pfSense_fan

Posts posted by pfSense_fan


  1. Yes, I built my pfSense firewall / router using PC equipment. I can get 100 Mbit+. I am limited by my internet connection, not my router.

     

    There is a tutorial on this site, however I found it to be missing some info and confusing. I have been writing my own that I hope to release in late April. I'm very busy unfortunately.

     

    Although you can use pretty much any pc equipment, I recommend server class equipment if your main use is VPN and you can afford it. Some server motherboards have 4 high end Intel NIC's built onto the board (saves a lot of money this way, many network cards are not compatible, server class Intel work the best, pci-e cards are quite expensive) as well as have encryption instructions in the processors, mainly Ivy Bridge and the new Haswell Xeon. You can build one this way for $500-$600 depending if you have a spare hard drive, power supply and case around. If you do have those, all you need is the motherboard, processor and memory. I used an old laptop drive and a power supply and case from a pc that I no longer used.

     

     

    http://www.pfsense.org/

     


  2. ....

     

    I have checked the reflection setting and its set to disable.

     

    ....

     

    I was going to ask can I use other DNS entries under general setup ? I see everything is air dns anyhow but would prefer to use logless dns servers

     

    Thank you for checking that setting. I am researching it and couldn't remember the default.

     

    You can use any DNS you want that is not the airvpn ones.


  3. ...........

     

    So at this point it's pretty much working 100% with clear net and airvpn. Think I'll save it a few times!

     

    Regarding the other guide, that sounds pretty good, I'll be the first guinea pig

     

    That is great news! I'm glad it is working now. Perhaps go back to the post with my tutorial and mark it as solved then.

     

    I'd also hope the staff can move this thread to the troubleshooting forum.

     

    I look forward to your trying the tutorial. You convinced me to come up with a more basic setup with AirVPN default gateway for the masses.

     

    I have one question though, as i have not reinstalled pfSense in quite some time, can you look at a setting and report to me what the default setting was?  If you go to System > Advanced > Firewall and NAT, at the bottom there is a setting for "NAT Reflection mode for port forwards ". What do you have set?


  4. Yeah I think it was just that one error or two nothing too serious mind and things one could just continue on from. I will however redo those 2 firewall settings again:)

     

    I checked under https://192.168.1.1/services_dnsmasq.php? and DNS forwarding is ticked and I have selected Lan and Localhost and both are highlighted with strict interface binding option.

     

    Under : https://192.168.1.1/system.php? I have used your opendns both servers both gateways are to my wan_dhcp-wan xx.xx.xx.xx (ip address)

     

    I ran into some other issues sadly with it, I think when I applied some of your other tweaks mentioned on the other post and when I went through your guide again double checking everything, the next day airvpn.org was blocked! Not sure what happened exactly... so I recalled a trick about entering the :

     

     

    85.17.207.151 airvpn.org

    212.117.180.25 airvpn.org

     

    into my host file, once I'd done that I was able to get back onto air forums and website.... so not sure what happened there exactly. But it works regardless.

     

    Also I noticed even though I am trying a Netherlands server my browser activities seem to believe I am in Germany, perhaps Air Netherlands servers are using German dns... so when I go to google it goes to google.de by default. I will try another server and see how it goes though....

     

    Strange occurrence also with speedtest it reports my real location (well close!) despite ipleak saying my IP is in Netherlands, ipleak also shows location in Netherlands on the google map.... so I was not sure about this either.

     

    Still am happy to report the 5 minute wait issue is a thing of the past and after 2 months of trying you made that possible, so not enough thanks to express gratitude!

     

     

    Oh well. At this point I don't know, that is exactly how i have been running mine.

     

    That being said, I have been thinking long and hard during our adventure here, and all the while I have been writing my tutorial. I came up with a slightly different method that gets rid of the DNS Forwarder altogether. It also uses AirVPN as the Default gateway. The only thing I don't cover is the initial installation, as there are many tutorials for that on the web. Other than that I tried to be as thorough as possible. I should be done with the tutorial this week. In fact, I almost finished last night but had domestic issues to tend to. Hang in there and when it's up I hope you'll give that a try.

     

    Hopefully our trials here will help the community.

     

    I do have an idea for your current issue though, the one I had earlier in the week. If you go to the windows "Network and Sharing Center" (Right click on your network adapter on the system tray) you will see an icon under where it says "View your active Networks". Click the ICON (not the link). A new window pops up (Pro tip: you can also go back and name the connections here so that in your tray you know if you are connected to AirVPN or Clear-Net) and there is a link for "Merge or delete network locations". My guess is you will have multiple networks listed there. DELETE THEM ALL. This will ensure any bad settings that were buried deep on your "LAN" network are deleted and you start fresh. You will receive your settings from dhcp. It seems windows is blocking you, hopefully this solves it.

     

    If not, just hold on a few more days for my tutorial.

     

     

    EDIT: Just another thought... are you rebooting after changing these settings? I guess I forgot to mention because I assume it's standard knowledge... but when you change settings that affect a route you must reboot. You should reboot when you make changes just in case, even if not "required". I remembered that after I made some of these changes I too got blocked... until I rebooted. Just a thought.


