LazyLizard14 11 Posted ... I am using AirVPN's DNS for a while already on my pfsense router but I find that some websites do not get resolved, for example ipleak.net.Can anybody confirm this? Quote Share this post Link to post
Lee47 23 Posted ... I am using AirVPN's DNS for a while already on my pfsense router but I find that some websites do not get resolved, for example ipleak.net.Can anybody confirm this? Perhaps best to post in the main pfsense thread: https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/page-5 by chance did you followed the new 2.3 guide by pfsense_fan ? Quote Share this post Link to post
LazyLizard14 11 Posted ... Yes I did the basic setup according to the instructions there. But if I simply exchange Air's DNS with a free one like 8.8.8.8 it works flawless - without any other changes to pfsense!So I am really not sure if it is related to pfsense... Quote Share this post Link to post
diver3923 4 Posted ... I've also seen this behavior. In the past, ipleak.net worked normally for me, but it recently started resolving very, very slowly. Tracert showed many timeouts. It always loaded eventually, but took a long time. Today ipleak.net is loading normally for me, so hopefully the issue has been resolved. The other website that I have problems with is www.airvpn.org. I've been able to work around it by using the alternate www.airvpn.info. Quote Share this post Link to post
Lee47 23 Posted ... Yes what the problems you both described is exactly what I get with the new pfsense 2.3 guide, web page loading erratic, ipleak is the biggest culprit.Other air servers appear to be better or more reliable but it appears it catches up and can become unstable. I have tried different dns(even googles 8.8.8.8 one and not airdns, different servers and even unchecked the 4 dnssec options at the bottom of the dns resolver section on the new guide(which is meant to stop dns sec) and fix website issues, but not really any joy, its a bit better but still unstable after a few hours or 2 days. You can also try this tweek https://192.168.1.1/system_advanced_sysctl.php create four new tunables: dev.igb.0.eee_disableddev.igb.1.eee_disableddev.igb.2.eee_disableddev.igb.3.eee_disabled Change the value on each to 1 Let me know if this helps your ability to access air site, ipleak site or improve other sites not loading fully ? Have you both also tried to redo the guide going tick by tick again ? I have done it at least 12 times..... with exact similar instability website results, ipleak being a main culprit, even with dnssec off and iptables tweak. Will keep trying and playing around with stuff when I get a chance. Quote Share this post Link to post
pfSense_fan 181 Posted ... The "EEE" or Energy Efficient Ethernet tweak has nothing to do with DNS. It can cause issues with DHCP though. I too have had intermittent access to ipleak.net. I have chalked it down to using DNSSEC in combination with Air's DNS servers. Turning DNSSEC completely off and letting the system DNS cache enough time to clear fixes it, as does using another DNS Server. 1 Lee47 reacted to this Quote Hide pfSense_fan's signature Hide all signatures Have my guides helped you? Help me keep helping you, use my referral: How to set up pfSense 2.3 for AirVPNFriends don't let friends use consumer networking equipment! Share this post Link to post
LazyLizard14 11 Posted ... Yesterday I disabled DNSSEC support now for testing. Quote Share this post Link to post
Lee47 23 Posted ... How did you disable DNS sec ? I have mine disabled via DNS resolver section here: DNSSEC = [ ] (CHECKED) I just unticked mine, saved and rebooted also flushed my dns but ipleak does not load correctly all the time and getting that 2nd dns to show never really does. Even google DNS 8.8.8.8 under general setup makes no difference to myself or ipeak site, also tried several air servers with similar results. So its am curious as to how people got ipleak working fine with just a simple dns change, or disabling dnssec since I think that is the key to getting better stability with the new 2.3, or at least I think. I have been told there are more DNS SEC options to switch off so will update if I get more info. Quote Share this post Link to post
