All Devices use DNS Resolver and General Setup except select IPs?
-
I have set up OpenVPN using NordVPN and it is working as intended. I followed this guide: https://youtu.be/AouyT76yMmU
The DNS resolver has "All" network interfaces selected.
The outgoing network interface is only the NordVPN interface.
DNS Query Forwarding, DHCP Registration, and Static DHCP are all checked.
Under General Setup 103.86.96.100 (NordVPN DNS Server) is set to "none" and 103.86.99.100 (NordVPN DNS Server) is set to the NordVPN Interface.
All is well with the setup.
However, certain programs or devices are not happy with this setup. Amazon Echo devices are offline, and Netflix and Amazon Prime Video won't connect. Since the Netflix and Amazon Prime Video apps are only used through Nvidia Shields, I just set the DNS override in the Shield itself to correct the issue. However, for the Echo devices, I don't have an option for a DNS override.
How can I set up a group of devices identified through their static IP address to use a separate DNS server/s? I created an Alias for these devices, and I imagine that using Gateway Groups I may be able to accomplish this, but I am not sure how to proceed.
Any help would be greatly appreciated. Thank you for your time.
-
@Asmodeus666 said in All Devices use DNS Resolver and General Setup except select IPs?:
However, certain programs or devices are not happy with this setup. Amazon Echo devices are offline, and Netflix and Amazon Prime Video won't connect. Since the Netflix and Amazon Prime Video apps are only used through Nvidia Shields, I just set the DNS override in the Shield itself to correct the issue. However, for the Echo devices, I don't have an option for a DNS override.
When an application on a LAN device connects to some internet based service like 'netflix', netflix doesn't know what DNS you've used to obtain the IP address.
If the application knew the IP upfront, there isn't even DNS involved.
If, for example, "103.86.96.100" doesn't want to resolve 'netflix.com' for you, then you have a problem : the application uses the DNS "103.86.96.100", got 'nothing' back, so it fails to connect.
That's not the case when I tested :
[24.03-BETA][root@pfSense.bhf.tld]/root: dig @103.86.96.100 netflix.com +short
54.237.226.164
3.230.129.93
52.3.144.142
Note : I'm not a client of Nord OpenVPN.
But I guess the most obvious reason why amazon or netflix doesn't work : you are breaking their usage conditions : use your WAN ISP IP and you will have access to their content.
After all : "netflix and amazon" know what IPs are the ISP IPs, and they also know what IPs are used by VPN ISPs. And if your VPN IP wasn't listed, it will be on the list very soon.
I've seen the ads : you want to see the Russian netflix while living in Ireland ? Get a VPN IP in Moscow and you see the content.
A bit strange, because the Netflix login account you use is "Ireland" based ... So Netflix knows what you are doing, using a VPN or not.
And again, they know what IP is from an ISP, or VPN ISP.
The real solution is : policy route all traffic through the VPN, except the LAN devices (IPs) that need to access services that are VPN restricted.
-
Thanks for the reply. However, I'm not breaking the usage conditions for Netflix or any streaming service. I mentioned in my post that on the devices (Nvidia Shields) that access Netflix and Amazon Prime Video, I have set the DNS override on the Nvidia Shields themselves for Google's DNS servers, and they work fine now. It is only the Amazon Echo devices that seem to be having problems now, and there doesn't seem to be a way to set the DNS servers for each of the Echo devices in the Amazon app.
I'm not sure why this specific problem is occurring, as everything else seems to be working without a problem. All my PCs, mobile devices, my Plex server, my Hubitat smart home, etc., along with all the software and services, with the exception of, interestingly, Evernote. If it's connected to the network it won't load. If I change the DNS servers in pfSense to Google's, all of a sudden it loads the data on the cloud. Besides that it was only the aforementioned Netflix and Amazon Prime Video, along with the Amazon Echo devices. I've checked most, if not all, of my other devices, etc., and everything seems to be working in order. I was under the belief that, as you said, Netflix and other sites do not know the DNS server that you have used... I have no logical reply for you based on my limited knowledge and can only provide the empirical evidence that when the DNS servers are changed to Google's it will work with nothing else changed. Strange, eh?
I agree with your solution
"The real solution is : policy route all traffic through the VPN, except the LAN devices (IPs) that need to access services that are VPN restricted."
However, as I stated in my original post:
"How can I set up a group of devices identified through their static IP address to use a separate DNS server/s? I created an Alias for these devices, and I imagine that using Gateway Groups I may be able to accomplish this, but I am not sure how to proceed."
I am relatively new to pfSense and I'm not sure how to accomplish this based on my current configuration.
If there are any logs etc that I can provide that would be useful please let me know.
Thank you for your time and patience.
-
@Asmodeus666 said in All Devices use DNS Resolver and General Setup except select IPs?:
How can I set up a group of devices identified through their static IP address to use a separate DNS server/s? I created an Alias for these devices, and I imagine that using Gateway Groups I may be able to accomplish this, but I am not sure how to proceed.
I am relatively new to pfSense and I'm not sure how to accomplish this based on my current configuration.
The good news, and bad news : your question isn't really pfSense related.
See it like this : you have a car.
Now you want to drive it on the road, but you don't know how to drive backwards.
It doesn't really matter what type of car you have, the principle is always the same.
Once you know how to do it with a Ford, you will be able to do it again with a Volvo.
Some text I could find while spending a couple of seconds searching :
Policy Routing Configuration
Route WAN through the VPN tunnel
-
You seem to believe that I came here without first attempting to figure it out myself. I have read not only the documentation online for pfSense, but also other sites and forums related to this. Additionally, I have also watched a multitude of videos, such as the one I followed to set up OpenVPN with NordVPN to start with. Nevertheless, I'm still not sure how to continue due to the current configuration that was set up for OpenVPN and NordVPN. Normally it only takes a single example for me to be able to catch on, but unfortunately it has eluded me. I have no qualms about admitting my ignorance here. Every day I surprise myself with how much I do not know.
As I stated, I am new to pfSense, and I thought that this forum was to assist new users. By no means do I expect nor do I request for you or anyone else to feel that they have to hold my hand and carry the burden of the tasks I'm attempting to accomplish.
It seems I'm mistaken in the purpose of this forum and I withdraw my request for assistance. Please accept my apologies.
Thank you for your time and have a good day, I will not burden this forum further.
-
@Asmodeus666 said in All Devices use DNS Resolver and General Setup except select IPs?:
Normally it only takes a single example for me to be able to catch on
Without knowing any details, I have to presume ....
Go here : Confirm connection success and from there, scroll about two screens up.
You'll find the place where a LAN firewall rule is created that uses an "advanced" setting : selecting the EXPRESSVPN interface.
The rule has the instruction to route all the matching traffic from "192.168.1.0/24" (LAN) over that gateway == the VPN.
Your mission : create another firewall rule that uses an IP alias, an alias that contains all devices that you do not want to route over the VPN - and for this rule you don't set any advanced firewall rule option.
This firewall rule should be placed just above the main policy routing firewall rule.
Basically, you create a pass rule like this :
where the green alias contains the IPs that shouldn't route over the VPN.
Test phase : use a device that is listed in the alias.
You should see that state counters go up from 0/0 to x/y.
Forget for now the first rule - and last rule (IPv6).
The second rule is the exception rule. Traffic that matches this rule goes out over WAN 'normal' (no VPN).
The third rule is the main policy rule that forces traffic out over the VPN.
Keep in mind that these rules 'rule' LAN device traffic.
You probably have to add another rule at the top of the LAN firewall rules that passes DNS traffic over to pfSense (port 53, UDP and TCP, and select any as a destination, or "Firewall itself").
That is, this is needed if you want your local devices to use pfSense as the DNS source.
Also : as this is NordVPN .... you saw the discussion last week on this forum ?
About how fckd up (for some, or all clients ?) Nord is right now ?
See here : https://forum.netgate.com/topic/186580/dns-suddenly-broken-on-some-vlans?_=1712331931965
If that story is true, and still valid, then I've one major advice for you : Keep it simple, ditch the VPN.
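The rule ordering described in this reply (DNS-to-firewall rule on top, then the alias exception rule with no gateway set, then the policy-route rule that sends everything else over the VPN), as an added example that is not part of the thread or of pfSense itself. It is a small first-match simulation of how pfSense evaluates LAN rules, so you can see why the exception rule has to sit above the policy-route rule: if the order is swapped, the policy rule matches the Echo devices first and the exception is never reached. The gateway name NORDVPN_VPNV4, the alias membership and all addresses are constructed placeholders.

```python
"""First-match simulation of the LAN rule ordering described in the reply above.

Added example, not code from pfSense or from the forum thread. The gateway name
NORDVPN_VPNV4, the alias contents and all addresses are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Union

LAN_NET = ip_network("192.168.1.0/24")
FIREWALL_SELF = {"192.168.1.1"}                     # "This Firewall" on the LAN side
NO_VPN_ALIAS = {"192.168.1.50", "192.168.1.51"}      # constructed: devices kept off the VPN

AddrSpec = Union[str, set, IPv4Network]


@dataclass
class Rule:
    name: str
    src: AddrSpec                 # "any", a set of IP strings (an alias) or an ip_network
    dst: AddrSpec
    proto: str = "any"            # "any", "udp" or "tcp"
    dport: Optional[int] = None
    gateway: str = "default"      # "default" = normal routing table (WAN); else a policy-route gateway


def _match_addr(spec: AddrSpec, addr: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return ip_address(addr) in spec


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (_match_addr(rule.src, src)
            and _match_addr(rule.dst, dst)
            and rule.proto in ("any", proto)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules, src, dst, proto="tcp", dport=443):
    """First matching rule wins (pfSense rules are 'quick' by default); returns (name, gateway)."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.name, rule.gateway
    return "implicit-deny", None


def recommended_rules():
    """Order from the reply: DNS to the firewall, then the exception, then the policy route."""
    return [
        Rule("dns-to-firewall-udp", LAN_NET, FIREWALL_SELF, "udp", 53),
        Rule("dns-to-firewall-tcp", LAN_NET, FIREWALL_SELF, "tcp", 53),
        Rule("vpn-exception", NO_VPN_ALIAS, "any"),                 # no gateway option set
        Rule("policy-route-vpn", LAN_NET, "any", gateway="NORDVPN_VPNV4"),
    ]


def misordered_rules():
    """Same rules with the exception placed below the policy route, to show it gets shadowed."""
    rules = recommended_rules()
    rules[2], rules[3] = rules[3], rules[2]
    return rules


if __name__ == "__main__":
    for label, rules in (("recommended", recommended_rules()), ("misordered", misordered_rules())):
        for host in ("192.168.1.50", "192.168.1.20"):
            print(label, host, "->", evaluate(rules, host, "203.0.113.7"))
```

Running it shows the alias member 192.168.1.50 leaving via the default route under the recommended order and via NORDVPN_VPNV4 under the misordered one, while the non-alias host 192.168.1.20 is policy-routed in both cases; DNS to the firewall itself is caught by the top rule before the policy route can redirect it.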
-
Thank you for replying. Obviously, I was not detailed enough originally; my apologies.
Allow me to better explain, and please correct me as needed in my assumptions.
Per the instructions for setting up NordVPN (https://support.nordvpn.com/hc/en-us/articles/20382523899281-pfSense-2-5-Setup-with-NordVPN) the Network Interfaces are set to ALL and the Outgoing Network Interface is only the NordVPN interface in the DNS resolver.
Forwarding Mode is enabled, which means DNS queries are forwarded to the DNS servers defined under General Setup.
In the General Setup, I have only two DNS Servers listed, both of which are NordVPN DNS servers.
103.86.96.100 is set to none, which I assume means that it is applied to all interfaces.
103.86.99.100 is set to only the NordVPN interface.
If I understand this correctly, this means that all interfaces, whether or not they are using the NordVPN Gateway for normal traffic, will use the NordVPN interface/gateway for the DNS queries.
Instead of applying the NordVPN interface to a whole network for all traffic, I am only applying it to select devices. I created an Alias called VPN_OUT_ENDPOINT for those devices that will use the NordVPN interface.
Under the Outbound NAT Rules I have the following:
In my LAN Rules I have the following:
The first two rules are of no consequence. VLAN50 is only for my cameras and does not have access to any WAN. Only select devices can access the VLAN.
You can see my 3rd rule allows the Devices under the VPN_OUT_ENDPOINT to the NordVPN gateway. Should the destination of "This Firewall" be changed?
The WAN rules Block traffic from VPN_OUT_ENDPOINT so that if the NordVPN interface goes down for whatever reason traffic from those devices won't go out the WAN.
So far so good...
Here is a snapshot of what I see if I use pfTop and set it to port 53:
I am seeing both NordVPN DNS server IPs, as well as Google and Cloudflare DNS IPs which I set on certain devices to override, such as my Nvidia Shields. I assume this is what we would expect to see. I can see devices that are using the WAN gateway, as opposed to the NordVPN gateway, are using NordVPN's DNS servers.
Creating the rules has not been a problem for the most part, though perhaps I have made errors.
Where I get stuck is where I am supposed to add the DNS servers that select devices would use (the Echo devices for the moment). If I add, say, the Google DNS servers to the WAN gateway in the General Setup, it would allow all devices on the WAN to access those DNS servers. Since my goal is to only allow select devices to access Google's DNS servers, where would I set this up?
I created an Alias group for the devices that I want to use Google DNS servers, but I am not sure where I would insert the DNS Server information. Any rule I create using that Alias must be pointed toward a gateway, but all the gateways are using the DNS servers listed in the General Setup.
I contemplated using Gateway Groups as a solution, but I am at a loss. Perhaps the way I have it set up does not allow for what I intend...
I have reviewed what you wrote last, and I do not think it applies here, correct? Since only select devices are connected to the NordVPN gateway, I do not need a rule to block all the other devices from having access to the NordVPN gateway.
My goal isn't to block certain devices from using the VPN gateway for all traffic (since most of my devices don't use the NordVPN gateway), but to use alternative DNS servers. But even pointing select devices toward the WAN still uses the NordVPN DNS servers per the General Setup.
I did not have to add another rule at the top of the LAN firewall rules that passes DNS traffic over to pfSense, since this LAN rule seems to accomplish the same:
I also looked at the link you sent me regarding how others have experienced problems with NordVPN. However, besides the few devices and a few sites (Netflix, Prime Video, and Evernote), everything else is working fine as far as I can tell. The device using the NordVPN gateway is running Blue Iris and qBittorrent and has no issues. Since NordVPN blocks most ports, my Blue Iris server is using ngrok so I can access my cameras from outside my LAN. No issues.
I tried the dig @1.2.3.4 netgate.com command and the connection timed out, no servers could be reached. Let me know if there is any other test I should try.
Ultimately, if I can have select devices use Google's DNS servers, etc., then that will solve my problem.
Lastly, I found it perplexing that if I attempt to use the Evernote app on my PC (connected to WAN gateway, but DNS is set to Nord and uses Nord gateway) the app will not load, as you see below:
But if I use the NordVPN desktop app and set it to split tunneling where only Evernote will use the VPN
All of a sudden it works...sigh...
-
Maybe I am misreading, but if you want deviceA to use 8.8.8.8 then in the DHCP reservation set the DNS option to 8.8.8.8 and that device will be given the DNS server you want. You may need to add the DNS server address to your split tunnel rules.
-
@Asmodeus666 said in All Devices use DNS Resolver and General Setup except select IPs?:
Lastly, I found it perplexing that if I attempt to use the Evernote app on my PC (connected to WAN gateway,
This PC is connected to what pfSense interface ? WAN ??
-
Ah, of course. I was so intently concentrated on the WAN & LAN rules, and the DNS Resolver / General Setup Rules, that I missed the most obvious place, the static IP assignments. Thank you, I was going in circles like an idiot.
-
Yes, the PC is connected to the WAN, not NordVPN. My public IP address is the real one. However, DNS queries are sent to NordVPN's DNS servers via the NordVPN gateway per the DNS resolver. Below are the results of the DNS leak test for this PC.
When I ran this DNS leak test on the PC that is connected to the NordVPN gateway, I got the same results.
Anyhow, for whatever reason, Evernote won't load on my PC (connected to the WAN interface). However, if I turn on the NordVPN desktop app, which is set to split tunnel and only the Evernote app is routed through the VPN, it starts to work.
This makes no sense to me, since I assume the NordVPN desktop app will use the NordVPN DNS servers once it connects to the VPN.
FYI, I went into the DHCP static settings for my echo devices and set the DNS servers to Google, and they are all up and running now.
I can only assume that these are lingering issues with NordVPN per the link you previously provided.
-