Author Topic: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)  (Read 1159 times)

Derelict (Global Moderator)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #15 on: November 10, 2017, 02:48:56 am »
The bottom line here is that there are things that are pretty difficult for services running on the firewall itself.

If you want this to work 100% with pfSense in its current state, set up an inside DNS resolver that can only go out over OpenVPN (Using policy routing) and block it if it tries to go out WAN (Using mark/match and NO_WAN_EGRESS). Tell your VPN clients to use that to resolve names and not the resolver running on pfSense.

That will immediately solve your current concerns.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

DerekChap (Newbie)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #16 on: November 10, 2017, 02:53:07 am »
Cheers for the info. I hope though that the timing issue is looked at sometime, because regardless of the use it seems like the code could do with the tiniest bit of tweaking here. Thanks.

Derelict (Global Moderator)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #17 on: November 10, 2017, 02:55:04 am »
Guaranteed if something like that was done it would break someone else.

bannerman (Newbie)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #18 on: November 10, 2017, 08:02:09 am »
Quote from: Derelict on November 10, 2017, 02:55:04 am
Guaranteed if something like that was done it would break someone else.

It would be really cool if the floating rule configuration could include a NAT configuration option too. This would allow floating rules to be used to redirect traffic originating from the firewall through non-default outgoing interfaces and have the traffic NAT'd appropriately for that interface.

Derelict (Global Moderator)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #19 on: November 10, 2017, 02:40:06 pm »
It does that now.

Outbound NAT does nothing to route traffic. It merely determines what NAT occurs when traffic flows out that interface.

If the route changes, so does the NAT.

You cannot policy route traffic originating on the firewall. Period. It happens when traffic enters an interface. Traffic originating on the firewall never does that. DNS traffic from your inside DNS resolver does, thus it can be policy routed.
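Derelict's recipe from reply #15 (an inside resolver that is policy-routed into the VPN and blocked from leaving WAN via a NO_WAN_EGRESS tag), together with the outbound NAT point from reply #19, written out as the pf rules the pfSense GUI would generate. This is an added illustration, not text from the thread or pfSense's own generated ruleset; the interface names, the VPN gateway address and the resolver address are assumed.

```pf
# Assumed (constructed) values: LAN is em0, WAN is em1, the OpenVPN client
# interface is ovpnc1 with VPN gateway 10.8.0.1, and the inside resolver
# (a separate unbound/BIND host on the LAN, not the one on pfSense) is 192.168.1.53.
lan      = "em0"
wan      = "em1"
vpn      = "ovpnc1"
vpn_gw   = "10.8.0.1"
resolver = "192.168.1.53"

# Outbound NAT: one rule per exit interface. Neither rule routes anything;
# whichever interface a packet is routed out of decides which one applies,
# so when the route changes, so does the NAT.
nat on $wan from 192.168.1.0/24 to any -> ($wan)
nat on $vpn from 192.168.1.0/24 to any -> ($vpn)

# Floating quick rule on WAN egress: drop anything carrying the tag. If the
# VPN is down and the route-to gateway is skipped, the resolver's queries
# would fall back to the default route; this makes them fail closed
# instead of leaving WAN in the clear.
block out quick on $wan tagged NO_WAN_EGRESS

# LAN ingress rule: DNS from the inside resolver is policy-routed to the
# VPN gateway and tagged. This can match only because the resolver's
# packets *enter* the firewall on $lan. A query from the resolver running
# on pfSense itself never passes an "in" rule, so route-to never sees it.
pass in quick on $lan inet proto { tcp udp } from $resolver to any port 53 \
    route-to ($vpn $vpn_gw) tag NO_WAN_EGRESS keep state
```

Point LAN clients (or the OpenVPN server's pushed DNS option) at 192.168.1.53 rather than at pfSense; `pfctl -nf <file>` parses the fragment without loading it if you want to check the syntax first.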

peppersass (Jr. Member)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #20 on: November 23, 2017, 03:37:55 am »
Quote from: Derelict on November 10, 2017, 02:40:06 pm
You cannot policy route traffic originating on the firewall. Period. It happens when traffic enters an interface. Traffic originating on the firewall never does that.

OPNsense can do it. I have my VPN clients on a VLAN and my non-VPN clients on the LAN. I added a rule to the VLAN that routes any TCP/UDP traffic with destination This Firewall and ports DNS-DNS to the VPN gateway, and a rule to the LAN that routes any TCP/UDP traffic with destination This Firewall and ports DNS-DNS to the WAN gateway. Works great. No DNS leaks for VPN clients and the non-VPN clients get faster DNS lookups.

Tried it in pfSense and it doesn't work. Sure would be nice if it did.

Derelict (Global Moderator)
Re: Sending DNS Resolver traffic through OpenVPN Client (NAT problem)
« Reply #21 on: November 23, 2017, 03:44:38 am »
No idea what OPNsense does for DNS. But it sounds like you have that and pfSense configured completely differently.