OpenVPN client weirdness once again



  • I'll try to keep it short  :'(

    1. OpenVPN client to PIA.
    2. Only selected websites to go via PIA, so LAN-rule: LAN-NET -> Alias -> Gateway: PIA_VPN4.
    3. This has worked for 6 months flawlessly.
    4. I discovered there is a DNS leak (dnsleaktest.com, ipleaktest.net). Weird stuff; it wasn't there before, apparently it suddenly appeared on 2.2.1 (I will not again upgrade to 2.2.3; did that, services kept on restarting, had to roll back to 2.2.1 and therefore will have to stay there until the 2.2.3 problems are fixed).
    5. In General Setup there is one DNS server per gateway, as I have dual WAN and the text says in that case there has to be 1 unique DNS per gateway.
    6. I also had not flagged 'do not use DNS-forwarder'.

    So the DNS leak. Googling I found threads in this forum where amongst others Dok was surprised the firewall wasn't actually using these DNS per gateway settings. I wonder with him. However, admin said 'not a bug, a feature'.

    Now, for the frustration: I did flag 'do not use DNS-forwarder'. Et voilà: DNS leaks gone according to these two sites. But: now all traffic is sent via OpenVPN, not just the addresses in the alias.

    I take it that for some reason or other this also is a feature and not a bug, but nevertheless: I would like this feature not to be here; I simply want the firewall to do as I tell it, and have told it for the last 6 months: only the traffic in the alias should go via the VPN, all the rest should not.

    And now I can't purchase stuff, since my vendors think I'm hacked because I suddenly arrive out of Finland instead of out of NL. And so does Gmail.

    I did reboot the box, after an uptime of 13 days, but that didn't solve anything either.

    If I sound frustrated and slightly irritated then that is because that is how I feel; my apologies. For some reason or other pfSense always works for a short while, and then the next problem pops up. I think I must have wasted weeks of my life freshly reinstalling and freshly customizing all packages (since a restore of packages has never ever worked since 2.0). I have wet dreams about a 'set it and forget it' scenario. I thought I had found that when I joined pfSense, but not a day goes by that I don't have to log in to see what's wrong this time.

    As an illustration of that, see the attached pic: and I don't even have these services activated in Squidguard.

    I'm in debt to people who could and would be so kind to help me out of my misery.

    Thank you for wasting your time reading this, and thank you very much in advance for any help,

    Bye,
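The setup in points 1 to 6 above (policy routing of one alias via the PIA gateway, the firewall's DNS forwarder pointed at one DNS server per WAN gateway) is enough to reproduce the first symptom in a toy model. The model below is an added example, not code from the thread or from pfSense. It applies the rule "LAN net -> alias -> gateway PIA_VPN4" followed by a default pass rule, and shows why a leak-test site sees the HTTP request arrive from the VPN while the DNS lookup for its test hostname arrives from the WAN: when clients use the firewall's forwarder, the upstream query is generated by the firewall itself, enters on no interface, and therefore never passes the LAN rules. All addresses, the alias members, the gateway names and the egress IPs are constructed. The model deliberately ignores NAT, state tracking and the static routes pfSense adds for per-gateway DNS servers, and it says nothing about the later "everything goes via the VPN" behaviour, which the thread does not explain.

```python
"""Toy model of interface-bound policy routing and what a DNS leak test observes.

Added example for this thread; not pfSense code. Everything below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

LAN_NET = ipaddress.ip_network("192.168.1.0/24")            # constructed LAN
VIA_VPN_ALIAS = (ipaddress.ip_network("203.0.113.0/24"),)   # constructed alias: sites to send via the VPN
FIREWALL_WAN_IP = "192.0.2.10"                              # constructed firewall WAN address
UPSTREAM_DNS = "198.51.100.53"                              # constructed per-gateway DNS server (General Setup)
VPN_DNS = "203.0.113.53"                                    # constructed resolver reachable inside the alias/VPN

# Public IP the outside world sees for traffic leaving through each gateway (constructed).
EGRESS_IP = {"WAN_DHCP": "192.0.2.10", "PIA_VPN4": "198.51.100.77"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    iface_in: Optional[str]   # interface the packet enters on; None = generated by the firewall itself


@dataclass(frozen=True)
class Rule:
    iface: str                                      # interface the rule is bound to
    src_net: ipaddress.IPv4Network
    dst_nets: Optional[Tuple[ipaddress.IPv4Network, ...]]   # alias members, or None for "any"
    gateway: Optional[str]                          # None = follow the routing table


# The two LAN rules from the post: alias -> PIA_VPN4 first, then the default pass rule.
RULES = (
    Rule("lan", LAN_NET, VIA_VPN_ALIAS, "PIA_VPN4"),
    Rule("lan", LAN_NET, None, None),
)


def pick_gateway(flow: Flow, rules=RULES, default_gw: str = "WAN_DHCP") -> str:
    """First matching rule on the ingress interface wins (pass rules are 'quick' in pfSense).

    Packets the firewall generates itself (iface_in is None) enter on no interface,
    so no interface rule is consulted and they follow the routing table."""
    if flow.iface_in is None:
        return default_gw
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if rule.iface != flow.iface_in or src not in rule.src_net:
            continue
        if rule.dst_nets is not None and not any(dst in net for net in rule.dst_nets):
            continue
        return rule.gateway or default_gw
    return default_gw


def leak_test(client_ip: str, test_site: str, resolver_ip: str, firewall_resolves: bool) -> dict:
    """What a dnsleaktest-style site observes for one client.

    The site sees the egress IP of the HTTPS request and, separately, the egress IP of
    whichever host finally queried its unique test hostname. With firewall_resolves=True
    the client asks the forwarder and the forwarder asks resolver_ip as the firewall;
    otherwise the client was handed resolver_ip directly and queries it through the LAN rules."""
    http = Flow(client_ip, test_site, 443, "lan")
    if firewall_resolves:
        dns = Flow(FIREWALL_WAN_IP, resolver_ip, 53, None)
    else:
        dns = Flow(client_ip, resolver_ip, 53, "lan")
    http_gw = pick_gateway(http)
    dns_gw = pick_gateway(dns)
    return {
        "http_egress": EGRESS_IP[http_gw],
        "dns_egress": EGRESS_IP[dns_gw],
        "leak": http_gw != dns_gw,   # the two egress IPs disagree: that is what the test flags
    }


if __name__ == "__main__":
    client, site = "192.168.1.20", "203.0.113.5"   # constructed client and alias member
    print("forwarder on :", leak_test(client, site, UPSTREAM_DNS, True))
    print("forwarder off:", leak_test(client, site, UPSTREAM_DNS, False))
    print("VPN resolver :", leak_test(client, site, VPN_DNS, False))
```

Running it shows the three cases that matter for the post: with the forwarder on, the HTTP request leaves via PIA_VPN4 but the DNS query leaves via WAN_DHCP, so the test reports a leak; turning the forwarder off alone does not change that in this model, because the client's direct query to a DNS server outside the alias still matches the default LAN rule; only a resolver whose address is itself policy-routed to the VPN makes both egress IPs agree. The practical check behind this is the same one the leak-test sites do: compare the public IP seen on HTTP with the public IP of the resolver that answers for a unique hostname, and treat a mismatch as a leak.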






  • Afraid I don't have Squid or anything related installed, so cannot advise - but, regarding the spam, yeah, this needs some serious work. No one wants these kinds of "notifications", and there's literally zero configuration for them. It's not just the System Watchdog package; those system messages are noisy as hell as well when something goes wrong.



  • Can any admin perhaps help me fix this? I donated via paypal when that still was here, I bought gold, I know that doesn't entitle me formally to any support, but I'm clueless to why this happens. You've built it, you probably know.

    Example: I go to mobilefun.nl -> site asks me if I'd rather go to mobilefun.se, obviously because it thinks I'm coming in from Sweden.

    Thank you.



  • @doktornotor:

    Afraid I don't have Squid or anything related installed, so cannot advise

    Thanks Dok. Squid was just another example of how with every new upgrade come new problems; I don't think Squid is related to this problem (I turned Squid off and the problem remains).



  • I must have done something wrong that no admin helps.



  • I'm sorry to say, but this is still buggy crap ( >:( >:( >:( ).

    Pics:

    • Smartphone is on VLAN40.
    • There is NO RULE telling VLAN40 to go via VPN.
    • Still this bullshit goes via Mullvad VPN.
    • There is NO RULE on LAN either telling it to send traffic through the VPN; still, LAN goes through VPN too.

    H-E-L-P  P-L-E-A-S-E  ADMINS.










  • More BULLSHIT >:( >:( >:( >:( >:( :

    With ALL VPN off, all FW rules that direct traffic into the VPN off, this is what DNS leaktest/ipleak say. Pic:








  • "Rock solid", "stable", "the best".

    Not.

    So in order to prove further that this is a mess I set up two rules and enabled logging. One to go to www.freenas.org, and the other to go to www.pfsense.org.

    Now the stupid thing doesn't log anything at all when I go to these sites.






  • I should have spent my paypal donations and gold subscription on beer for myself.




  • @Mr.:

    So in order to prove further that this is a mess I set up two rules and enabled logging. One to go to www.freenas.org, and the other to go to www.pfsense.org.

    Now the stupid thing doesn't log anything at all when I go to these sites.

    And what exactly should it log? You log traffic from LAN net to www.freenas.org and www.pfsense.org. Now, the traffic goes through the Squid %^&#@% – and from there goes somewhere. So, there's no traffic from LAN Net to www.freenas.org or www.pfsense.org.

    3 most common sources of pfSense troubles



  • @doktornotor:

    Now, the traffic goes through the Squid %^&#@% – and from there goes somewhere. So, there's no traffic from LAN Net to www.freenas.org or www.pfsense.org.

    3 most common sources of pfSense troubles

    Very sharp - but wrong  ;D

    @Mr.:

    (I turned Squid off and the problem remains).



  • On second thought: suppose Squid had still been there, in transparent mode; shouldn't it then still be logged?

    Or is this the case: the firewall doesn't bother with anything at all if Squid is installed?

    Because if that is true then that is a "less optimal design and implementation" "a feature". But if it is not true and if the firewall still monitors that traffic via Squid too, then it can log it too.

    ???