PfSense DNS via WireGuard - slow loading time for some web pages

nsduke · Jun 5, 2024, 6:57 PM

Hello,

I need help diagnosing and solving the problem of slow-loading certain web pages on WG clients when I set the client to use Pfsense as a DNS resolver.
let me explain:

I have VPS which is also a Wireguard "server", "clients" are Pfsense (and local devices behind it), and my phone and laptop when I am not at home.
Everything is working as it should, I can access my local network, and from the local network, there is a split or full tunnel to the VPS/WG server.
PfSense is a DNS resolver with no forwarding option enabled.

The only problem is when I set DNS to Pfsense IP in the WG client, some web pages have a very slow loading time but others load normally, which is strange.
If I change the DNS IP in the client conf with the IP of the WG server, or Google DNS pages that were loading slowly now load normally.
From local lan there is no such problem and pages are loading normally

I don't think the problem is in Pfsense resolver because all web pages are resolved eventually but yet again when I change DNS in WG client pages resolve instantly.
Maybe the problem is with MTU values, I set MTU to 1420 for the WG server, clients, and Pfsense WG interface it's much better the leaving it default according to iperf3 testing but again leaving it default problem remains the same.

Any suggestions on where to look for problem?

nsduke · Feb 20, 2024, 3:02 PM

Update:

There a little or no improvements by changing MTU/MSS values, more on the laptop and less on the phone.

I have trouble finding any similar case out here. Maybe the problem is specific to my environment.

Can someone confirm that one peer (pfsense in this case) can be a DNS resolver for another peer(laptop, phone) with VPS acting as a wireguard server in the middle, without these issues ? (long time loading some web pages).

nsduke · Jun 4, 2024, 9:45 AM

Hi,

I found where the problem was a few days ago while moving pfSense to the new home server.
In a new setup, I decided to move the WiFi network to a new subnet and try to isolate it from my other LAN by adding a LAN rule to block RFC 1918 except for one device in that network (my laptop). And then a similar thing started to happen, on my mobile phone in the Chrome browser the same web pages took forever to load but others were loading normally.
So in the end it came to me that the problem was in 10.10.10.1 the virtual IP address of pfBlockerNG.

Then I added this address in wg0.conf on my VPS as the allowed IP for my pfSense peer and the problem was gone.
Loading all web pages is now normally on my mobile phone or laptop when I am using wg client and pfSense as DNS server.

hahahalol · Jun 4, 2024, 9:45 AM

@nsduke I was facing the exact same issue, and updating the AllowedIPs list of my WireGuard config with the virtual IP of pfBlockerNG as you described also solved it for me. Many thanks for reporting back with your solution!

nsduke · Jun 4, 2024, 2:54 PM

@hahahalol

No mention. I am glad you resolved the issue.

The Party of Hell No · Jun 5, 2024, 6:57 PM

@nsduke
Looking for some clarification.
It sounds like your WireGuard VPN subnet is the same subnet as pfBlockerNG - 10.10.10.1 would sit on?

nsduke · Jun 6, 2024, 4:35 PM

@The-Party-of-Hell-No

No, it's not that.
In simple worlds when using WG client and you set pfSense as DNS server which is also WG client(peer) along with pfBlocker in some casses issues starts to happen like slow loading certain website's.
Probably some problem with traffic from/to pfBlocker virtual server if you not allowed it in adding ip addres of blocker server as allowed in wg0.conf file.

brooklinman · Jan 3, 2025, 1:56 PM

I had the same issue, and the pfblocker virtual IP 10.10.10.1 was the cause. Adding it to my WG peer allowed IPs resolved the issue.