Netgate Discussion Forum

    How to have 3 dns resolutions: 1. local 2. vpn 3. smart dns proxy

    Category: DHCP and DNS
    6 Posts 3 Posters 1.1k Views
    • candybars (Banned)

      config-pfSense.localdomain-20200728221857.xml

      I am trying this user group as a sort of last resort. I have no background, but I was able to set up a gateway with one local interface, 3 VPN interfaces (subnets too), and one for Smart DNS Proxy:
      The local one should resolve directly from 1.1.1.1 (a leak test would show my local IP).
      The VPNs should use OpenVPN (a leak test would show the destination, I am assuming).
      Smart DNS Proxy: for this service, which masks your identity and routes you based on the destination without changing your IP, their DNS must be exposed directly; no resolver or forwarder can be applied here.

      Each has its own interface.

      I was able to build it all myself with great strides, but the DNSes are ruining everything. Netgate isn't solving this, for too long now; I won't add what else, but I'm really so frustrated.

      There are guides that get one part right, like this one that gets the VPN not to leak: https://support.nordvpn.com/Connectivity/Router/1089079142/pfSense-2-4-4-setup-with-NordVPN.htm
      But I am not an enterprise, I'm a home user, and I really could use advice on how to simply have the VPN show one US address (they have it showing 13 hops); my local is resolving based on the basic setup, and I don't have any idea how to make Smart DNS Proxy not use the resolver or forwarder and show that it is working. Overriding on the end device does nothing.

      Now Netgate has added what I think are unnecessary rules that made things just worse than before. I have some status reports and a version from before the latest changes. If anyone would be willing to look and advise, I'd be grateful; I'm kind of lost. The files are not the latest, but this is what fits here: status_output-3.tar

      • netblues @candybars

        @candybars It is not clear what you are trying to achieve.
        DNS leakage is just a security thing; hiding your real IP through a VPN is a networking thing.
        Apart from that, DNS selection is absolutely client-based.
        Try to break up what you want to do into phases and isolate problems.
        The NordVPN "how to" isn't going to get you anywhere, since it is a crude implementation to route everything through there.

        Make a diagram of your network, and post focused details of each issue so we can help.

        • Bob.Dig (LAYER 8)

          I think I get it, and there is no solution I am aware of, because DNS is centralized in pfSense and isn't aware of the use of VPNs, and therefore there is no really good DNS-leak protection.

          • candybars (Banned) @netblues

            @netblues
            Thanks for the kind replies. I built the entire gateway myself with zero knowledge but actually paid for a service contract with Netgate to resolve the DNS issue. Unfortunately, the time I spent on the phone testing it with them all the time was very rudely used against me as breaching the "email" support agreement, with accusations that I am breaking my own firewall on purpose just to cover for the fact that they don't really seem to understand how their platform works. pfSense aims with the resolver to get the best speed and hide the router, but it creates havoc.

            I'll send screenshots; perhaps you'll be able to give me some ideas. I've had two LG OLED TVs permanently blacklisted because of such issues I didn't even imagine.

            I really hope you can help me. Basically, I want each subnet to function just like a 20-dollar used router would when you put in DNS. There are 3 scenarios, but before the description you asked for, forgive me, as I'm not anywhere related to tech. When I mention the guides, it is because unfortunately I've seen results that aren't replicated now after the changes, and because, if I am not mistaken, the NordVPN one does not have a local LAN, while the other one I think does something a bit different using the forwarder; I just don't remember, but it wasn't the perfect result either.

            There are 6 interfaces, WAN plus 5 LAN, each linked to a /24 subnet with its own DHCP server. Each interface is also its own NIC, so there was no need for VLANs. They are LAN through LAN4.
            They go as follows:

            1. Local: this works without a leak locally. I have 1.1.1.1 in the basic config; this one just resolves locally, and the leak test comes out OK, showing my client IP.

            2, 3, 4 are 4 networks with OpenVPN clients on each of them. I will attach screenshots, but you will see there is a LAN out to connect with LAN ports, but each has just one WAN gateway. I don't know how my Linksys E1200 does it, but if I put in a DNS forwarder IP (I think that is what you call the OpenVPN DNS, and that is what I use; not sure, but I think essentially it's the same as Google or 1.1.1.1). My goal was that the DNS server would resolve at the end of the tunnel; otherwise all kinds of hops along the way would show up, and the resolver was first supposed to do it, except it didn't show one US IP (I'm halfway around the world) but would show 13. The ______ (fill in with your favorite derogatory word for someone that screws up and blames you) did something similar to what I did and moved it to the firewall rules, so now the end device gets the OpenVPN IP directly instead of the 192.168.x.1, but still 13 hops. In fact, overrides that are local never work. Most things I need the VPN for call this a bluff and don't buy the fact that you need 13 hops from your ISP to your home, not even 2. I need this to show one DNS address. Now I ask you, based on the photos I am going to attach that show he is also blocking any further traffic to the ports, how does this happen and how to get rid of it? I don't know: is there a DNS for the actual NordVPN server in that location, or perhaps using Nord, but still these hops are too weird.

            1. That is a LAN that is supposed to use Smart DNS Proxy, which hides your identity without changing your IP, and it does work with a lot of devices and software (sometimes it requires adding static routes). Basically it masks your identity and can send you to New York to watch HBO or to London for BBC and much more. It's far better than a VPN when it works, because you can stay in the same network (think voice assistant features that you can't use with a VPN, the same one). There is also a way to put Smart DNS on top of a VPN as the DNS server there, but I am not even asking for that. For Smart DNS Proxy to work, there must be no forwarding and no resolving at all; it must be visible to the Smart DNS service, and it's not enough that he put it in the firewall and that it also shows up in the end device; it still does not work. A simple router DNS setting takes care of that. I am really hoping for some ideas; I think the resolver is the problem and still must be eliminated. Somehow, if you add the DNS to the DHCP of the interface as a DHCP-specific DNS and click that checkmark in the general settings that allows override, it still doesn't work; it again shows up in the end device, like now, but nothing.

            I spent a fortune on this for a fast VPN (only to find out that commercial services don't give out the private key, so no IPsec), then their service agreement just for the DNS, and getting hammered, and they are very slow and lack motivation after they get paid, so I hope to get real help from someone who will maybe agree to figure out the trick in the guides and how it can be utilized again, or something else, even if it requires more equipment or committing murder against a resolver. I am attaching some screenshots. The result, by the way, for the third interface is that it does not work at all. A correction: the VPNs are also in the DHCP. I am attaching screenshots, but if NordVPN works for this VPN, what if I put 1.1.1.1 there, or at least apply it not to the LAN, which is easiest, just get the ISP IP, apply it to the VPNs, then figure out what to do with Smart DNS? What about putting it in comaivs, where the resolver does not apply? I'm not sure how that interface is supposed to work at all, but the rules they added make it so there is no internet on that interface. Oh, and I see that he tried to use the forwarder for the Smart DNS, where on LAN4 there is no internet, and I'm not sure where to find that file. I am sending the changes they made. It seems a waste: the resolver for the local LAN, where it was used in the Nord guide effectively, perhaps it should be the solution for the VPN interfaces, the local if it can be released from all of this system, and also the Smart DNS. I hope you have ideas, because they aren't even checking now that theirs works. You see, I spent countless hours on the phone troubleshooting for them; now they accuse me of using phone support. At this rate and with this very poor ability (first change in a week they've had it), I don't know what to expect there. In the link you will find screenshots, the status report, and the email with the changes they made. I appreciate all of your help.

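The point Bob.Dig makes (DNS is centralized in pfSense) and the three scenarios described in the long post above can both be checked against the config backup mentioned at the top of the thread. The script below is an added example, not code from the thread, from pfSense or from Netgate: it reads a pfSense config.xml and reports, for every DHCP-serving interface, which DNS servers clients are handed and whether the firewall's own Unbound resolver is the one that will answer them, in which case the query leaves through Unbound's outgoing interface rather than that segment's gateway. The element paths it uses (`interfaces/<if>/ipaddr`, `dhcpd/<if>/dnsserver`, `unbound/enable`, `unbound/active_interface`, `unbound/outgoing_interface`, `system/dnsserver`), the meaning of an empty interface list as "all", and the default of handing out the firewall's own address when no DHCP DNS server is set are assumptions drawn from pfSense 2.4-era backups; verify them against your own file. The sample config is constructed for the example, and 203.0.113.53 is a documentation-range placeholder standing in for a Smart DNS Proxy server.

```python
"""Audit where each pfSense LAN segment's DNS queries really go.

Added example for this thread, not pfSense's or Netgate's own code. It reads
a pfSense config.xml backup and, per DHCP-serving interface, reports which
DNS servers clients receive and whether the firewall's own Unbound resolver
answers them. Assumptions (verify against your own backup): element paths
interfaces/<if>/ipaddr, dhcpd/<if>/dnsserver, unbound/enable,
unbound/active_interface, unbound/outgoing_interface, system/dnsserver; an
empty active_interface/outgoing_interface means 'all'; and DHCP hands out the
firewall's own address when no DNS server is set and the resolver is on.
"""
import xml.etree.ElementTree as ET

# Constructed sample config mirroring the thread: lan = local (1.1.1.1),
# opt1 = a VPN LAN with no DHCP DNS set, opt4 = the Smart DNS Proxy LAN.
# 203.0.113.53 is a documentation-range placeholder for the Smart DNS server.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>1.1.1.1</dnsserver>
  </system>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><ipaddr>192.168.1.1</ipaddr><descr>LOCAL</descr></lan>
    <opt1><if>igb2</if><ipaddr>192.168.2.1</ipaddr><descr>VPN1</descr></opt1>
    <opt4><if>igb5</if><ipaddr>192.168.5.1</ipaddr><descr>SMARTDNS</descr></opt4>
  </interfaces>
  <dhcpd>
    <lan><enable/><dnsserver>1.1.1.1</dnsserver></lan>
    <opt1><enable/></opt1>
    <opt4><enable/><dnsserver>203.0.113.53</dnsserver></opt4>
  </dhcpd>
  <unbound>
    <enable/>
    <active_interface></active_interface>
    <outgoing_interface>wan</outgoing_interface>
  </unbound>
</pfsense>
"""


def _text(el, path, default=""):
    """Stripped text of a child element, or default when absent or empty."""
    node = el.find(path) if el is not None else None
    return (node.text or "").strip() if node is not None else default


def audit_dns(xml_text):
    """Return one dict per enabled DHCP scope: the DNS servers clients get,
    the servers that actually answer, and whether that is the firewall."""
    root = ET.fromstring(xml_text)
    unbound = root.find("unbound")
    unbound_on = unbound is not None and unbound.find("enable") is not None
    active = _text(unbound, "active_interface") if unbound_on else ""
    # Unbound answers on every interface unless an explicit list is configured.
    listens_on = None if active in ("", "all") else set(active.split(","))
    outgoing = (_text(unbound, "outgoing_interface") if unbound_on else "") or "all"
    system_dns = [e.text.strip() for e in root.findall("system/dnsserver") if e.text]

    report = []
    dhcpd = root.find("dhcpd")
    for scope in (dhcpd if dhcpd is not None else []):
        if scope.find("enable") is None:
            continue
        name = scope.tag
        fw_ip = _text(root, f"interfaces/{name}/ipaddr")
        handed_out = [e.text.strip() for e in scope.findall("dnsserver") if e.text]
        # No explicit DNS in the scope: pfSense hands out its own interface
        # address when the resolver is enabled, otherwise the system servers.
        effective = handed_out or ([fw_ip] if unbound_on else system_dns)
        firewall_answers = (unbound_on and fw_ip in effective
                            and (listens_on is None or name in listens_on))
        if firewall_answers:
            mode = "centralized"
            note = (f"clients resolve via the firewall; Unbound recurses out of "
                    f"'{outgoing}', not this interface's gateway, so a leak test "
                    f"shows that path rather than the tunnel")
        elif fw_ip in effective:
            mode = "broken"
            note = ("clients are handed the firewall's address but no resolver "
                    "listens there; set an external DNS server in this scope")
        else:
            mode = "direct"
            note = ("clients query the handed-out servers themselves; add a port-53 "
                    "redirect and a policy route on this interface so nothing "
                    "bypasses them and the query leaves by the intended gateway")
        report.append({
            "interface": name,
            "descr": _text(root, f"interfaces/{name}/descr"),
            "firewall_ip": fw_ip,
            "dhcp_dns": handed_out,
            "effective_dns": effective,
            "mode": mode,
            "unbound_outgoing": outgoing if firewall_answers else None,
            "note": note,
        })
    return report


if __name__ == "__main__":
    for row in audit_dns(SAMPLE_CONFIG):
        print(f"{row['interface']:5} {row['descr']:9} {row['mode']:12} "
              f"{','.join(row['effective_dns'])}: {row['note']}")
```

Run it on the real backup with `audit_dns(open("config.xml").read())`. Rows reported as centralized are the segments where a leak test will show whatever path Unbound's outgoing interface takes, which is the behaviour the thread complains about. For a segment that must use a specific server (the VPN provider's resolver inside the tunnel, or the Smart DNS Proxy server), the usual pfSense approach is to hand that server out in the interface's DHCP scope, add a port-forward rule on that interface redirecting destination port 53 to it so clients with hard-coded DNS cannot bypass it, and set the VPN gateway on that interface's pass rule so the query is policy-routed into the tunnel; Unbound can then be restricted to the local LAN only via its network interface setting.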
            • candybars (Banned) @candybars

              @candybars
              https://drive.google.com/drive/folders/1m-Zrymij36NIQkDO_lMzRc9bC7Ju5P2k?usp=sharing

              • candybars (Banned) @Bob.Dig

                I found some posts that, honestly, are too professional for me to understand: one on how to still use something more comprehensive and lose the leak, the other specifically on Smart DNS.
                I can do guides like the Nord one, but this and combining them is a bit too much. If anyone is willing to peek and help incorporate this, I'd be more than grateful.

                https://airvpn.org/forums/topic/27460-opinion-best-solution-against-dns-leak-on-pfsense/

                https://www.reddit.com/r/PFSENSE/comments/8umvfw/dns_resolver_and_smart_dns/

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.