LazyLizard14 11 Posted ... Yes that is where it can be disabled. So did I. But I checked now and still DNS problems.Next I will try different Servers to check if that might be related to it. PS: The DNS problems occured also in earlier versions of pfsense. I even opened a support ticket more than a year ago but the issue still remain. Quote Share this post Link to post
go558a83nk 364 Posted ... yesterday I twice saw a temporary glitch with DNS while connected to Auva. For a few minutes DNS lookup just didn't work. Then, suddenly it worked. I don't know about the problems in this thread but I don't think mine has anything to do with my setup. Also of concern is that I noticed it twice all day but it could have happened more times and I didn't happen to notice. pfsense 2.3.1 and using DNSSEC as setup from the guide. Quote Share this post Link to post
Lee47 23 Posted ... The symptoms you are described pretty much sounds similar to mine, I too can get erratic performance across the board with websites not loading. But ipleak is the one that gives the most trouble, sometimes will load or not, but I believe disabling that one DNSsec option is not the only option there maybe more options to disable will hopefully find out soon. Trying other servers has been hit and miss for me some servers had ipleak working and others not so much but from what I can tell once dns sec is fully switched off properly it should hopefully fully work. I never had these type of dns errors on the previous guide though that was very rock solid but this was with 2.2.2 build and the original 2.1 guide. Quote Share this post Link to post
Lee47 23 Posted ... Been tinkering it a bit more and unchecked "Experimental Bit 0x20 Support" under DNS resolver here:https://192.168.1.1/services_unbound_advanced.php I now have ipleak loading successfully with detected dns working fine, also dnsleak site works fine with both standard and extended test working ok. All websites appear to load nice and fast especially ipleak, but I will see if its stable and reliable that I have to test over the next day or 2. This is with ; DNS set to 10.4.0.1-under general settingsDNSSEC -unchecked under resolver settingsExperimental bit 0x20- unchecked under resolver settings Doubt its a fix for you guys but not sure maybe give it a try and disable Experimental Bit 0x20 Support ? Quote Share this post Link to post
diver3923 4 Posted ... I disabled DNSSEC on the DNS Resolver and it fixed the problem getting airvpn.org to resolve. Unfortunately, it still has problems with ipleak.net. Sometimes it works, sometimes it doesn't. I'm using two VPN_WAN connections in a multi-wan configuration (right now connected to Metallah and Dschubba). I wonder if the variable success I see is related to which server it happens to connect through each time? I'll watch that and see if I can identify a trend of it working with one server, but not the other. I have the following settings:DNS set to 10.4.0.1 and 10.6.0.1 under general settings (I'm using two VPN_WAN connections in a multi-wan configuration).DNSSEC - unchecked under resolver settingsDNS Query Forwarding - unchecked under resolver settingsHarden DNSSEC data - unchecked under advanced settingsExperimental bit 0x20 - unchecked (I've never had this one checked) Quote Share this post Link to post
Lee47 23 Posted ... IPleak was acting sluggish and slow to load in the late evening for me, but its nice and fast again this morning so I seem to be on the same page as most. Diver: DNS Query Forwarding - unchecked under resolver settings, have you tried to leave this switched on ? I think its important and maybe not related to dnssec, try ticking it, save and reboot pfsense. Also flush your DNS and retry ipleak site ? Not sure about the 2 VPN wan connections but given your issues are sounding similar to a few of us you may not be doing anything wrong, you could save your config, and redo it tick for tick with the new 2.3 guide and retry with a single vpn wan just to make sure. Quote Share this post Link to post
diver3923 4 Posted ... I had the same behavior with ipleak.net. Slow to load last night, but acting normally this morning. I'm just about convinced this isn't related to a pfSense, but is actually caused by something external to us. I saw the same slow/sluggish loading on both VPN servers I'm connected to so I don't think it is server specific. I've gone back and forth several times with the DNS Query Forwarding setting and honestly can't tell a difference either way. I'll likely go back to having it unchecked. Quote Share this post Link to post
