Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VLAN Over VPN Works, But How to Handle DNS?

    Scheduled Pinned Locked Moved DHCP and DNS
    12 Posts 3 Posters 581 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      iggybuddy6 @keyser
      last edited by iggybuddy6

      @keyser
      Thanks for the answer.
      When I tried to force the dns on the vlan (10.10.99.0/24) dhcp server the clients were unaware on how to route traffic to 10.2.1.1 or 10.2.2.1 (the 2 dns addresses on the 2 VPN interfaces).
      Those routes are unknown. The fw rules create an abstraction for the traffic (the client doesn’t know its routed via vpn).. where clients need instead to be aware of vpn dns routes.
      How would u achieve that exactly?

      keyserK 1 Reply Last reply Reply Quote 0
      • keyserK
        keyser Rebel Alliance @iggybuddy6
        last edited by

        @iggybuddy6 I’m not sure I understand how your setup is created/working then. How is your pfSense able to reach those DNS servers if it doesn’t know the route to them? If your pfSense know the route to them, your clients should as well if they use pfSense as the default gateway.

        Love the no fuss of using the official appliances :-)

        I 1 Reply Last reply Reply Quote 0
        • I
          iggybuddy6 @keyser
          last edited by

          @keyser
          Thanks again for the reply. It was maybe a fw rules issue.

          V99_VPN uses the 2 VPN servers DNS.
          I can now see the traefik client go over vpn dns and seems ok now.

          Does this look like a good setup to you?
          I’m just learning pfsense. Thx a lot

          IMG_0012.jpeg IMG_0013.jpegIMG_0015.jpeg IMG_0014.jpeg

          keyserK 1 Reply Last reply Reply Quote 0
          • keyserK
            keyser Rebel Alliance @iggybuddy6
            last edited by

            @iggybuddy6 It seems to work as intended. I can’t really comment on the setup as I cannot see the whole picture. But I assume everything is as intended as you are also using the ProtonVPN endpoints as DNS servers.

            Love the no fuss of using the official appliances :-)

            I 2 Replies Last reply Reply Quote 0
            • I
              iggybuddy6 @keyser
              last edited by

              @keyser thanks a lot 🙏

              hydnH 1 Reply Last reply Reply Quote 0
              • hydnH
                hydn @iggybuddy6
                last edited by hydn

                @iggybuddy6 I’m using a very similar setup with NordVPN. You can set the DNS on the DHCP interface settings .

                However, that means DNSBL won’t see that traffic if you override. So what I did was leave them blank but then manually set the NordVPN DNS IPs on my TVs and other devices that I want to use the VPN DNS.

                This way unbound still see the traffic and dnsbl blocks will work but the dnsleak test will show only the DNS you set manually on each device.

                I’m always split between not using DNSBL at all VS using it. But today I’ve settled on keeping the DHCP DNS settings untouched and instead set the VPN DNS manually on each device. Because he VPN will still work even when not using nord’s DNS it’s just that the traffic isn’t hidden completely but the location set by your VPN, Miami, New York, etc will work exactly the same.

                I 1 Reply Last reply Reply Quote 0
                • I
                  iggybuddy6 @hydn
                  last edited by iggybuddy6

                  @hydn thx for the link outlining your setup. I will go through it.
                  For my use case I care more about privacy (having traffic and dns within the VPN) and I’m currently willing to give up the extra dnsbl checks. I plan to block/redirect anything else (sw/devices) trying to override the VPNs DNS.

                  hydnH 1 Reply Last reply Reply Quote 0
                  • I
                    iggybuddy6 @keyser
                    last edited by

                    @keyser mmh now it’s not working again. I’m not sure if the issue is with NAT rules. I haven’t changed anything and nslookup go on timeout with state no traffic.

                    IMG_0016.jpeg IMG_0018.jpeg

                    1 Reply Last reply Reply Quote 0
                    • hydnH
                      hydn @iggybuddy6
                      last edited by

                      @iggybuddy6

                      Whether you keep DNSBL or not remember that there is malware blocking available via Cloudflare DNS and Quad9. Check them out if you haven’t already. But of course you lose logging, privacy of doing it locally and pfblockers geoIP, category blocking etc.

                      It’s a lot to give up if you enjoy that data and control.

                      I 1 Reply Last reply Reply Quote 0
                      • I
                        iggybuddy6 @hydn
                        last edited by iggybuddy6

                        @hydn Appreciate the heads-up.

                        In general settings, I’m using Quad9 over DoT. The network uses the DNS Resolver with pfBlockerNG and DNSBL, listening on the network interface addresses. This all works fine.

                        What I’m now trying to do is to isolate part of the network by using a VLAN and route all its traffic—including DNS—exclusively through the VPN. From a privacy perspective having VPN traffic and DNS within the VPN seems to be the safest approach. I’m fine giving up some control and filtering provided by pfBlockerNG and popular public DNS.

                        I’m still not quite sure how to set this up properly. I tried configuring the VLAN’s DHCP server to hand out the VPN’s internal DNS IPs (10.2.1.1 and 10.2.2.1) for the 10.10.99.0/24 subnet. It looked like it was working earlier, but now DNS queries are timing out.

                        I have disabled DNS Resolver on the vlan 99 interface.
                        The 2 Gateway VPN IPs are used as dns servers on my host /etc/resolv.conf

                        86bc21ae-69f8-41da-b82e-35ce06810538-image.png

                        7a22fe03-c791-4d75-8e5c-58fd80df1c49-image.png

                        nslookup timeout
                        501415eb-3e40-4f1e-a0e2-d80f1b446853-image.png

                        Traffic going out from VLAN to VPN DNS
                        59e063d0-febe-4c03-9e10-a8b6afb26eaf-image.png

                        traffic seems coming back from the VPN (this is correct as I have 1:1 NAT on 10.2.0.2 to 10.2.1.1)
                        0b095dd3-f8e9-4b14-a431-1069c9cb85f6-image.png

                        I suppose on the VLAN I should see traffic response coming in from 10.2.1.1 but I do not and that is why I see "timed out".

                        The nat seems to work I think. I am confused on why the DNS response is not properly routing back to the client

                        my 1:1 NAT
                        217c0de8-17cd-4d0c-81e1-0ef5ba5b32e2-image.png
                        my outbound
                        48ab8aed-4cd5-4edb-82b2-78c13dece434-image.png

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.