Author Topic: Is it just easier...  (Read 221 times)

mtarbox
Is it just easier...
« on: January 29, 2018, 11:31:46 am »
So somehow or some way I have a DNS leak using PIA's DNS servers.
I've attempted to follow the various "how to's" presented both here and from PIA, but the leak remains.
Would it be easier to uninstall the entire openvpn program, flush all of the associated settings, and start from scratch? Or some of that?
Ideas?
« Last Edit: January 29, 2018, 11:39:30 am by mtarbox »

Derelict
Re: Is it just easier...
« Reply #1 on: January 29, 2018, 11:46:45 am »
Probably not. A broken config will probably still be broken.

What is the flow of your DNS starting with the DNS servers the clients are being told to use?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

mtarbox
Re: Is it just easier...
« Reply #2 on: January 29, 2018, 11:52:06 am »
209.222.18.222
Modem, 216.227.XXX.XXX
PFSense
PC

I hope that is what you wanted.

Derelict
Re: Is it just easier...
« Reply #3 on: January 29, 2018, 12:01:25 pm »
Might help if you actually explain your setup instead of being so terse requiring assumptions be made.

mtarbox
Re: Is it just easier...
« Reply #4 on: January 29, 2018, 12:08:51 pm »
PC to a Linksys router in bridge mode, cheap DIY box running 2.4.2-RELEASE-p1 (amd64) with 4 GB of RAM, DHCP server, pfBlockerNG and squid, to DSL modem.
When I check the DNS settings, it comes up as a PIA address, but when I test using dnsleaktest.com it shows my actual address, not the PIA one.

johnpoz
Re: Is it just easier...
« Reply #5 on: January 29, 2018, 12:14:14 pm »
"and squid"

And you set up squid to use whatever DNS you want? This 209.222.18.222 IP? You do understand using a proxy, the client asks the proxy to go to www.domain.tld for it... So the proxy looks that FQDN up... not the client.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

mtarbox
Re: Is it just easier...
« Reply #6 on: January 29, 2018, 12:19:26 pm »
Wouldn't squid use whatever DNS servers I specify?

Initially when I set this box up, I wasn't using any VPN. Then I think you helped me out with using openvpn to the actual box, which worked great until I decided I wanted to anonymize my traffic.

mtarbox
Re: Is it just easier...
« Reply #7 on: January 29, 2018, 12:30:06 pm »
I'm thinking my idiot ass needs to read the freaking manual. Again.
I do own Mastering PFSense by David Zientara and pfsense 2 cookbook by Matt Williamson.

johnpoz
Re: Is it just easier...
« Reply #8 on: January 29, 2018, 12:31:11 pm »
squid will use the system DNS... So normally that would be the resolver (unbound) resolving, so yes, it would list your IP in some sort of DNS leak test because you're resolving. If you want the resolver to go down your VPN to resolve, then set its outbound interface to be your VPN interface.

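Added example, not part of the original thread: a local check for the situation described in Reply #8, where the firewall's own resolver sends queries out the WAN. It reads `tcpdump -n` text lines captured per interface and lists DNS queries that left on anything other than the tunnel. The interface names (`pppoe0` for WAN, `ovpnc1` for the OpenVPN client) and every sample line except the 209.222.18.222 address quoted in the thread are constructed assumptions.

```python
import re
from collections import Counter

# Matches a tcpdump -n line for an IPv4 DNS query over UDP, e.g.
# 12:14:01.10 IP 203.0.113.10.51234 > 198.51.100.53.53: 4660% [1au] A? example.com. (44)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"\d+\S* (?:\[\S+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def find_dns_leaks(captures, vpn_ifaces):
    """Return (iface, src, dst, qname) for each query seen outside vpn_ifaces."""
    leaks = []
    for iface, lines in captures.items():
        if iface in vpn_ifaces:
            continue  # queries inside the tunnel are the intended path
        for line in lines:
            m = QUERY_RE.search(line)
            if m and m["dport"] == "53":  # queries only; replies come from port 53
                leaks.append((iface, m["src"], m["dst"], m["qname"].rstrip(".")))
    return leaks

def servers_reached(leaks):
    """Count leaked queries per upstream server that saw the real source IP."""
    return Counter(dst for _, _, dst, _ in leaks)

# Constructed sample capture (documentation address ranges), keyed by interface.
SAMPLE = {
    "pppoe0": [  # WAN: the resolver querying directly from the public address
        "12:14:01.10 IP 203.0.113.10.51234 > 198.51.100.53.53: 4660% [1au] A? www.example.com. (44)",
        "12:14:01.15 IP 198.51.100.53.53 > 203.0.113.10.51234: 4660*- 1/0/0 A 192.0.2.80 (60)",
        "12:14:02.30 IP 203.0.113.10.40112 > 198.51.100.54.53: 911% [1au] AAAA? www.example.com. (44)",
    ],
    "ovpnc1": [  # VPN tunnel: query to the provider DNS named in the thread
        "12:14:05.00 IP 10.8.0.6.33321 > 209.222.18.222.53: 2201+ A? www.example.org. (33)",
    ],
}

if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE, {"ovpnc1"}):
        print("DNS query outside tunnel:", leak)
```

Any line reported for the WAN interface means a resolver on the box is still answering from the public address, which is what a leak test site will show.
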
mtarbox
Re: Is it just easier...
« Reply #9 on: January 29, 2018, 07:33:29 pm »
Amazing what a little "light" reading can do for you, that and stepping away from it all when your eyes feel like they have sand in them.
Opted to restore my pfsense install from a period before I started trying to hide my traffic.
Worked great. Then I followed a more recent DIY to install openvpn and PIA, and what do you know, it freaking worked. I even went to a bunch of dns leak test sites, and voila, NO MORE DNS LEAKS!
My traffic is protected from prying eyes, and my children can't see things that they won't forget by using pfBlockerNG.

However, this leaves me without the ability to remote into my pfsense box from work. Another project for another day!