eddi1984

pfsense 2.3.3 - DNS to 10.4.0.1 not working


Hi,

Upgraded to pfSense 2.3.3, and since the update, it will not accept 10.4.0.1 as DNS address (when assigning it directly to the VPN Gateway).

Error that is shown is "A gateway can not be assigned to DNS '10.0.0.1' server which is on a directly connected network".

Not sure why that option was removed.

Anybody know a workaround ...

PS: Setting up any other open DNS server, like Google, works ...

Thanks.


Are you using DNS Resolver or DNS Forwarder? If using DNS Resolver, you don't have to put any DNS servers on the System / General Setup page.

It is important to configure the Outgoing Network Interfaces setting in the DNS Resolver service (Services / DNS Resolver / General Settings) to only use your VPN WAN interface(s), not the WAN interface.

I'm using pfSense 2.3.3 with no DNS servers defined in General Settings and the Outgoing Network Interfaces set to only use my VPN interface. It works fine with no DNS leaks. ipleak.com returns only AirVPN DNS servers.


I read a little about this on the pfSense forums. The point is that you don't need to assign a gateway because the VPN server is already "directly connected" (via VPN). The only way it can be reached is via the VPN, so no need to assign a gateway.


If I put nothing in the DNS Address field then nothing is resolved. I can put 10.4.0.1 in there with none in the Gateway field and it works, but ipleak doesn't load.


If I put nothing in the DNS Address field then nothing is resolved. I can put 10.4.0.1 in there with none in the Gateway field and it works, but ipleak doesn't load.

Do other sites load?

If I put nothing in the DNS Address field then nothing is resolved. I can put 10.4.0.1 in there with none in the Gateway field and it works, but ipleak doesn't load.

Do other sites load?

Yes


If I put nothing in the DNS Address field then nothing is resolved. I can put 10.4.0.1 in there with none in the Gateway field and it works, but ipleak doesn't load.

I was having this same issue. Though I've been having trouble with pfSense and ipleak.net not resolving for some time before pfSense was recently updated. I think I may have resolved the issue, or at least found a work-around.

I disabled 'Experimental Bit 0x20 Support' in Services / DNS Resolver / Advanced Settings, and ipleak.net has been resolving correctly ever since. I've made no other changes. I am using 10.4.0.1, with the gateway set to 'none'.

If I put nothing in the DNS Address field then nothing is resolved. I can put 10.4.0.1 in there with none in the Gateway field and it works, but ipleak doesn't load.

I was having this same issue. Though I've been having trouble with pfSense and ipleak.net not resolving for some time before pfSense was recently updated. I think I may have resolved the issue, or at least found a work-around.

I disabled 'Experimental Bit 0x20 Support' in Services / DNS Resolver / Advanced Settings, and ipleak.net has been resolving correctly ever since. I've made no other changes. I am using 10.4.0.1, with the gateway set to 'none'.

That worked! How did you even figure that out? lol thank you.


Are you using DNS Resolver or DNS Forwarder? If using DNS Resolver, you don't have to put any DNS servers on the System / General Setup page.

It is important to configure the Outgoing Network Interfaces setting in the DNS Resolver service (Services / DNS Resolver / General Settings) to only use your VPN WAN interface(s), not the WAN interface.

I'm using pfSense 2.3.3 with no DNS servers defined in General Settings and the Outgoing Network Interfaces set to only use my VPN interface. It works fine with no DNS leaks. ipleak.com returns only AirVPN DNS servers.

The normal behavior of unbound (resolver) is to query the root servers directly. To avoid DNS leaks it is, like you pointed out, very important to only allow VPN interfaces (and localhost) as outgoing interfaces. But you also do not necessarily have a DNS leak if you allow queries from the WAN interface. Of course AirDNS can only be reached through the VPN.

I wonder what makes you so sure that you are really using Air's DNS while you do not enter its address anywhere? To achieve this you have to enable the forwarding mode in the resolver settings and then in the general setup tab set the DNS server(s) as you desire. For AirDNS leave gateway set to "none". I have added a second free public DNS that is using WAN for queries. This serves as a failover if Air's DNS cannot be reached. There is a certain IP range of clients that also connect to the WAN directly and do not use the VPN to connect to the internet. This setup does not give me a DNS leak (WAN IP).

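The settings discussed in the posts above (outgoing interfaces restricted to the VPN, forwarding mode versus querying the root servers, and the 0x20 option), as an added example that is not part of any post: a small Python audit over unbound-style configuration text. `outgoing-interface`, `forward-zone`, `forward-addr` and `use-caps-for-id` (0x20 case randomization) are unbound options; the sample config, the 10.4.0.0/16 VPN range, the addresses 203.0.113.7 and 10.4.12.34 and the helper name `audit_unbound` are assumptions made for illustration.

```python
import ipaddress

# Constructed sample (not from the thread). 203.0.113.7 stands in for a WAN
# address and 10.4.12.34 for a VPN tunnel address; both are assumptions.
SAMPLE_CONF = """\
server:
    outgoing-interface: 203.0.113.7
    outgoing-interface: 10.4.12.34
    use-caps-for-id: yes
forward-zone:
    name: "."
    forward-addr: 10.4.0.1
    forward-addr: 8.8.8.8
"""

def audit_unbound(conf_text, vpn_nets):
    """Hypothetical helper: list DNS-egress findings for unbound-style config."""
    nets = [ipaddress.ip_network(n) for n in vpn_nets]

    def on_vpn(ip):
        return any(ip in net for net in nets)

    findings, outgoing, forwarders, root_forward = [], [], [], False
    for raw in conf_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].strip().partition(":")
        value = value.strip().strip('"')
        if not sep:
            continue
        if key == "outgoing-interface":
            outgoing.append(ipaddress.ip_address(value))
        elif key == "forward-addr":
            forwarders.append(ipaddress.ip_address(value.split("@")[0]))
        elif key == "name" and value == ".":
            root_forward = True  # assumes the "." zone is a forward-zone
        elif key == "use-caps-for-id" and value == "yes":
            findings.append("0x20 case randomization is enabled")
    if not outgoing:
        findings.append("no outgoing-interface: queries may leave on any interface")
    for ip in outgoing:
        if not (ip.is_loopback or on_vpn(ip)):
            findings.append(f"outgoing-interface {ip} is not a VPN address")
    if not root_forward:
        findings.append("resolver mode: queries go to the root servers directly")
    for ip in forwarders:
        if not on_vpn(ip):
            findings.append(f"forwarder {ip} is outside the VPN networks")
    return findings

if __name__ == "__main__":
    for finding in audit_unbound(SAMPLE_CONF, ["10.4.0.0/16"]):
        print(finding)
```

A forwarder outside the VPN networks is reported, not treated as an error: whether it leaks depends on which gateway carries that traffic.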

 

This is something that needs to be asked on pfSense forums.

Background

https://forum.pfsense.org/index.php?topic=126063.0

Not much constructive help there. Did you ever figure out the "gateway cannot be assigned" thing? I can't figure anything out from that thread. I don't have the experimental bit set and still get that error. I'm scratching my head over the "When using multiple WAN connections there should be at least one unique DNS server per gateway" phrase in pfSense / General Setup / DNS Server Settings when it doesn't seem to let me assign them. Even with LazyLizard14's suggestion, above, I can't figure out where my two VPN tunnels are supposed to get their DNS Server address if I don't give it to them anywhere.

Could it be the next option down:

DNS Server Override

Allow DNS server list to be overridden by DHCP/PPP on WAN

If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients.

Which I currently have unchecked?

EDIT: I guess I should be a bit more specific since my setup differs slightly from the OP's. I have ONLY the two AirVPN DNS servers 10.4.0.1 and 10.6.0.1 in the General settings page and am trying to assign one to each of my two VPN_WAN interfaces. I'm assuming the issue is that 10.x.x.x is considered a private address space so pfSense doesn't want to use it as a WAN address. But, I still don't see how any traffic going through my VPN interfaces knows which DNS server to use if I don't assign it to the interface. Does Resolver just ask the VPN server itself for the DNS address since, to us (and it), that server is considered local?


Old post I know, but ran into this today, and got it to work by doing the following:

1. Add 8.8.8.8 as DNS on the general page, removing any AirVPN DNS servers.

2. Disable and re-enable any VPN interfaces.

3. Add AirVPN DNS servers to the correct interfaces under general and remove 8.8.8.8, then click save.

4. Reboot.

As far as I can tell, pfSense won't allow you to add an RFC address if the interface lists an RFC compliant IP address in its name - stopping and starting the interfaces changes this temporarily to be say VPN_WAN - optx - dynamic rather than VPN_WAN - optx - 10.x.x.x.

If you don't want to reboot, restarting the VPN clients from the openvpn>client page, then dropping and raising interfaces also worked for me!

Hope that helps


Old post I know, but ran into this today, and got it to work by doing the following:

1. Add 8.8.8.8 as DNS on the general page, removing any AirVPN DNS servers.

2. Disable and re-enable any VPN interfaces.

3. Add AirVPN DNS servers to the correct interfaces under general and remove 8.8.8.8, then click save.

4. Reboot.

As far as I can tell, pfSense won't allow you to add an RFC address if the interface lists an RFC compliant IP address in its name - stopping and starting the interfaces changes this temporarily to be say VPN_WAN - optx - dynamic rather than VPN_WAN - optx - 10.x.x.x.

If you don't want to reboot, restarting the VPN clients from the openvpn>client page, then dropping and raising interfaces also worked for me!

Hope that helps

I'm looking for some assistance if possible.

I have pfSense 2.4 and two LAN cards, one for VPN traffic and another for regular WAN non-VPN traffic.

I want to use the open DNS on both networks. However, if I enter the open DNS in the DHCP server then I cannot connect to any sites. Only the AirVPN DNS IP seems to work. I have DNS forwarder enabled because if I disable it and enable DNS resolver I again have no internet connectivity (of course, by connectivity I mean not able to reach websites).