Lee47 23 Posted ... Seems most of us are getting similar issues, so far with using 10.4.0.1, dnssec 'off' and Experimental bit 0x20 'off' so far so good, ipleak can get sluggish but for the most part its fine and displays the detected dns, grc and dnsleak pass all test with no leaks, and more importantly after 2 days websites are working more stable and reliable then before. Port forwarding is however not working even using the old 2.1 guide does not work, but one problem at a time. For me it was that Experimental bit 0x20 bit, anyhow I am told there are other settings that are required to switch off DNSSEC fully and that is the main culprit for the website loading issues like ipleak and others, we just have to have patience since the new 2.3 guide is very new. Quote Share this post Link to post
LazyLizard14 11 Posted ... Well after some more days of testing and with the various options mentioned here in this thread disabled, it still not works reliable.What most people here seeing as a temoirary success caused by the fact that unbound was restarted. Then things work for a while but later DNS problems show up again. As I said before: no problems with other DNS servers running for weeks without any error. Quote Share this post Link to post
Wolf666 17 Posted ... I have a working pfSense 2.3.1 unit. I have 3 subnets, 2 clear, 1 AirVPN. I excluded unbound from listening queries from VPN clients. I simply put on DHCP (interface using AirVPN) settings AirVPN DNS (10.4.0.1) and set firewall rules accordingly.This means that each VPN client will ask 10.4.0.1 to resolve, query goes through VPN, it is crypted and I trust on AirVPN....The other clients surfing clearnet will use unbound with all the security measures, like DNSSEC etc etc. Sent from my iPad using Tapatalk Quote Hide Wolf666's signature Hide all signatures - Router/Firewall pfSense 23.01 (11th Gen Intel(R) Core(TM) i5-11320H @ 3.20GHz) - Switch Cisco SG350-10 - AP Netgear RAX200 (Stock FW) - NAS Synology DS1621+ (5 x 5TB WD Red) - ISP: Fiber 1000/300 (PPPoE) Share this post Link to post
LazyLizard14 11 Posted ... If the LAN clients only have 10.4.0.1 as DNS server set then they are unable to resolve local hostname - not a good practice.Even when DNSSEC and Experimental bit 0x20 are disabled I not get pfsense to work properly with Air's DNS in a reliable way.Some websites like ipleak not get resolved at all, others resolved very slow or need you to hammer the reload button in your browser. Majority works tho.But if I simply replace the IP of the DNS with a different one everythign works flawless.Maybe I will switch back https://dns.watch/index Quote Share this post Link to post
Lee47 23 Posted ... pfsense_fan did mention using another dns server can fix some of the issues us guys were getting. I have been fine with 10.4.0.1 as my only dns as per the 2.3 new guide, I actually found out I can now leave enabled DNSSEC support under resolver and hardened dnssec data option advanced both ticked and switched ok after 2 days use, it was Experimental bit 0x20 that was causing me to get web sites not resolving and loading correctly and also ipleak and dnsleak test from not working correctly. Can others perhaps try switching off just Experimental bit 0x20 under here: https://192.168.1.1/services_unbound_advanced.php Its at the bottom and leave dnssec under here: https://192.168.1.1/services_unbound.php ticked to on and retry ipleak, dnsleak standard test, let me know if it works or not ? Quote Share this post Link to post
Lee47 23 Posted ... Ok well after 2 days of enabling dnssec, 2 sites just stopped loading for me, disabeled both dnssec options and it works fine. Think ill just stick with both dnssec options switched off and experimental code also off at least its working stable and fast then with no ip or dns leaks Quote Share this post Link to post
Blade Runner 4 Posted ... Is this a pfSense or FreeBSD issue with new motherboards? I had similar experience with Supermicro A1SRi-2758F. DNS timeouts continued until using a X8SIA-F motherboard. Quote Hide Blade Runner's signature Hide all signatures Do not be afraid to fail. Share this post Link to post