this is a DNS "leak" but only to be used by your pfSense box itself, not your LAN devices, and it's only used if your VPN fails.  It's a temporary backup setting.)



  • @lovan6:

    If I delete the ISAKMP rules, is there any order on Mappings, or should I just leave it as is?

    As is is fine.



  • @Finger79:

    @lovan6:

    I was really scratching my head. Next was to check my firewall settings (see attachment). On Firewall / Rules / ExpressVPN I noticed it was empty.

    It should be empty.  The way pfSense firewall rules work is they apply to traffic coming into that interface.  So you probably do not want anyone coming into your home and pfSense router from the outside world through the ExpressVPN interface.

    I would delete all firewall rules on the ExpressVPN interface and only use LAN rules.

    The ExpressVPN firewall rules were originally on the LAN rules ("Local_Subnets = Lan Traffic expressvpn") but I could not access websites. The only thing that worked for me was to move them to Firewall / Rules / ExpressVPN, which resulted in no connection to the VPN.



  • @lovan6:

    The ExpressVPN firewall rules were originally on the LAN rules ("Local_Subnets = Lan Traffic expressvpn") but I could not access websites. The only thing that worked for me was to move them to Firewall / Rules / ExpressVPN, which resulted in no connection to the VPN.

    I say again:  Your ExpressVPN interface rules should be completely empty, unless you want traffic coming INTO that interface, which I would guess is a solid "no."  Leave that whole interface rules blank.

    Regarding the one rule you set up:  I thought you wanted to set up an alias for your three Roku devices.  It's unnecessary to really set up an alias for 192.168.1.0/24 since you can just put that directly in the firewall rule.

    In fact, if you want your entire LAN subnet to go out through ExpressVPN, then it's not really necessary to have that rule in the first place.  Your ExpressVPN configuration should automatically pull routes.



  • I followed your suggestions on the NAT outbound. I also deleted the Firewall / Rules / EXPRESSVPN rules and instead put them back in Firewall / Rules / LAN.

    I also changed System / General Setup as suggested. I was able to connect back to ExpressVPN but it resulted in slow connections; some sites are not available. Is there a way to correct this?

    Also, I am not in the process of setting up the Rokus yet. I just want to make sure I won't have any problem with browsing. If the connection is slow for browsing, I think I will not be able to stream on my Rokus.

    I tinkered with Interfaces / ExpressVPN. Under General Information, IPv4 Configuration Type = DHCP; this was the instruction from ExpressVPN. If I change from DHCP to None, I get faster browsing but I get disconnected from the VPN.

    I have not used any traffic shaper for the moment, FYI.

    I am providing some screenshots for your perusal.

    ![Screen Shot 2017-11-26 at 1.00.41 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 1.00.41 PM.png)
    ![Screen Shot 2017-11-26 at 12.59.14 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 12.59.14 PM.png)
    ![Screen Shot 2017-11-26 at 12.58.44 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 12.58.44 PM.png)
    ![Screen Shot 2017-11-26 at 12.58.25 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 12.58.25 PM.png)
    ![Screen Shot 2017-11-26 at 12.58.08 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 12.58.08 PM.png)
    ![Screen Shot 2017-11-26 at 12.57.57 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 12.57.57 PM.png)



  • @lovan6:

    I was able to connect back to ExpressVPN but it resulted in slow connections; some sites are not available. Is there a way to correct this?

    Let's compare apples to apples.

    1.  Is your OpenVPN configuration on pfSense identical to your OpenVPN configuration on your Asus router?
    2.  On your Asus router, are you able to visit Amazon and other sites, or are you getting the same error message?  If so, why?
    3.  On your Asus router (which I assume has much slower CPU than your pfSense box), is VPN throughput slow?
    4.  On your Asus router, are you also connected to ExpressVPN - Los Angeles?
    5.  Are you in Europe?  Asia?  Somewhere else?  You may want to try out different VPN servers and see if speed improves.
    6.  Where did you get the config settings in "Custom options"?  Also, is everything else correct such as the SHA512 HMAC?

    @lovan6:

    I tinkered with Interfaces / ExpressVPN. Under General Information, IPv4 Configuration Type = DHCP; this was the instruction from ExpressVPN. If I change from DHCP to None, I get faster browsing but I get disconnected from the VPN.

    FYI:  I have my VPN interfaces all set to "None."



  • @lovan6:

    I followed your suggestions on the NAT outbound.

    Dude, you're tweaking mah OCD.  :P  I'd edit your Descriptions for sanity purposes as in my screenshot.  Just two edits.  "LAN to ExpressVPN" and "localhost to ExpressVPN"



  • @Finger79:

    @lovan6:

    I was able to connect back to ExpressVPN but it resulted in slow connections; some sites are not available. Is there a way to correct this?

    Let's compare apples to apples.

    1.  Is your OpenVPN configuration on pfSense identical to your OpenVPN configuration on your Asus router?
    2.  On your Asus router, are you able to visit Amazon and other sites, or are you getting the same error message?  If so, why?
    3.  On your Asus router (which I assume has much slower CPU than your pfSense box), is VPN throughput slow?
    4.  On your Asus router, are you also connected to ExpressVPN - Los Angeles?
    5.  Are you in Europe?  Asia?  Somewhere else?  You may want to try out different VPN servers and see if speed improves.
    6.  Where did you get the config settings in "Custom options"?  Also, is everything else correct such as the SHA512 HMAC?

    @lovan6:

    I tinkered with Interfaces / ExpressVPN. Under General Information, IPv4 Configuration Type = DHCP; this was the instruction from ExpressVPN. If I change from DHCP to None, I get faster browsing but I get disconnected from the VPN.

    FYI:  I have my VPN interfaces all set to "None."

    1.  Yes they are exactly the same as my Asus router.

    2.  I don't have any problem on any website on the Asus with ExpressVPN. In fact I have 3 simultaneous connections in the US.

    3.  Yes, the throughput is slow, 3 to 5 Mbps up/down. That is the reason I want to migrate to pfSense.

    4.  On the Asus I have 2 connections to Los Angeles and 1 connection to New Jersey.

    5.  I am from SE Asia. I have tried to connect to different US servers; they are almost all the same when it comes to speed. Not all ExpressVPN servers are good for geolocation blocking. So far the 3 I mentioned work well on my Asus.

    6.  I followed the ExpressVPN link provided.

    https://www.expressvpn.com/support/vpn-setup/pfsense-with-expressvpn-openvpn/

    This is the custom options provided on their website.

    fast-io;persist-key;persist-tun;remote-random;pull;tls-client;verify-x509-name Server name-prefix;ns-cert-type server;key-direction 1;route-method exe;route-delay 2;tun-mtu 1500;fragment 1300;mssfix 1450;verb 3;sndbuf 524288;rcvbuf 524288

    It's SHA512. I am not sure if it's HMAC.



  • @Finger79:

    @lovan6:

    I followed your suggestions on the NAT outbound.

    Dude, you're tweaking mah OCD.  :P  I'd edit your Descriptions for sanity purposes as in my screenshot.  Just two edits.  "LAN to ExpressVPN" and "localhost to ExpressVPN"

    My apologies to you. I am thinking of taking some Xanax with this pfSense ordeal.

    Anyway I am attaching some desktop screenshots.

    ![Screen Shot 2017-11-26 at 4.18.42 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 4.18.42 PM.png)
    ![Screen Shot 2017-11-26 at 4.24.46 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 4.24.46 PM.png)
    ![Screen Shot 2017-11-26 at 4.15.33 PM.png](/public/imported_attachments/1/Screen Shot 2017-11-26 at 4.15.33 PM.png)



  • I was finally able to solve my pfSense ordeal. It took me 15 hours to figure everything out. Geolocation blocking is finally fixed. Netflix and Hulu are working, but at the moment I cannot get access to the Amazon website on OpenVPN.

    I would like to thank Finger79 and kenjianshi for their resolute support.

    I will post some instructions later in the day, once I resolve the Amazon DNS problem.



  • Yes, it is very odd that Netflix would work but not Amazon.  It's probably a simple fix.  We can see after you post your final configuration.

    This could be a DNS issue.  You might want to find out if your VPN provider has their own dedicated reliable DNS IP and use that.

    The problem I have with 8.8.8.8 and 8.8.4.4 is those can connect you to many different servers depending on your location.

    On my laptop, off the VPN from Manila, when I ping 8.8.8.8 it's 30 ms.

    When on my VPN, I use my remote pfSense LAN IP as my DNS server IP.  When I ping that IP, it shows about 250 ms.  Far away, as it should be.

    When I ping 8.8.8.8 in the VPN, again over 250 ms.  So, it is being tunneled properly.

    We might want to do that test with you to be sure that the DNS servers you are connecting to are physically in the USA and not close by.

    Could be something else though.  Not sure.  It's strange.
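The latency check kejianshi describes above, as an added example that is not part of the thread: it averages the `time=` fields of ping output (constructed samples, with 192.0.2.1 standing in for the remote pfSense LAN address) and reports whether the in-VPN RTT to the DNS server is closer to the VPN gateway's RTT, as expected when queries are tunneled, or closer to the direct off-VPN RTT, which points at queries leaving outside the tunnel. The "closest RTT wins" rule is an assumption of this example, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the ping-latency sanity check for DNS
# tunneling. Off the VPN a nearby resolver answers fast; inside a properly
# tunneled VPN its RTT should rise to roughly the RTT of the remote VPN
# gateway. A DNS RTT that stays near the direct value suggests the queries
# are leaving outside the tunnel.

# Average the "time=" fields of ping output read from stdin (ms, one decimal).
ping_avg_rtt() {
    awk -F'time=' '
        /time=/ { split($2, f, " "); sum += f[1]; n++ }
        END     { if (n) printf "%.1f\n", sum / n; else print "NA" }'
}

# Decide which path the measured in-VPN DNS RTT is closer to (assumed rule).
# Args: <dns_rtt_in_vpn> <vpn_gateway_rtt> <dns_rtt_direct>
# Prints "tunneled" when closer to the gateway RTT, else "not-tunneled".
dns_path_verdict() {
    awk -v dns="$1" -v gw="$2" -v direct="$3" 'BEGIN {
        d_gw  = dns - gw;     if (d_gw  < 0) d_gw  = -d_gw
        d_dir = dns - direct; if (d_dir < 0) d_dir = -d_dir
        verdict = (d_gw <= d_dir) ? "tunneled" : "not-tunneled"
        print verdict
    }'
}

# Constructed sample output; a real run would pipe `ping -c 3 8.8.8.8` instead.
# Off the VPN: 8.8.8.8 answers from a nearby anycast node.
PING_DIRECT='PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=29.8 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=30.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=30.1 ms'

# Inside the VPN: RTT to the remote pfSense LAN address (placeholder 192.0.2.1).
PING_GATEWAY_VPN='PING 192.0.2.1 (192.0.2.1): 56 data bytes
64 bytes from 192.0.2.1: icmp_seq=0 ttl=63 time=249.0 ms
64 bytes from 192.0.2.1: icmp_seq=1 ttl=63 time=250.5 ms
64 bytes from 192.0.2.1: icmp_seq=2 ttl=63 time=251.5 ms'

# Inside the VPN, healthy case: 8.8.8.8 now takes the long way round.
PING_DNS_VPN='PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=248.5 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=251.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=250.3 ms'

# Inside the VPN, leaking case: 8.8.8.8 still answers in about 30 ms.
PING_DNS_LEAK='PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=31.0 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=29.6 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=30.3 ms'

# Compare one in-VPN DNS ping sample against the two references; print the verdict.
check_dns_path() {
    direct=$(printf '%s\n' "$PING_DIRECT" | ping_avg_rtt)
    gw=$(printf '%s\n' "$PING_GATEWAY_VPN" | ping_avg_rtt)
    dns=$(printf '%s\n' "$1" | ping_avg_rtt)
    dns_path_verdict "$dns" "$gw" "$direct"
}

echo "healthy sample: $(check_dns_path "$PING_DNS_VPN")"   # tunneled
echo "leaking sample: $(check_dns_path "$PING_DNS_LEAK")"  # not-tunneled
```

To use it on a live box, capture the three pings (one from outside the VPN, two from inside) into the variables instead of the constructed text; the comparison itself does not change.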



  • I have a question because I have the same dilemma. If I am using 3 OpenVPN connections for my Outgoing DNS Resolver settings I would select all 3 for the Outgoing Interfaces.  But, when Unbound is doing the resolving will it send a query out to all 3 Interfaces or only 1?

    I also have a Gateway Group that is set up for fail-over purposes for the OpenVPN; not sure if that matters as to whether or not Unbound will send a query to all interfaces or just the one that traffic is supposed to be going out at that time.



  • You can check your ExpressVPN IP and DNS here: https://www.expressvpn.com/dns-leak-test



  • @kejianshi:

    Yes, it is very odd that Netflix would work but not Amazon.  It's probably a simple fix.  We can see after you post your final configuration.

    This could be a DNS issue.  You might want to find out if your VPN provider has their own dedicated reliable DNS IP and use that.

    The problem I have with 8.8.8.8 and 8.8.4.4 is those can connect you to many different servers depending on your location.

    On my laptop, off the VPN from Manila, when I ping 8.8.8.8 it's 30 ms.

    When on my VPN, I use my remote pfSense LAN IP as my DNS server IP.  When I ping that IP, it shows about 250 ms.  Far away, as it should be.

    When I ping 8.8.8.8 in the VPN, again over 250 ms.  So, it is being tunneled properly.

    We might want to do that test with you to be sure that the DNS servers you are connecting to are physically in the USA and not close by.

    Could be something else though.  Not sure.  It's strange.

    I talked to my local ISP and bought their decommissioned DNS server ($$$$) on the condition that I have a dedicated US DNS connection.

