some websites are being blocked, not sure what i got misconfigured
-
Yeah I would expect to need both those servers set via the VPN WAN. They are probably only accessible over the VPN.
Are you passing DNS servers to the internal clients specifically via DHCP? By default the pfSense interface IP is sent so clients would use Unbound in pfSense. But that means if pfSense can resolve elegoo.com then clients using it should. So the fact they cannot implies something is different.
The fact canadacomputers.com doesn't respond to ping is not an error. It should still respond to http/s.
This is probably failing because DNS requests are leaving over the VPN and https requests are not, resulting in a mismatch. The same reason Netflix fails when requests don't match the DNS server locations.
When you use only the VPN provider's DNS servers all traffic has to use the VPN to prevent that mismatch.
-
@stephenw10 so
under the dhcp server lan i point the gateway and dns to 192.168.0.1 and then the route policy bypass you or john told me to setup was to be able to get the vpn and wans to work properly a while back
ya like in the tutorial for nordvpn they set up 2 dns servers under general setup, 1 they set to the nordvpn openvpn connection and they set the other one to none
now i dont know why you set it to none??? but you do... i have tried putting that dns for the PPPoE wan port but that didnt help... and if i set it to 1.1.1.1 then it makes my nordvpn unsecure, leaking, so it defeats the purpose of the vpn
but ya i set it to 192.168.0.1 and the only thing thats different is the host override where it points to 192.168.0.32 which is my lancache and that just goes out 1.1.1.1 and i tried my dns but that didnt solve the 2 websites and im sure its not only these 2 websites ...
so can it be fixed you think? or what not, or is there another page in pfsense i can screenshot for ya
its probably 1 little thing that is conflicting thats screwing it up for everybody as it goes lol
-
or would the best be, which i havent finished, i did a Vlan DMZ
so LAN be VPN and DMZ would be the WAN
would that solve the issues instead of that route policy bypass and the dns issue im having
where the vpn be secure and the dmz would be the gaming computer would be on the wan still point to 192.168.0.1 so that the lancache would still work but would go out the wan no issues
or would i still be running into issues?
-
and like now the
elegoo.com works on the WAN PC but the canada computers website doesnt
but both are working now on the VPN its very strange... and i havent touched anything on pfsense i just been letting it idle from your last reply
does that mean anything?
-
and now the WAN computer the elegoo webpage doesnt work like its something thats turning on and off thats making it work and then not work...
like how come not all websites just dont fail... or all work i know you mentioned about netflix but like the issue im having its up and then its down like frig it needs a kick in the butt lol
-
Try setting external DNS servers manually on a client that's using the WAN directly and retest. So maybe use 8.8.8.8/8.8.4.4.
If the Lancache server is already set manually to use 1.1.1.1 try to connect from there.
This is almost certainly a DNS issue IMO.
The only other thing it could really be is some sort of MTU problem but that would only likely apply when connecting via the VPN.
-
@stephenw10
so setting to 8.8.8.8 8.8.4.4 and connecting to elegoo and canada computers both works fine.. on the WAN PC no issues. i tried setting the WAN PC to 192.168.0.33 which is the lancache DNS server for the lancache server at 192.168.0.32
both are currently working that way too.. but at 192.168.0.1 nope, fails on both: elegoo works for a few minutes but fails after a bit and canada computers doesnt wanna work period
-
Ok it sounds like something is filtering that in Unbound then. Pretty much has to be DNS-BL in pfBlocker.
-
@stephenw10 here is the screenshots of the dns bl
and ill try disabling the pfblocker to see if that will fix it?
-
so disabling pfblocker and letting it sit 10 minutes the WAN computer still can not access either of the 2 websites... still cant ping them or go to the webpage
-
Can pfSense resolve both URLs correctly?
canadacomputers.com does not respond to ping so that will always fail. You need to try a TCP test on port 443. You can do that in pfSense using Diag > Test Port.
Or from a client using curl or telnet like:
steve@steve-NUC9i9QNX:~$ telnet canadacomputers.com 443
Trying 52.233.38.251...
Connected to canadacomputers.com.
-
@stephenw10
so on the wan computer
canada computers site will not work in the browser.... now the elegoo website it wont work then it will at the moment, say maybe a min or 2, part of the website works then it goes to page cant be found or what not... then might come back.. same like i mentioned if i reboot pfsense typically both sites work then they stop working within 5 min or canada computer site wont work period but the elegoo will work for about 5 min after a pfsense reboot but then goes down
-
Ok check the states when that is failing. Is it sending traffic out of the WAN correctly?
-
@stephenw10 here is the states for the canada computers when it fails... i tried to find the ip for the elegoo.com website but i couldnt find it so i couldnt do a screenshot
-
Hmm, I note canadacomputers.com resolves to a completely different IP address for me. Does it resolve to that against 8.8.8.8 for example?
If not then there's something odd with the VPN DNS servers I'd suggest.
steve@steve-NUC9i9QNX:~$ dig +short @103.86.99.100 canadacomputers.com
52.233.38.251
steve@steve-NUC9i9QNX:~$ dig +short @103.86.96.100 canadacomputers.com
52.233.38.251
steve@steve-NUC9i9QNX:~$ dig +short @8.8.8.8 canadacomputers.com
52.233.38.251
-
@stephenw10 so i got
-
Hmm, that non-responding server, is that the one set without a specific gateway?
None are returning that 198 IP address though. That was what the client resolved?
-
@stephenw10 the none under general setup where i have it set to none for that one thats not showing a result
and ya on the wan client computer id get the 198.x.x ip but isnt that the range of the 192 for private networks i forget now
and how its all setup is
the dns resolver is set for nordvpn
all ips use 192.168.0.1 as the the dns and gateway ip
the 192.168.0.32 is for the host override to point to for those lancache
i do use Avahi service to access my other networks to help with Home assistant it just helped
oh also i found the reddit website doesnt work on the wan client too... i figured it was my site to site openvpn connection connecting to my sisters lan always.. was the issue but disabling it and letting it sit 15 min didnt solve that issue either
so something conflicting
but if i add 1.1.1.1 wan PPPoE under general setup it makes things work but it defeats the purpose of my vpn as it makes it unsecure. its too bad you cant block the wan gateway going on the vpn side... it just leaks over or what not
-
That 198.18.1.187 IP is a public address but it's unclear where it's coming from. Just Googling it shows that subnet is used by some services to speed up connections where DNS resolution fails.
You have anything running on the test host locally that filters DNS? Antivirus program? Browser extensions etc?
-
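An added check (my own code, not stephenw10's and not part of pfSense) for the comparison done in this thread: feed it `dig +short` answers from several resolvers and it reports which resolvers disagree with the majority, which returned nothing, and which hand back addresses in reserved ranges such as 198.18.0.0/15 (the RFC 2544 benchmarking range, where that 198.18.1.187 answer sits). The resolver answers below are constructed to mirror the thread, not captured output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample answers per resolver (`dig +short` style), modelled on the
# thread: the NordVPN and Google resolvers agree, the WAN client's 192.168.0.1
# answer is a 198.18.x address, and one resolver times out. Not captured data.
SAMPLE_ANSWERS = {
    "103.86.99.100": ["52.233.38.251"],  # NordVPN DNS, as queried in the thread
    "103.86.96.100": ["52.233.38.251"],
    "8.8.8.8": ["52.233.38.251"],
    "192.168.0.1": ["198.18.1.187"],     # pfSense Unbound as seen by the WAN PC
    "1.1.1.1": [],                       # constructed: no answer (timeout)
}

# A public website should never resolve into these ranges. 198.18.0.0/15 is the
# RFC 2544 benchmarking range; the rest are private/loopback/"this network".
SUSPECT_RANGES = [ipaddress.ip_network(n) for n in (
    "198.18.0.0/15", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8",
)]

def classify_answer(addr):
    """Return the suspect range (as a string) an address falls in, else None."""
    ip = ipaddress.ip_address(addr)
    for net in SUSPECT_RANGES:
        if ip in net:
            return str(net)
    return None

def compare_resolvers(answers):
    """Group resolvers by the answer set they returned and flag anomalies.
    Returns a dict with: consensus (answer set most resolvers agree on),
    disagree (resolvers returning something else), no_answer (empty
    answers), suspect ({resolver: [(address, range)]} for flagged answers).
    """
    groups, no_answer, suspect = defaultdict(list), [], {}
    for resolver, addrs in answers.items():
        if not addrs:
            no_answer.append(resolver)
            continue
        groups[tuple(sorted(addrs))].append(resolver)
        flagged = [(a, classify_answer(a)) for a in addrs if classify_answer(a)]
        if flagged:
            suspect[resolver] = flagged
    consensus = max(groups, key=lambda k: len(groups[k])) if groups else ()
    disagree = [r for k, rs in groups.items() if k != consensus for r in rs]
    return {"consensus": list(consensus), "disagree": sorted(disagree),
            "no_answer": sorted(no_answer), "suspect": suspect}
```

Run `compare_resolvers(SAMPLE_ANSWERS)` to see the WAN client's resolver singled out as both disagreeing with the others and returning a reserved-range address; swap in your own dig output to test a real setup.
-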
@stephenw10 if you mean test host like the Wan PC which is my gaming pc
no no dns filtering or extensions i really dont know what those are or i guess i do plugins i guess
but no dont have stuff and i only have microsoft antivirus
does it help if i send you my pfsense configuration file and then you can look at it to see if something is misconfigured on it?
and i thought on the general setup page when you set the dns to the specific gateways
that they would be separate so the Wan PPPoE if you set it to 1.1.1.1 then only the WAN(LAN) rules would access the 1.1.1.1
and when you set the VPN Nord to the 103.x.x.x then the NordVPN (LAN) rules would access the 103.x.x.x. and they wouldnt mix but thats not true
that was my understanding on that page where i thought they'd be separate... but as soon as you set up for the WAN PPPoE it leaks over to the VPN and becomes unsecure yet it works so im guessing you really can only have 1 or the other right? or no thats not right you should be able to have both.. and be able to separate them securely
or you have to just run a 2nd dns server like i have on my unraid box but i only use it for my lancache prefill to run