Everything posted by pfSense_fan

  1. Yes, I built my pfSense firewall / router using PC equipment. I can get 100 Mbit+. I am limited by my internet connection, not my router. There is a tutorial on this site, however I found it to be missing some info and confusing. I have been writing my own that I hope to release in late April. I'm very busy unfortunately. Although you can use pretty much any PC equipment, I recommend server class equipment if your main use is VPN and you can afford it. Some server motherboards have 4 high end Intel NIC's built onto the board (saves a lot of money this way; many network cards are not compatible, server class Intel work the best, PCI-e cards are quite expensive) as well as have encryption instructions in the processors, mainly Ivy Bridge and the new Haswell Xeon. You can build one this way for $500-$600 depending if you have a spare hard drive, power supply and case around. If you do have those, all you need is the motherboard, processor and memory. I used an old laptop drive and a power supply and case from a PC that I no longer used. http://www.pfsense.org/
  2. Thank you for checking that setting. I am researching it and couldn't remember the default. You can use any DNS you want that is not the airvpn ones.
  3. That is great news! I'm glad it is working now. Perhaps go back to the post with my tutorial and mark it as solved then. I'd also hope the staff can move this thread to the troubleshooting forum. I look forward to your trying the tutorial. You convinced me to come up with a more basic setup with AirVPN default gateway for the masses. I have one question though, as I have not reinstalled pfSense in quite some time, can you look at a setting and report to me what the default setting was? If you go to System > Advanced > Firewall and NAT, at the bottom there is a setting for "NAT Reflection mode for port forwards". What do you have set?
  4. Oh well. At this point I don't know, that is exactly how I have been running mine. That being said, I have been thinking long and hard during our adventure here, and all the while I have been writing my tutorial. I came up with a slightly different method that gets rid of the DNS Forwarder altogether. It also uses AirVPN as the default gateway. The only thing I don't cover is the initial installation, as there are many tutorials for that on the web. Other than that I tried to be as thorough as possible. I should be done with the tutorial this week. In fact, I almost finished last night but had domestic issues to tend to. Hang in there and when it's up I hope you'll give that a try. Hopefully our trials here will help the community. I do have an idea for your current issue though, the one I had earlier in the week. If you go to the Windows "Network and Sharing Center" (right click on your network adapter on the system tray) you will see an icon under where it says "View your active Networks". Click the ICON (not the link). A new window pops up (Pro tip: you can also go back and name the connections here so that in your tray you know if you are connected to AirVPN or Clear-Net) and there is a link for "Merge or delete network locations". My guess is you will have multiple networks listed there. DELETE THEM ALL. This will ensure any bad settings that were buried deep on your "LAN" network are deleted and you start fresh. You will receive your settings from DHCP. It seems Windows is blocking you; hopefully this solves it. If not, just hold on a few more days for my tutorial. EDIT: Just another thought... are you rebooting after changing these settings? I guess I forgot to mention because I assume it's standard knowledge... but when you change settings that affect a route you must reboot. You should reboot when you make changes just in case, even if not "required". I remembered that after I make some of these changes I too get blocked... until I reboot. Just a thought.
  5. Ah ha! We find a discrepancy! I looked at it and noticed a few incorrect entries in the Firewall rules section on both the LAN and AirVPN_LAN interface. I have edited and corrected them. You should delete your entries and re-enter them. I am somewhat at a loss here. I do not think correcting those firewall entries will help this part of it. Is the DNS Forwarder actually enabled under https://192.168.1.1/services_dnsmasq.php ? It seems it is... your entries stating 192.168.1.1 are correct if it is enabled. It's odd that when you do a DNS leak test it finds no DNS at all. Are there any DNS entries entered under https://192.168.1.1/system.php ? Are they set for WAN_DHCP as they should be? If that is not correct, set and save those settings. If that doesn't work I have another idea. Not at this time. Good, as it should be. I rarely use my LAN either... but it's there if we need it without us having to reconfigure our entire setup. That's why I leave it. Eventually there will be times you will need it.
  6. I use password managers to allow me to use ultra strong passwords as well as allow me to change them as frequently as needed and/or wanted. My question is this: 1.) What is the maximum number of characters allowed in a password when registering or changing a password here at AirVPN? What is the maximum amount of characters allowed in usernames? 2.) What types of characters are allowed in passwords? What types are allowed in usernames? My suggestion is this: List this information next to the respective forms during registration and password/username change menus. I believe this would be useful for many, especially those who use password managers.
  7. Excellent! What is the status of the LAN interface? Still not functioning?
  8. Excellent. The triangle is likely there due to power saving settings on your computer putting it to sleep. Yes, click that. Firewall rules will block it otherwise, but still check that box. Nonetheless we should work it out so nothing is configured incorrectly. I have some ideas but I work long hours today and tomorrow. Sunday or Monday I will list them.
  9. First things first, pfSense does not use iptables. Iptables is a feature of the Linux kernel. pfSense uses "pf", hence its name... making sense of pf. pfSense and pf are based off BSD and have nothing to do with Linux. https://en.wikipedia.org/wiki/Iptables https://en.wikipedia.org/wiki/PF_%28firewall%29 I have no experience with virtual machines and won't be much help in regards to troubleshooting, however I can tell you that when having more than one gateway active, my floating firewall rules are wonky at best. I stopped using them for rules on each intended interface.
  10. The answer to this is somewhat layered. Strictly technically speaking, if everything is set correctly you should be fine. That being said, however, if something is not set correctly or was to accidentally get changed it would be quite possible. If somehow the DNS Forwarder were to be activated, you would be sending DNS requests simultaneously from both the WAN and AirVPN_WAN. This could easily be correlated. Why I discourage it is because it is an expected redundancy, along with the firewall rules I had you make (which you are either not using or did not set correctly, as those would block OpenDNS). Something is certainly not set correctly, so we cannot say for certain you are anonymous. This is why I keep stressing the importance of uncovering why the AirVPN DNS are being blocked. I still think this is the best idea. It will at the very least work like it does now, but ideally it should just work. Have I mentioned that we need to figure out what is blocking AirVPN DNS?
  11. Again, it's a step in the right direction, but if you cannot use the Air DNS, it is not quite working. You need to solve that. It leads me to believe something, your Windows firewall, pfSense itself.... something is blocking the Air DNS. I would encourage you to change back to them and continue to troubleshoot until we find the actual issue. First thing we need is a snapshot of your Windows NIC settings during a down time. Then also take a look at your pfSense logs and see if the firewall is blocking 10.4.0.1:53 etc.. Also, it is not safe to change all of the DNS settings to the same one, I explained the way to do it for a reason! You are possibly sending DNS requests from both the clear-net AND the VPN at the same time if you set the DNS Forwarder AND the DHCP to serve the same DNS. DO NOT DO THAT! You can give your real identity away doing this. Unfortunately you must not understand how the DNS Forwarder works. I wish I had time to explain. I cannot stress enough that you need to get the Air DNS working. They do work... that's all I've ever used for my AirVPN connection.
  12. If you start from scratch, the WAN will already be your default gateway and stays that way as long as you do NOT set the AirVPN_WAN as default when you enable it. If you install your certs, set up your OpenVPN client, enable the ovpn1 interface, add the new gateway... you can follow my guide from there. I know this because I have used those cards before and had ports dropping out. After researching it, I found there was an issue with the PCIe compatibility. Some of the older cards need PCIe 1.0 compatibility. Search through your BIOS and see if there is an option for this. My BIOS does have the option and I have them set to 2.0. No offense was meant. I just far too often see people end up spending as much as they would for a server board with four built in NICs and built in VGA, 4-8 gigs of ECC memory and a XEON E3 1220 v3... because in their efforts to save they find out the cheap stuff is not compatible. A build as I suggest can be had for $500-$700 depending on choices in hard drive, power supply and case, or if one has parts like that laying around from old builds already. While good in a way, we should not have to delete the AirVPN DNS. This seems to be our core problem, and we need to solve why those are being blocked. Perhaps your firewall on your PC is blocking them? Did you take a snapshot of your network settings when it was down? Sometimes if I have rebooted pfSense, yes there is a yellow triangle. As soon as I do anything that uses the internet it just goes away. One other option we have is to set a static IP for your computer within pfSense. One way or another we need to continue to sort this out! It's looking positive... I want to figure out why the AirVPN DNS don't work though. They should. Absolutely. Hopefully our work here will help others too.
  13. Did you reboot the system after my guide? You should always reboot after major changes... Also, those older Intel 4 port cards have issues if installed into a PCIe 3.0 slot. Not sure what your motherboard has, but if they are 3.0 you may want to check the BIOS and set it back to 2.0 compatibility. If that does not work, are you opposed to starting from a fresh install? It may be the best option at this point. If you can input your certificates... Besides the certs, this is how I set mine up. I have had sixteen NICs running successfully at one point, no leaks, internet cuts out on VPN facing NIC's if the VPN fails. I do plan to make an entire guide... what I wrote here will be nearly exactly what I write so none of this is a waste. I have been writing a guide that more clearly shows how to enter certificates, but although Knicker's guide is hard to follow, it is correct there. It is however time consuming, and I do not get much free time lately so I do not know when I will complete a full guide. Just a thought... How many rules do you have for Outbound NAT? There should be one for each NIC and no more. If there are other rules, delete them. Edit: I will not however make a guide for only two interfaces, regardless of the interest in it. I do not consider it safe and/or a proper use of pfSense: there is too much room for error. One can acquire a third enterprise class NIC for $15-$20 or a dual NIC card for $25-$35. Brand new (old stock) four port adapters can be found for $50-$75. I can even skip buying extra NIC's in the first place with proper system planning and buy a server motherboard that has 4 NIC's built in as well as integrated VGA. I don't and won't encourage skimping on something that should be the centerpiece of a network, especially one with a VPN. If I make a guide it will be safe to use by those who are in critical need of strong privacy but also need to use the clear-net for things such as VOIP or gaming.
I strongly recommend server class equipment throughout. I run a server board with four onboard Intel NIC's, a XEON E3 1270 v3 and 16 gigs of ECC memory (8 would have been fine, the most I have used is 6, but it was only $50 more for 16). I take privacy seriously and will only make a tutorial which reflects this.
  14. Ok here is a tutorial for you to follow to best set up pfSense for AirVPN seeing that you have four NIC's to work with. We are going to leave one interface, the default LAN interface that is created during pfSense install, facing the clear-net and your ISP. This will give you the choice to use the regular internet for any needs you may have or if the VPN goes down by simply moving your network cable from one interface to the other. I am going to skip the OpenVPN setup since you already have it connected and focus on the setup of your interfaces, subnets, firewall rules and NAT. Ready? Here we go!

First of all, because you are using high quality Intel server NIC's, let's start by making sure we are utilizing the power of them and offload as much as we can from that AMD processor.

1.) Go to System > Advanced > Networking (https://192.168.1.1/system_advanced_network.php)
2.) Under the section titled Network Interfaces, find the check box for Enable device polling and check [√] the box to enable it.
3.) Now find the check boxes right below this for Disable hardware checksum offload, Disable hardware TCP segmentation offload, and Disable hardware large receive offload. Make sure these three boxes ARE NOT CHECKED. Uncheck [ ] them if they are checked by default.
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]
6.) Now go to Diagnostics > Reboot (https://192.168.1.1/reboot.php). Go ahead and reboot the system for these to take effect.

The Intel drivers are the most developed and supported drivers for pfSense/FreeBSD. You can benefit from these options and offload quite a bit from your CPU and improve overall performance. We can verify these are working by going to https://192.168.1.1/status.php (or replace 192.168.1.1 with whatever your GUI login is) and looking among the lines under the interfaces section; you should see "polling" as well as the other options for offloading listed amongst the interfaces.

Here is a line from mine:

    options=407fb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,POLLING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>

Your results may vary depending if the card you have supports all of this. Keep an eye out for any that do not show up, and disable as necessary. Keep a keen eye out for "LRO", which is Large Receive Offload. If that does not show up as enabled, go back and check that box and reboot.

Now that we have that set we need to enable a third NIC and undo any settings you may have now from the other tutorial you followed that are not compatible. Before that I want to set a few parameters for the purposes of this tutorial. You may change these as you wish but I will refer to them as such throughout the tutorial and it may be easier for you to name them the same for later reference:

    WAN (likely em0 interface) = ISP Gateway = WAN_DHCP (default) - This will remain the default gateway set up with my method, we likely have to "undo" this for you.
    LAN (likely em1 interface) = 192.168.1.1/24 = Clear-Net facing NIC
    AirVPN_WAN (likely ovpn1 interface) = AirVPN Gateway
    AirVPN_LAN (likely em2 interface) = 192.168.123.1/24 = VPN facing NIC
    Opt1 = the interface we will program/assign to be our AirVPN_LAN

Before we "start" let's set a few things so you do not lose internet connectivity during setting this up while concurrently setting up our WAN and LAN interfaces the way we need it.

#################################################################################

Let's make sure the WAN interface is our default gateway.

1.) Go to System > Routing (https://192.168.1.1/system_gateways.php)
2.) On the "Gateways" tab and on the "WAN_DHCP" line select the [e] edit button on the right.
3.) Set as follows:
    Interface = [ WAN ]
    Address Family = [ IPv4 ]
    Default Gateway = [√] checked
    Click [ SAVE ]
    Click [ Apply Changes ]

#################################################################################

Let's set up the primary DNS servers which will be used by the LAN interface.

Go to System > General Setup: DNS servers (https://192.168.1.1/system.php)

We are going to set two of the DNS servers to OpenDNS and leave the other two blank. Set as follows:

    DNS Server            Use gateway
    [ 208.67.222.222 ]    [ WAN_DHCP ]
    [ 208.67.220.220 ]    [ WAN_DHCP ]
    [ (empty) ]           [ none ]
    [ (empty) ]           [ none ]
    [ ] Allow DNS server list to be overwritten by DHCP/PPP on WAN = UNCHECKED
    [ ] Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED
    Click [ SAVE ]

#################################################################################

Let's set up the LAN interface:

Go to Interfaces > LAN (https://192.168.1.1/interfaces.php?if=lan)

Set it as follows:
    General configuration
        Enable = [√]
        Description = LAN
        IPv4 Configuration Type = Static IPv4
        IPv6 Configuration Type = none
        MAC address = (empty)
        MTU = (empty)
        MSS = (empty)
        Speed and duplex = Advanced > Autoselect
    Static IPv4 configuration
        IPv4 address = 192.168.1.1 / 24
        Gateway = none
    Private networks
        Both options here are left UNCHECKED / NOT CHECKED
    Click [ SAVE ]
    Click [ Apply Changes ]

(NOTE: if you get locked out of the GUI here, give your PC a static IP in the 192.168.1.1/24 range and set your DNS to 192.168.1.1 until we finish. 192.168.1.50 should suffice.)

#################################################################################

Let's set the DHCP Server for the LAN interface.

1.) Go to Services > DHCP server (https://192.168.1.1/services_dhcp.php)
2.) Ensure the "LAN" tab is selected
3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
    Enable DHCP server on LAN interface = [√] (checked)
    Range = [ 192.168.1.100 ] to [ 192.168.1.200 ]
    Click [ SAVE ]
    Click [ Apply Changes ]

#################################################################################

Let's set up the outgoing NAT for the LAN interface.

1.) Go to Firewall > NAT > Outbound (https://192.168.1.1/firewall_nat_out.php)
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.
3.) Click [ SAVE ]
4.) Click [ Apply Changes ]
5.) If there is already a rule for your LAN interface, select the [e] button to the right of it. If there is not a rule for your LAN, you will need to create one by selecting the [+] at the top right and creating a new one.
6.) Set as follows:
    Do not NAT = [ ] (unchecked)
    Interface = WAN
    Protocol = Any
    Source = Type: [ Network ] Address: [ 192.168.1.0 ] / [ 24 ]
    Source port: [ ] (empty/blank)
    Destination: Type = [ Any ]
    Translation: Address = [ Interface Address ]
    Description = [ LAN -> WAN ]
    Click [ SAVE ]
    Click [ Apply Changes ]

#################################################################################

Now we must set a few firewall rules for the LAN interface to enforce the policy based routing and redundantly block leaks. We will set these in "reverse" order so that they should end up in the order we need them. This is assuming the only rule you have is the Anti-lockout rule. If you have advanced rules for your other needs you will just have to move these rules into place. There are two necessary rules for the LAN interface. The first is a "Block Everything" rule; this MUST be at the very bottom of the list.

1.) Go to Firewall > Rules and select your "LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"
    Action = [ Block ]
    Interface = [ LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ Any ]
    Destination = [ Any ]
    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself)
    Description = BLOCK ALL ELSE LAN
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default
2.) Click [ SAVE ]
3.) Click [ Apply Changes ]
4.) The second is the rule that will force traffic from the LAN interface to only exit via the WAN interface. This rule should be second from the bottom, right above the Block All rule. Go to Firewall > Rules and select your "LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule" (Note: There may already be a rule titled "Default allow LAN to any" or similar. You certainly can just edit that entry to these settings, or delete and create this.)
    Action = [ Pass ]
    Interface = [ LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ LAN Subnet ]
    Destination = [ Any ]
    Description = Default allow LAN to any rule
    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = WAN_DHCP

#################################################################################

OK, let's enable that third NIC.

1.) Go to Interfaces > Assign (https://192.168.1.1/interfaces_assign.php). Here you will find your assigned interfaces. If you assigned them during original install you will see all four and should likely have a WAN, LAN, opt1 and opt2 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.
2.) Now we need to select an "opt" interface and give it settings. Select one from the Interfaces drop down menu (likely Opt1). Set it as follows:
    General configuration
        Enable = [√]
        Description = AirVPN_LAN
        IPv4 Configuration Type = Static IPv4
        IPv6 Configuration Type = none
        MAC address = (empty)
        MTU = (empty)
        MSS = (empty)
        Speed and duplex = Advanced > Autoselect
    Static IPv4 configuration
        IPv4 address = 192.168.123.1 / 24
        Gateway = none
    Private networks
        Both options here are left UNCHECKED / NOT CHECKED
3.) Click [ SAVE ]
4.) Click [ Apply Changes ]

#################################################################################

Now we need to set up the DHCP Server for the AirVPN_LAN interface.

1.) Go to Services > DHCP server (https://192.168.1.1/services_dhcp.php)
2.) Select the Tab / Drop Down for AirVPN_LAN
3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):
    Enable DHCP server on AIRVPN_LAN_1 interface = [√]
    Range = [ 192.168.123.100 ] to [ 192.168.123.200 ]
    DNS servers = [ 10.4.0.1 ], [ 10.5.0.1 ]
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]

#################################################################################

Let's set up the outgoing NAT for the AirVPN_LAN interface.

1.) Go to Firewall > NAT > Outbound (https://192.168.1.1/firewall_nat_out.php)
2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (It should be from earlier)
3.) You will need to select the [+] at the top right and create a new one.
4.) Set as follows:
    Do not NAT = [ ] (unchecked)
    Interface = AirVPN WAN
    Protocol = Any
    Source = Type: [ Network ] Address: [ 192.168.123.0 ] / [ 24 ]
    Source port: [ ] (empty/blank)
    Destination: Type = [ Any ]
    Translation: Address = [ Interface Address ]
    Description = [ AirVPN_LAN -> AirVPN_WAN ]
5.) Click [ SAVE ]
6.) Move this rule to the top of the list
7.) Click [ Apply Changes ]

#################################################################################

Now we must create FOUR firewall rules for the AirVPN_LAN interface to enforce the policy based routing and redundantly block leaks. There will be two rules exactly the same as for the LAN interface, as well as two rules to redundantly ensure no possibility of a DNS leak. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them. We will again make them in "reverse" order so that they should end up in the order that is necessary. The first is a "Block Everything" rule; this MUST be at the very bottom of the list.

1.) Go to Firewall > Rules and select your "AirVPN LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"
    Action = [ Block ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ Any ]
    Destination = [ Any ]
    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself)
    Description = BLOCK ALL ELSE AirVPN_LAN
    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default. This will block connections to any and all gateways this interface tries to connect to that we have not explicitly allowed.
2.) Click [ SAVE ]
3.) Click [ Apply Changes ]
4.) The second is the rule that will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN interface. This rule should be second from the bottom, right above the Block All rule. Go to Firewall > Rules and select your "AirVPN_LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"
    Action = [ Pass ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ Any ]
    Source = [ AirVPN_LAN Subnet ]
    Destination = [ Any ]
    Description = Allow AirVPN_LAN to any
    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN
5.) The third rule will block all DNS requests that we do not explicitly allow. Go to Firewall > Rules and select your "AirVPN_LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"
    Action = [ Block ]
    Interface = [ AirVPN_LAN ]
    TCP/IP Version = [ IPv4 ]
    Protocol = [ UDP ]
    Source = [ Any ]
    Destination = [ Any ]
    Destination port range = [ DNS ] (Select from the drop down)
    Log = [√] (checked)
    Description = BLOCK_DNS_LEAKS
    *** For this rule we will NOT set the advanced setting for gateway
6.) Before we create our last rule, we must create an alias for our AirVPN DNS servers. Go to Firewall > Aliases: IP (https://192.168.1.1/firewall_aliases.php?tab=ip). Click the [+] to "Add a new Alias"
    Name = AirVPN_DNS_Servers
    Description = AirVPN_DNS_Servers
    Type = Hosts
    Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1
    Click "Save"
7.) Go to Firewall > Rules and select your "AirVPN_LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"
    Action = Pass
    Interface = AirVPN_LAN
    TCP/IP Version = IPv4
    Protocol = UDP
    Source = Any
    Destination = (Single host or Alias) AirVPN_DNS_Servers
    Destination port range = DNS
    Description = ALLOW_AirVPN_DNS
    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN

The order of the rules we just created is important! They should appear in this following order when viewed:

    ALLOW_AirVPN_DNS
    BLOCK_DNS_LEAKS
    Allow AirVPN_LAN to any
    BLOCK ALL ELSE AirVPN_LAN

#################################################################################

The last thing we must do (unless I have forgotten something, which I will just go back and edit if I have) is to properly set up our DNS Forwarder for our uses.

1.) Go to Services > DNS Forwarder (https://192.168.1.1/services_dnsmasq.php)
2.) Find the section titled "Interfaces". By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, which for this tutorial, let's only select LAN and possibly Localhost. (Be aware if you do choose to highlight Localhost that if you do a DNS lookup within pfSense (for instance from the firewall logs) this may be a potential privacy leak, as this will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have Localhost highlighted. Not highlighting only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)
3.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it.
4.) Click [ SAVE ]
5.) Click [ Apply Changes ]

#################################################################################

That's it! You should be off and running with a basic setup for multiple NIC's. Remember our LAN interface faces the clear-net, and AirVPN_LAN will face the VPN.

You can now add your fourth interface and set it up either exactly like the LAN, or exactly like the AirVPN_LAN, depending on how you intend to use it. Just give it an individual name and set the rules accordingly. Do not forget to disable the DNS Forwarder for any additional interface. I hope this works for you! Good luck, let me know if you need assistance.
  15. Excellent. Looking at that snapshot, might I suggest disabling IPv6 on that interface... and perhaps QoS, File and printer sharing (unless you actually share this from this computer), link layer topology discovery responder (lets other computers on your LAN discover your computer) and NetBIOS from the IPv4 Properties > General > Advanced > WINS. I suggest this because I assume you are not using features that use this on a computer connected to a VPN. Perhaps you are... but these things can always be reversed. That website is the exact IP address of airvpn.org. This is the address a DNS would retrieve for your computer if you typed in the name "www.airdns.org". We are directly accessing this because this does not require the use of a DNS. If you are able to access this during a down time it will verify where our problem is. Hopefully now your IP and DNS settings in Windows are set to obtain addresses automatically. If pfSense is configured correctly these will be served to any device connected to a NIC directed to do so. No offense meant to Knicker, he has been a great help to the community and his guide is appreciated by many, but I find it to be a bit incomplete as well as disagreeing with the methods in a few sections. This is one I disagree with. pfSense is not like Windows at all. Windows is designed to try to keep its users connected by all means possible... for the lay person mostly. It will circumvent some rules to keep connected. pfSense on the other hand is based off FreeBSD. It is much more secure in that it will not do or allow anything that you do not explicitly tell it to do. No, for our uses, more correct would be to disable the DNS Forwarder on VPN interfaces and set the DNS servers on each NIC's DHCP Server page. This combined with checking the "Skip rules when gateway is down" box found at System > Advanced > Miscellaneous.
From the description: "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down", so by default we are/were telling pfSense to fall back to another gateway. By checking this check box, which is correct for our uses, pfSense simply will not fail over a down VPN connection to another gateway. For the paranoid, four firewall entries on a VPN facing NIC will both block all possible DNS leaks as well as guarantee the connection itself does not leak, even if someone tries. This is how I have mine set, and would like for you to try. Fantastic! You have extra NIC's for us to use. This will help us as well as teach you how to use the extras. The guide I began to post in another thread will greatly help you. I am going to copy that post I made as well as add to it here so you can enable another interface. But first we have to undo your settings for your current LAN interface and set it correctly. I hope you will try this, I am just going to work on the tutorial right after posting this since I have the time tonight. Please start by following the step I posted above and checking that check box.
  16. What I am asking about the assigned IP is this: If you go to your network settings (I'll assume you are using Windows, so "Network and Sharing Center") on your computer, double click on your NIC, and select "Details", what information is provided? It is important we know what it says when it is malfunctioning. It may also be useful to have a snapshot from when it is working. You can highlight the text and use Ctrl+C to copy the text. As you can see from this snapshot, DHCP is enabled and pfSense has served me an IP address. Further, pfSense has served me the correct DNS servers as well. This is what it should look like when functioning.

Connection-specific DNS Suffix: XXXXXXXXXXX
Description: XXX PCIe GBE Controller
Physical Address: XX-XX-XX-XX-XX-XX
DHCP Enabled: Yes
IPv4 Address: 192.168.XXX.XXX
IPv4 Subnet Mask: 255.255.255.0
Lease Obtained: Saturday, January 25, 2014 12:15:37 AM
Lease Expires: Sunday, January 26, 2014 1:15:45 PM
IPv4 Default Gateway: 192.168.XXX.1
IPv4 DHCP Server: 192.168.XXX.1
IPv4 DNS Servers: 10.4.0.1, 10.5.0.1
IPv4 WINS Server:
NetBIOS over Tcpip Enabled: No

From what you have noted about the gateway statuses, everything there seems to be OK, which leaves us to seek out other issues. The connection is up so it is not pfSense, AirVPN or your ISP. I suspect it is an issue with the DHCP server and/or the DNS Forwarder, with an emphasis on the DNS Forwarder (this would explain why you CAN log into pfSense and yet have no internet access). If this is the case, it should be easy to correct with a bit of troubleshooting. In the mean time, next time you have this 5 minute delay, can you please enter https://95.211.138.143/ into your web browser? It is the direct IP address for airvpn.org. If this loads, we know it is a DNS Forwarder issue.

I too was going to ask you about the advanced section. I do not think it has to do with your problem, but everyone should have a few entries there, at the very least to match the settings in the .OVPN files provided to us by AirVPN. Further than that, you can use this area to tweak settings towards your use once you become familiar with the options such as the "verb" setting. This setting controls how much info is shown in the logs. Default is 3, I use 4. The range is 1-5. Here is what I use, you may copy and paste the following string into yours if you wish:

ns-cert-type server; verb 4; tun-mtu 1500; mssfix 1400; explicit-exit-notify 5; mute-replay-warnings; mute 20;

But this brings me to another question, what hardware do you have pfSense installed on... what CPU are you using? I see you use Intel NICs which is good. Any serious pfSense install should use Intel NICs due to the support they have for BSD. I hope we can sort you out soon. After I post this, I am going to install Untangle on a separate hard drive to evaluate it compared to pfSense for my needs. I likely need to switch to Untangle mostly for its ability to filter ads.
  17. refresh, I have a few questions for you that may help me help you with this issue. When you first come back from being away:
1.) Does your computer have an assigned IP address from pfSense?
2.) Are you able to log into pfSense? If yes, does Status > Gateways show an "online" connection to AirVPN or is it down? If you cannot log in, what does the RRD Graph show for that time period? It will tell you if you have been disconnected or if the connection has remained.
Also, are you running DHCP or a static IP on your computer?
  18. Yes, I leave pfSense running 24/7... that is its intended use. It is the firewall and router for my entire network and must be on at all times. To monitor packet loss on the AirVPN gateway you must enter a monitoring IP. I simply use 10.4.0.1 and it works well enough. Go to System > Routing. The Gateways tab is already selected, so go to your AirVPN gateway on the page and find and select the [e] edit button on the right. Find "Monitor IP" and enter your monitor IP of choice. 10.4.0.1 works. You will now be able to monitor packet loss on that gateway both under Status > Gateways and Status > RRD Graphs > Quality. The RRD Graphs may give you some insight into why you are disconnecting.
  19. No, they do not drop when not in use. I do not have this issue. I have noticed you seem to have a number of issues with your setup. I do not have any of the issues you state. They are not normal. I have not responded before because it is not the fault of pfSense or AirVPN. You either have an issue with your ISP, choice of equipment, or human error in your install. Do you monitor your AirVPN gateway? What is the packet loss?
  20. It sounds to me the missing step for what you are trying to do may be setting an outbound NAT rule for that individual static IP that also designates the correct gateway. That rule has to be above the other outbound NAT rules for that interface or it will route it through the gateway that is default for that NIC first, negating the firewall rule. You would also likely have to assign DNS to the static IP under Services > DHCP Server. Other than that, I disagree with this method as you have multiple NICs. Each NIC should be either only for VPN or only for clear-net. Not that it cannot be done, but you have other NICs and it is safer to isolate them. You can have VoIP and gaming all on the original LAN from the pfSense install facing clear-net. Another NIC can be only VPN. A third NIC or more can be set for only VPN or only clear-net... it's up to you. But why mix gateways on one interface when you have multiple? I have given you the basics of how to set interfaces for a specific gateway. I will help if you wish to set it up for a single gateway per NIC. Soon I will have a tutorial as well.
  21. This is all assuming you have followed the other steps in the guide posted here to set up your interfaces, outbound NAT and advanced firewall routing rules to force traffic over the gateway it is intended for. My apologies if this does not help due to not covering enough steps. I have planned to make a full tutorial for those of us with multiple NICs that is bulletproof as far as leaks. I have tested it for months and it works. I will post the tutorial as soon as I can find the time.
  22. JetFn1, the issue you are having is due to the guide you followed not being entirely accurate for those of us using multiple network interface cards. I have 8 NICs, which I will not explain fully in this post. I have my reasons, but mainly I needed a NIC and subnet just for VoIP, a NIC and subnet just for Xbox traffic, a NIC and subnet just for ISP facing traffic, and multiple NICs and subnets that are routed over the VPN. This facilitates much more manageable firewall rules pages for each type of traffic and reduces the chance of human error. It also makes it much easier to monitor traffic when it is separated by interface. Anyway, moving on.

First of all, since you want one NIC to face your ISP and another to face AirVPN, you do not need to follow the steps of switching the gateway of the initial "LAN" interface that is created during the pfSense install. It is more trouble than it is worth renaming and editing certain characteristics of that interface, and it is also unnecessary for us. Let that just be and focus on setting up the secondary NIC (which we will call AirVPN_LAN) to face AirVPN by setting the advanced firewall rules to route the traffic over the AirVPN_WAN (or whatever you have named it) gateway. After this, we need to properly set up the DNS forwarder to not blindly forward the DNS servers to all NICs, then properly set the DNS for the AirVPN_LAN. Setting it this way allows you to use the DNS servers of your choice (entered where you currently have the AirVPN DNS servers under System > General Setup > DNS Servers) for *NON* VPN traffic and network interface cards. For your uses these will be used by your LAN. I choose to use my ISP's DNS here because for gaming the latency is important. You may choose OpenDNS or any other public DNS here as well, but not the AirVPN DNS servers, because as you have noticed you must be connected for those to function.

We will then manually set the AirVPN_LAN interface to use only the AirVPN DNS servers under the DHCP Server settings page. I will stress this again: DNS servers set under System > General Setup > DNS Servers are ONLY for *NON* VPN traffic and network interface cards. To use the AirVPN DNS servers on the proper interface/s there are extra steps involved. Here is how I have mine set up:

1.) Go to Services > DNS Forwarder, then find the section titled "Interfaces". By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, and possibly localhost. (Be aware if you do choose to highlight localhost that if you do a DNS lookup within pfSense (for instance from the firewall logs) this may be a potential privacy leak, as this will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have localhost highlighted. Not highlighting it only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)

2.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it, then click "Save".

3.) Go to Services > DHCP Server and select the tab for your "AirVPN_LAN". Find the section here titled "DNS Servers" and enter your AirVPN DNS server/s here (10.4.0.1 etc.), then click "Save".

At this point pfSense will not serve the incorrect DNS servers anywhere, but we will go one step further and create firewall rules to block any potential DNS leaks by a program that seeks another DNS server on its own. This is in a sense redundant, because if you have the advanced firewall rules set for the correct gateway these requests would be funneled through the VPN anyway, but I still use them since nothing should be attempting to use any other DNS, and these rules will block any such attempt.

4.) Go to Firewall > Aliases. Click the [+] to "Add a new Alias".
Name = AirVPN_DNS_Servers
Description = AirVPN_DNS_Servers
Type = Hosts
Under the "Hosts" section, using the [+] near the bottom, create new entries and enter two or more of the following AirVPN DNS servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1
Click "Save".

5.) Go to Firewall > Rules and select your "AirVPN_LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS":
Action = Pass
Interface = AirVPN_LAN
TCP/IP Version = IPv4
Protocol = UDP
Source = Any
Destination = (Single host or Alias) AirVPN_DNS_Servers
Destination port range = DNS
Description = ALLOW_AirVPN_DNS
IMPORTANT STEP --> Advanced Features > Gateway = AirVPN_WAN (or whatever you have named your AirVPN gateway, it will appear in the drop down)

6.) Go to Firewall > Rules and select your "AirVPN_LAN" interface. Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS":
Action = Block
Interface = AirVPN_LAN
TCP/IP Version = IPv4
Protocol = UDP
Source = Any
Destination = Any
Destination port range = DNS
Log = Checked (this will alert you in your firewall logs if something does attempt to use alternate DNS)
Description = BLOCK_DNS_LEAKS
*** For this rule we will NOT set the advanced setting for gateway.

7.) Go to Firewall > Rules > AirVPN_LAN. The order of the rules we just created is important! These rules should be near the top of your firewall rules list for this interface. Ideally the only rule above them should be a GUI lockout rule, if you have one. Further than this, the "Allow" rule MUST BE ON TOP of the "Block" rule. You can select the rules' check boxes and re-organize them accordingly.

That's it, you should be set to go. You can verify it is functioning correctly by going to any number of DNS leak test sites on anything connected to the VPN connected NIC.
http://www.dnsleaktest.com/
https://www.grc.com/dns/dns.htm
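The following is an added example, written for this page and not code from pfSense or from the poster: a small Python simulation of the two AirVPN_LAN DNS rules from post 22, combined with the "Skip rules when gateway is down" option discussed in post 15. It assumes pfSense's first-match evaluation (every generated rule carries "quick", and each interface ends in an implicit deny) and assumes a catch-all pass rule policy-routed over the VPN sits below the two DNS rules, which the post implies but does not spell out; the gateway name AirVPN_WAN and the sample packets are constructed. Running it shows four things: in the post's order, UDP/53 to the AirVPN resolvers passes via the VPN gateway and any other UDP/53 is blocked and logged; with the block rule above the allow rule, the AirVPN resolvers are blocked too; with the VPN gateway down and the skip option on, nothing on the interface passes; with the option off, the rules are created without their gateway and the traffic follows the default route, which is the leak the option exists to prevent. It also makes visible that both rules are UDP-only, so DNS over TCP is decided by whatever rule follows them.

```python
"""First-match simulation of the AirVPN_LAN DNS rules described in the thread.

Added example, not pfSense code. It models pf as pfSense drives it (first
matching rule wins, implicit deny at the end) and the "Skip rules when gateway
is down" option. Rules, packets and gateway state are this example's own
simplification of the real configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The Hosts alias the post builds under Firewall > Aliases.
ALIASES: Dict[str, List[str]] = {
    "AirVPN_DNS_Servers": ["10.4.0.1", "10.5.0.1", "10.6.0.1", "10.7.0.1",
                           "10.8.0.1", "10.9.0.1", "10.30.0.1", "10.50.0.1"]}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "block"
    proto: Optional[str]           # "udp", "tcp", or None for any protocol
    dst: str                       # alias name, literal address, or "any"
    dport: Optional[int]           # destination port, None for any
    gateway: Optional[str] = None  # Advanced Features > Gateway
    log: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str
    rule: Optional[str]       # None means the implicit default deny matched
    gateway: Optional[str]    # None means the system default route (WAN)


# The two rules exactly as post 22 specifies them (note: both UDP-only).
ALLOW_AIRVPN_DNS = Rule("ALLOW_AirVPN_DNS", "pass", "udp",
                        "AirVPN_DNS_Servers", 53, gateway="AirVPN_WAN")
BLOCK_DNS_LEAKS = Rule("BLOCK_DNS_LEAKS", "block", "udp", "any", 53, log=True)
# Assumed catch-all below them, policy-routed over the VPN (not in the post).
ALLOW_ALL_VIA_VPN = Rule("AirVPN_LAN_to_any", "pass", None, "any", None,
                         gateway="AirVPN_WAN")

CORRECT_ORDER = [ALLOW_AIRVPN_DNS, BLOCK_DNS_LEAKS, ALLOW_ALL_VIA_VPN]
WRONG_ORDER = [BLOCK_DNS_LEAKS, ALLOW_AIRVPN_DNS, ALLOW_ALL_VIA_VPN]


def load_rules(rules: List[Rule], gateways: Dict[str, bool],
               skip_when_down: bool) -> List[Rule]:
    """Emulate ruleset generation for a gateway state map (True = up).

    Skip option on: a rule bound to a down gateway is not created at all.
    Skip option off (the default the post quotes): the rule is still created,
    but without its gateway, so matching traffic follows the default route.
    """
    loaded = []
    for r in rules:
        if r.gateway is not None and not gateways.get(r.gateway, False):
            if skip_when_down:
                continue
            r = Rule(r.name, r.action, r.proto, r.dst, r.dport, None, r.log)
        loaded.append(r)
    return loaded


def _dst_matches(rule_dst: str, addr: str) -> bool:
    return rule_dst == "any" or addr in ALIASES.get(rule_dst, [rule_dst])


def evaluate(loaded: List[Rule], pkt: Packet, log: List[str]) -> Verdict:
    """First matching rule decides; no match falls into the implicit deny."""
    for r in loaded:
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if not _dst_matches(r.dst, pkt.dst):
            continue
        if r.log:
            log.append(f"{r.action} {r.name} {pkt.proto} -> {pkt.dst}:{pkt.dport}")
        return Verdict(r.action, r.name, r.gateway)
    return Verdict("block", None, None)


# Constructed sample traffic from a client sitting on AirVPN_LAN.
SAMPLE_PACKETS = {
    "airvpn_udp53": Packet("udp", "10.4.0.1", 53),  # the intended resolver
    "google_udp53": Packet("udp", "8.8.8.8", 53),   # a program using its own DNS
    "google_tcp53": Packet("tcp", "8.8.8.8", 53),   # same resolver, DNS over TCP
}


def dns_verdicts(rules: List[Rule], vpn_up: bool, skip_when_down: bool = True
                 ) -> Tuple[Dict[str, Verdict], List[str]]:
    """Run every sample packet through the generated ruleset."""
    log: List[str] = []
    loaded = load_rules(rules, {"AirVPN_WAN": vpn_up}, skip_when_down)
    return {k: evaluate(loaded, p, log) for k, p in SAMPLE_PACKETS.items()}, log


if __name__ == "__main__":
    for label, rules, up, skip in [("correct order, VPN up", CORRECT_ORDER, True, True),
                                   ("block above allow, VPN up", WRONG_ORDER, True, True),
                                   ("VPN down, skip on", CORRECT_ORDER, False, True),
                                   ("VPN down, skip off", CORRECT_ORDER, False, False)]:
        verdicts, log = dns_verdicts(rules, up, skip)
        print(label)
        for k, v in verdicts.items():
            print(f"  {k:13} {v.action:5} by {v.rule or 'implicit deny':18} gw={v.gateway}")
        for line in log:
            print("  log:", line)
```

The "VPN down, skip off" case is the one to look at: the allow rule still exists, but with its gateway stripped, so the client's DNS and the catch-all traffic leave over the default WAN route exactly as the option's description warns. The UDP-only scope of both rules is also worth noting when you read the leak-test results; a resolver that retries over TCP is judged by the rules below these two, not by BLOCK_DNS_LEAKS.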