Some websites are being blocked, not sure what I got misconfigured.
-
@stephenw10 here are the screenshots of the DNSBL
and I'll try disabling pfBlocker to see if that will fix it? -
So after disabling pfBlocker and letting it sit 10 minutes the WAN computer still cannot access either of the 2 websites... still can't ping them or go to the webpage
-
Can pfSense resolve both URLs correctly?
canadacomputers.com does not respond to ping so that will always fail. You need to try a TCP test on port 443. You can do that in pfSense using Diag > Test Port.
Or from a client using curl or telnet like:
    steve@steve-NUC9i9QNX:~$ telnet canadacomputers.com 443
    Trying 52.233.38.251...
    Connected to canadacomputers.com.
-
@stephenw10
So on the WAN computer
Canada Computers site will not work in the browser.... now the elegoo website, it won't work, then it will at a moment, say maybe a min or 2, part of the website works, then it goes to page can't be found or what not... then might come back.. same like I mentioned, if I reboot pfSense typically both sites work, then they stop working within 5 min, or Canada Computers site won't work period but the elegoo will work for about 5 min after a pfSense reboot but then goes down -
Ok check the states when that is failing. Is it sending traffic out of the WAN correctly?
-
@stephenw10 here are the states for Canada Computers when it fails... I tried to find the IP for the elegoo.com website but I couldn't find it so I couldn't do a screenshot
-
Hmm, I note canadacomputers.com resolves to a completely different IP address for me. Does it resolve to that against 8.8.8.8 for example?
If not then there's something odd with the VPN DNS servers I'd suggest.
    steve@steve-NUC9i9QNX:~$ dig +short @103.86.99.100 canadacomputers.com
    52.233.38.251
    steve@steve-NUC9i9QNX:~$ dig +short @103.86.96.100 canadacomputers.com
    52.233.38.251
    steve@steve-NUC9i9QNX:~$ dig +short @8.8.8.8 canadacomputers.com
    52.233.38.251
-
@stephenw10 so I got
-
Hmm, that non-responding server, is that the one set without a specific gateway?
None are returning that 198 IP address though. That was what the client resolved?
-
@stephenw10 the none under General Setup, where I have it set to none, for that one that's not showing a result
and ya on the WAN client computer I'd get the 198.x.x IP but isn't that the range of the 192 for private networks, I forget now
and how it's all set up is
the DNS resolver is set for NordVPN
all IPs use 192.168.0.1 as the DNS and gateway IP
the 192.168.0.32 is for the host override to point to for the lancache
I do use the Avahi service to access my other networks to help with Home Assistant, it just helped
oh also I found the Reddit website doesn't work on the WAN client too... I figured it was my site-to-site OpenVPN connection connecting to my sister's LAN always.. was the issue, but disabling it and letting it sit 15 min didn't solve that issue either
so something is conflicting
but if I add 1.1.1.1 on WAN PPPoE under General Setup it makes things work, but it defeats the purpose of my VPN as it makes it insecure. It's too bad you can't block the WAN gateway going on the VPN side... it just leaks over or what not
-
That 198.18.1.187 IP is a public address but it's unclear where it's coming from. Just Googling it shows that subnet is used by some services to speed up connections where DNS resolution fails.
You have anything running on the test host locally that filters DNS? Antivirus program? Browser extensions etc?
-
@stephenw10 if you mean test host like the WAN PC, which is my gaming PC
no, no DNS filtering or extensions, I really don't know what those are, or I guess I do, plugins I guess
but no, I don't have that stuff and I only have Microsoft antivirus
does it help if I send you my pfSense configuration file and then you can look at it to see if something is misconfigured on it?
and I thought on the General Setup page when you set the DNS to the specific gateways
that they would be separate, so the WAN PPPoE if you set it to 1.1.1.1 then only the WAN (LAN) rules would access the 1.1.1.1
and when you set the VPN Nord to the 103.x.x.x then the NordVPN (LAN) rules would access the 103.x.x.x. and they wouldn't mix, but that's not true
that was my understanding on that page, where I thought they'd be separate... but as soon as you set it up for the WAN PPPoE it leaks over to the VPN and becomes insecure, yet it works, so I'm guessing you really can only have 1 or the other, right? Or no, that's not right, you should be able to have both.. and be able to separate them securely
or you have to just run a 2nd DNS server like I have on my Unraid box, but I only use it for my lancache prefill to run
-
The DNS servers you set in System > General Setup are what the system itself uses for resolution. They are also what Unbound uses if it is set to forwarding mode.
The gateways set next to each of those DNS entries cause pfSense to add a static route for that address via whichever address is set. So in a dual WAN situation it's recommended to set at least one DNS server on each WAN to allow access to something if one WAN goes down.
If you don't set a gateway there the system will just use the system default route which might vary.
However when you set outbound interfaces in Unbound the route-to rules will always force traffic via the gateway on those WANs (if there is one).
So when you add a DNS server without a gateway like that it allows pfSense to resolve things before the VPN connects or if it ever goes down. And that allows it to resolve the DNS server itself for example.
-
@stephenw10 I kinda understand... I'm a visual learner, so with my dyslexia I have to re-read things you write sometimes 10 times to understand, and I kinda understand but I need pictures, but I kinda understand.... I'm guessing we still can't solve the issue easily...
cuz that's how in my head I thought things were, that in General Setup you can specify the specific DNS for each gateway and then it keeps it separate.. but it's mostly for dual WAN, not for a WAN and VPN and keep them secure separately... and work perfectly fine like isolated...
ya no dual WAN here... my little 5 megabit DSL, I can't even get 3 megabit half the time lol, but I try to learn pfSense and set it up properly
I guess another way? 2 pfSense boxes, 1 for WAN and 1 for VPN, and that way they would be isolated.. right, and then there'd be no issues?
or how would you do it... as I try to get the DNS for my local network, as I don't always remember my IP addresses but I remember the server names I gave them.. but I guess I should learn or at least write the IPs down, that way you don't rely on the DNS to resolve the local IPs.
always learning and trying to get a secure VPN, a WAN and a lancache and all use the 192.168.0.1 as the DNS
and I always wonder... does Microsoft use Microsoft Windows Server for their servers or do they use a different brand, things that run through my head lol
-
pfSense sees the VPN interface as a second WAN. It's really only the other config that makes it different. No failover or load balancing for example, that wouldn't be valid for a VPN interface like this.
Yes, you could use two pfSense boxes and that can make it seem logically easier to understand but shouldn't be necessary.
You can add host overrides for local resources so you can access them by hostname.
To resolve this current issue we need to find out where that other IP address is coming from. It looks like either the VPN DNS server is returning it when you access it over the VPN. Or you have some local override for it set to that address somehow.
Try running tests for the host that's failing to connect to it against all the DNS servers in play.
Try digging against localhost in pfSense to check for some locally cached bad value.
-
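The test stephenw10 describes above (query the failing hostname against every DNS server in play, including localhost on pfSense, and see which one hands back the odd address) can be scripted so the comparison is mechanical. The script below is an added example written for this thread, not code from any post or from the pfSense project. It wraps `dig +short` for live queries (the `dig` invocation is an assumption about the client's tooling; pfSense's own Diag > DNS Lookup page does the same per-server comparison in the GUI) and separately analyses a dict of server-to-answers, so the analysis can be checked offline. The sample answers are constructed from the thread: the three `dig` results above all returned 52.233.38.251, while the WAN client saw 198.18.1.187. 198.18.0.0/15 is the RFC 2544 network-benchmarking range, so an answer in it is flagged as a synthetic address rather than a real host, which points at whatever resolver or middlebox produced it rather than at the site.

```python
"""Compare one hostname's answers across several DNS servers and flag outliers."""
import ipaddress
import shutil
import subprocess

# RFC 2544 reserves 198.18.0.0/15 for benchmarking; no real site lives there.
BENCHMARK_NET = ipaddress.ip_network("198.18.0.0/15")

# Constructed sample, mirroring the thread: three upstreams agree, pfSense's
# localhost gives nothing, and the WAN client resolves to a 198.18.x address.
SAMPLE_RESULTS = {
    "nordvpn-1 (103.86.99.100)": {"52.233.38.251"},
    "nordvpn-2 (103.86.96.100)": {"52.233.38.251"},
    "google (8.8.8.8)": {"52.233.38.251"},
    "pfsense localhost (127.0.0.1)": set(),
    "wan client stub resolver": {"198.18.1.187"},
}


def query_dig(server, hostname, timeout=5):
    """Run `dig +short @server hostname` and return the set of IP answers.

    Assumes dig is installed on the machine running this; CNAME targets in the
    output are skipped so only addresses are compared.
    """
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed on this host")
    proc = subprocess.run(
        ["dig", "+short", "+time=%d" % timeout, "@%s" % server, hostname],
        capture_output=True, text=True, timeout=timeout + 2, check=False)
    answers = set()
    for line in proc.stdout.splitlines():
        token = line.strip().rstrip(".")
        try:
            ipaddress.ip_address(token)
            answers.add(token)
        except ValueError:
            continue  # not an address (CNAME target, empty line)
    return answers


def analyse(results):
    """Given {server_label: set_of_answers}, report consensus and anomalies.

    consensus: the answer set returned by the most servers
    agreeing:  servers that returned the consensus set
    outliers:  servers that answered but disagreed with the consensus
    silent:    servers that returned no address at all (timeout / SERVFAIL / empty)
    benchmark_range: servers whose answers fall inside 198.18.0.0/15
    """
    answered = {s: a for s, a in results.items() if a}
    silent = sorted(s for s, a in results.items() if not a)

    tally = {}
    for server, answers in answered.items():
        tally.setdefault(frozenset(answers), []).append(server)
    consensus = max(tally, key=lambda k: len(tally[k])) if tally else frozenset()

    outliers = {s: sorted(a) for s, a in answered.items() if frozenset(a) != consensus}
    benchmark = {}
    for server, answers in results.items():
        bad = sorted(ip for ip in answers if ipaddress.ip_address(ip) in BENCHMARK_NET)
        if bad:
            benchmark[server] = bad

    return {
        "consensus": sorted(consensus),
        "agreeing": sorted(tally.get(consensus, [])),
        "outliers": outliers,
        "silent": silent,
        "benchmark_range": benchmark,
    }


def query_all(hostname, servers):
    """Live variant: query each server with dig and return the results dict."""
    return {s: query_dig(s, hostname) for s in servers}


if __name__ == "__main__":
    report = analyse(SAMPLE_RESULTS)
    for key, value in report.items():
        print("%-16s %s" % (key + ":", value))
```

With the constructed sample the report names the WAN client's resolver as the lone outlier and as the only source of a benchmark-range address, while the pfSense localhost entry shows up under `silent`, which is the "non-responding server without a gateway" case discussed earlier. For a live run, replace `SAMPLE_RESULTS` with `query_all("canadacomputers.com", [...])` from a client that has `dig`, listing each upstream plus 127.0.0.1 when run on the firewall itself.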
@stephenw10 ah ok, so pfSense sees it as a 2nd WAN, not like a WAN and VPN. Is there such a thing, or is that enterprise big company stuff, or that's out of the scope
but always learning
so far haven't found the issues
so far I can get Reddit, Canada Computers and elegoo all to work on the VPN client computers
but none will work on the WAN clients
they all point to 192.168.0.1
I only use host override for Epic Games, Steam, Battle.net and Windows Update to go to the lancache drive, and then it goes out to 1.1.1.1 as the upstream DNS
now I'm not sure how to test more cuz I just usually set up and let pfSense do its thing lol...
and what do you mean locally cached bad values in pfSense in the localhost... how do I check.. . is that the state thing you had me do.. or the routes or the DNS lookup...
and I don't understand why on the WAN the elegoo website will work for a few min but then it will stop working, but it will work again at random times if you can catch it, then won't work again on the WAN LAN PC. It's like, you know when you have 2 computers with the same 2 IPs and they are conflicting, and one will work but then the other computer will work when the other goes down.. cuz they're conflicting... it's like that.... least that's how it feels .....
I figured I must have like a toggle or a check box set that's causing the issue?
-
Ok so you are only seeing this issue on clients that use the WAN directly?
And you still have Unbound set to use only the NordVPN interface for outgoing connections?
This feels like something on the server side seeing a mismatch between the source address and DNS servers.
-
@stephenw10 ya only seems to be affecting the WAN clients
is it fixable? other than needing, like I guess, a 2nd DNS server I guess I'd have to run, as I was thinking pfSense could run it all at once, or is it too much overhead?
is there anywhere I can look further on pfSense for what causes it, where the WAN clients will work for Reddit sites but then it goes down, just like the elegoo where it will work for a few min then it's down for who knows, or at least when you reboot pfSense, then when it's rebooted at least the elegoo website works fine for about 5 min, then it's totally unreachable
what does that all mean?
-
You can configure the DHCP server to pass some other DNS servers to those clients that are using the WAN directly.
It's possible to run both DNS servers in pfSense with one on a different port. You can then forward requests to that from selected clients like those using WAN. I wouldn't recommend that setup though.
-
@stephenw10 ya I'll give that a try then, pass the prefill cache DNS server for the WAN clients
oh and why aren't the different ports recommended?