Skip rules when gateway is down not working
-
I have set Quad 9 & the Mullvad VPN DNS server in piHole.
As long as the VPN gateway is available, I want to block all traffic going to Quad 9 to force piHole to use the Mullvad VPN. When the gateway goes offline, piHole should be allowed to use the other server as well.
I tried these simplified firewall rules:
PASS pihole -> mullvad VIA vpn gateway
BLOCK pihole -> any VIA vpn gateway
PASS pihole -> any VIA any
- checking "Skip rules when gateway is down" under System -> Advanced -> Misc
The idea is that all non mullvad DNS server traffic matches the BLOCK rule when the gateway is online. As soon as it's offline, the "Skip rules when gateway is down" setting should ignore the first PASS and BLOCK rule and reach the PASS pihole -> any rule.
What actually happens though is that the BLOCK rule still applies, even when the gateway shows "Offline Packetloss".
Any ideas would be much appreciated!
-
@joggler10
Seems to be a complicated approach to me.
I would do it with a gateway group instead. Create a gateway group, add the VPN as Tier 1 and the WAN gateway as Tier 2.
Then select this gateway group in the pass rule for the pihole.
-
@viragomann Thank you very much for the idea!
I think this wouldn't get me the desired outcome though, would it?
It's not really about via which interface the DNS traffic leaves, it's about which IP piHole is allowed to use, because I can't set a priority of DNS servers there. So when I set Quad 9 and the Mullvad VPN DNS Server, Quad 9 usually wins because it has the least latency.
That's why I want to force piHole to use the Mullvad VPN DNS as upstream server, but as a fallback, when the VPN goes down, it should still use Quad 9. I think I can only accomplish this with FW rules, or I misunderstood your suggestion...
-
@joggler10
I think I misunderstood your intention. So you want the pihole to use Mullvad if the vpn is connected and use any DNS if the vpn is down, right?
-
@viragomann Yes, exactly!
Just as a fallback mechanism in case I'm not home to fix it, so my girlfriend doesn't get mad :D That's why I went with this firewall rule approach, but it seems to me as if there is a bug in pfsense?
-
@joggler10
Do you access the DNS servers via DoT / DoH or unencrypted? If it's unencrypted you can simply redirect the traffic. With DoT that's not possible.
-
@viragomann currently pihole accesses DNS unencrypted.
What do you mean - redirect which traffic where? EDIT: I think I know what you mean - create a NAT Port forwarding rule that intercepts DNS traffic and forwards it to my desired server, right?
In that case, how would this rule then get disabled if my VPN gateway goes down? The VPN DNS Server is only reachable with an active VPN.
-
@joggler10
Yes, but I got the idea that this would not work properly. If you NAT DNS to Mullvad, no other DNS can be used anymore. But I think it could work this way:
Remove the check at "Skip rules when gateway is down". Add a rule
pass pihole > any DNS VIA vpn gateway
Add a floating rule to the vpn interface:
block Quick any DNS except Mullvad
-
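As an added illustration (not from this thread and not the ruleset pfSense itself generates), here are the two rules from the suggestion above written in raw pf syntax; the addresses and interface names are assumed placeholders:

```pf
# Assumed placeholder values, replace with your own
pihole      = "192.168.1.10"   # Pi-hole host on the LAN
mullvad_dns = "10.64.0.1"      # Mullvad DNS, only reachable inside the tunnel
vpn_if      = "ovpnc1"         # OpenVPN client interface on pfSense
vpn_gw      = "10.64.0.1"      # gateway address of the VPN interface
lan_if      = "igb1"           # LAN interface

# Floating rule (pfSense evaluates floating rules before interface rules):
# on the tunnel interface, only DNS destined for Mullvad may leave.
# "quick" ends rule evaluation on the first match.
block out quick on $vpn_if proto { tcp udp } from $pihole to ! $mullvad_dns port 53

# LAN rule: policy-route the Pi-hole's DNS queries to the VPN gateway.
# With "Skip rules when gateway is down" unchecked, pfSense keeps the rule
# but drops the route-to part while the gateway is down, so the queries
# still pass and follow the default route (WAN), where the floating block
# on $vpn_if does not apply. Quad 9 then works as the fallback.
pass in quick on $lan_if route-to ( $vpn_if $vpn_gw ) proto { tcp udp } from $pihole to any port 53 keep state
```

While the tunnel is up, Pi-hole's queries to Quad 9 are routed into the tunnel and hit the floating block, so only Mullvad answers; Pi-hole's own server selection then settles on the server that still responds.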
@viragomann
I think that does the trick! Thank you for your input! And if somebody else reads this - I think it's still a bug though that the "Skip rule when gateway is down" option doesn't work as expected... Maybe somebody can reproduce this?