[noob question] pfSense as a OpenVPN client for selected devices
-
@draghmar
Maybe there is another rule matching the DNS traffic before it. Floating rule? Enable logging in the rule to investigate.
-
@viragomann Hm...I checked
Log packets that are handled by this rule
but I don't see anything in System logs -> Firewall
popping up when browsing websites from the device I'm testing from. And I don't have any other DNS-related rule, just those two. I have a fairly simple network here. No floating or anything fancy like that ;) -
@draghmar
Do you consider the possibility that the client may use DoH?
So what about its HTTPS traffic? -
@viragomann I'm testing from Firefox on Win 10 with DoH disabled and DNS servers set to the router IP.
What about HTTPS traffic? -
@draghmar
When using DoH the DNS traffic goes over the HTTPS protocol. I've never seen your rule set, so I cannot say if the rules are ok.
But for testing, direct the whole upstream traffic from the 'VPN clients' to the VPN server.
Verify that the policy routing rule matches. -
@viragomann Those are my NAT and rules:
Like I said - nothing complicated. ;) There are some NATs for the web server and such. But that's it. The only additional things are the rules for OpenVPN and for the VPN interface. And those are the ones we've discussed in this thread. How can I direct it like you said? I thought I already did: I force every device that should go through the VPN to the VPN server. The rule for that is visible on the list above.
Is there a way to make some artificial connection to the DNS server so that I could be sure the flow is correct? I mean something like trying to connect to the DNS IP on the DNS port. I'm thinking that I could try to connect to the router IP this way to check whether it's redirected. I'd like to eliminate other factors this way, because the only way I know to test this is to simply hit some URL from the specified device...
-
@draghmar
You must not set a source port in the DNS rule, it has to be any. -
@viragomann Yup, that was it! Thanks! Now everything seems to work as it should. :D
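For readers who hit the same symptom, here is an added example (not code from the thread or from pfSense) that models pfSense interface-rule matching to show why a LAN rule with a *source* port of 53 never matches a client's DNS query, and why the corrected rule with source port "any" does. The subnet 192.168.1.0/24, the router address 192.168.1.1, the gateway name OPENVPN_GW and the rule names are constructed assumptions, not the poster's configuration. It also includes a minimal DNS query builder for the "artificial connection" the poster asked about, so a probe can be sent from a chosen source port and located in the firewall log by its exact 5-tuple.

```python
"""Added example, not from the thread: a small model of pfSense interface-rule
matching that shows why a LAN rule with *source* port 53 never matches a
client's DNS query, and how the corrected rule (source port "any") does.
Addresses, gateway name and the rule list are constructed assumptions.
"""
import ipaddress
import random
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str              # "udp", "tcp" or "any"
    src_net: str            # CIDR of the matching source (e.g. the VPN-clients alias)
    sport: Optional[int]    # None = "any" (what a DNS rule must use)
    dst_net: str            # CIDR or "any"
    dport: Optional[int]    # None = "any"
    gateway: str            # "default" or a policy-routing gateway name


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Field-by-field check as a stateful firewall does on the first packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if rule.dst_net != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pfSense interface rules are evaluated top to bottom; the first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


LAN = "192.168.1.0/24"        # constructed LAN
ROUTER = "192.168.1.1/32"     # constructed pfSense LAN address (also the resolver)

# The layout the thread describes: a DNS rule above a catch-all that
# policy-routes the selected clients into the OpenVPN gateway.
BROKEN_RULES = [
    Rule("DNS to router (src port 53)", "udp", LAN, 53, ROUTER, 53, "default"),
    Rule("VPN clients -> VPN gateway", "any", LAN, None, "any", None, "OPENVPN_GW"),
]
FIXED_RULES = [
    Rule("DNS to router (src port any)", "udp", LAN, None, ROUTER, 53, "default"),
    Rule("VPN clients -> VPN gateway", "any", LAN, None, "any", None, "OPENVPN_GW"),
]


def dns_query_packet(client: str, resolver: str, sport: Optional[int] = None) -> Packet:
    """A client's DNS query: destination port 53, source port ephemeral."""
    if sport is None:
        sport = random.randint(49152, 65535)  # typical OS ephemeral range
    return Packet("udp", client, sport, resolver, 53)


def matched_rule_name(rules: List[Rule], pkt: Packet) -> str:
    rule = first_match(rules, pkt)
    return rule.name if rule else "no match (implicit deny)"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A-record query in DNS wire format, for an 'artificial' test probe."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def send_probe(resolver: str, name: str, sport: int) -> bytes:
    """Send one query from a chosen source port so the firewall log shows the
    exact 5-tuple. Needs network access; not used by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.bind(("", sport))
        s.sendto(build_dns_query(name), (resolver, 53))
        return s.recv(512)


if __name__ == "__main__":
    probe = dns_query_packet("192.168.1.50", "192.168.1.1", sport=51234)
    print("broken rule set:", matched_rule_name(BROKEN_RULES, probe))
    print("fixed rule set: ", matched_rule_name(FIXED_RULES, probe))
```

With the broken rule set the query falls through to the catch-all and is policy-routed into the tunnel, which is why the DNS rule's logging showed nothing. For a real probe without any code, `dig @192.168.1.1 example.com` from the test device produces the same kind of packet; the firewall log entry for the DNS rule should then show a high-numbered source port and destination port 53.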