  5. I went through your entire guide again and everything is ok ticked for tick, there was the one minor thing I noticed under "Default allow LAN to any rule" firewall rule

    you mentioned to "Destination port range = [ Any ]" but no such option is on there? I just carried on with the guide.

     

    Ah ha! We find a discrepancy! I looked at it and noticed a few incorrect entries in the Firewall rules section on both the LAN and AirVPN_LAN interface. I have edited and corrected them. You should delete your entries and re-enter them.

     

    Otherwise tick for tick I have looked over it a few times and it's all the same. I tried the clearnet network port again and now no net access at all. So it seems to have got worse, mind you before only a few sites opened but were opening...

     

    I feel the clearnet is getting blocked or not getting dhcp/dns perhaps... I checked the network settings and it does say dhcp enabled on and ip/dns is still saying assigned to 192.168.1.1 (pfsense box).

     

    I am somewhat at a loss here. I do not think correcting those firewall entries will help this part of it. Is the DNS Forwarder actually enabled under https://192.168.1.1/services_dnsmasq.php ? It seems it is... your entries stating 192.168.1.1 are correct if it is enabled. It's odd that when you do a DNS leak test it finds no DNS at all. Are there any DNS entries entered under https://192.168.1.1/system.php ? Are they set for WAN_DHCP as they should be? If that is not correct, set and save those settings.

     

    If that doesn't work I have another idea.

     

    Would it help if I posted logs or my firewall screens or anything else?

     

    Not at this time.

     

    AirVPN network port is golden though, 4th day in a row and no issue at all which is pretty much 99% what I use

     

    Good, as it should be.

     

    I rarely use my LAN either... but it's there if we need it without us having to reconfigure our entire setup. That's why I leave it. Eventually there will be times you will need it.


  6. I use password managers to allow me to use ultra strong passwords as well as allow me to change them as frequently as needed and/or wanted.

     

    My question is this:

     

    1.) What is the maximum number of characters allowed in a password when registering or changing a password here at AirVPN? What is the maximum amount of characters allowed in usernames?

     

    2.) What types of characters are allowed in passwords? What types are allowed in usernames?

     

    My suggestion is this:

     

    List this information next to the respective forms during registration and password/username change menus.

     

    I believe this would be useful for many, especially those who use password managers.


  7. Ok next day switched on and happy to report no 5 minute wait issue anymore, first day is a success with your new updated pfsense guide!  Upon Pc loading to desktop again the yellow triangle on network icon shows but 1-2 secs after it vanishes and internet is working 100%.

     

    Excellent. The triangle is likely there due to power saving settings on your computer putting it to sleep.

     

    I have just added the monitoring IP option and added your line of advanced configuration per your instructions, but noticed in the guide you did not mention about "Skip rules when gateway is down" option ?  Should I still do this as your earlier mentioned its good to do ?

     

    Yes, click that. Firewall rules will block it otherwise, but still check that box.

     

    Not too fussed with the clear net issue since I only wanted to connect to airvpn at all times but guess it's nice to have. If it works till Sunday morning it's pretty much 100% fixed

     

    Nonetheless we should work it out so nothing is configured incorrectly. I have some ideas but I work long hours today and tomorrow. Sunday or Monday I will list them.


  8. First things first, pfSense does not use iptables. Iptables is a feature of the Linux Kernel.

     

    pfSense uses "pf" hence its name... making sense of pf. pfsense and pf are based off BSD and have nothing to do with Linux.

     

    https://en.wikipedia.org/wiki/Iptables

    https://en.wikipedia.org/wiki/PF_%28firewall%29

     

    I have no experience with virtual machines and won't be much help in regards to troubleshooting, however I can tell you that when having more than one gateway active, my floating firewall rules are wonky at best. I stopped using them for rules on each intended interface.


  9. Oh yeah forgot you mentioned that. I do have openic dns servers under general setup and then the same ones under dhcp dns settings....

     

    I have checked ipleak and GRC dns spoof website and both reveal no ip or isp ips or leaks, can this still give real id away then ?

     

    The answer to this is somewhat layered. Strictly technically speaking, if everything is set correctly you should be fine. That being said, however, if something is not set correctly or was to accidentally get changed it would be quite possible. If somehow the DNS Forwarder were to be activated, you would be sending DNS requests simultaneously from both the WAN and AirVPN_WAN. This could easily be correlated. Why I discourage it is because it is an expected redundancy, along with the firewall rules I had you make (which you are either not using or did not set correctly as those would block openic dns). Something is certainly not set correctly, so we cannot say for certain you are anonymous.  This is why I keep stressing the importance of uncovering why the AirVPN dns are being blocked.

     

    I will try it fresh like you suggest, it's just nice after 2 months of having a possibly working set up and even then I would still like to try to make it to day 3 (tomorrow) and day 4 and then save that pfsense backup if it's golden !

     

    I still think this is the best idea. It will at the very least work like it does now, but ideally it should just work.

     

    Have I mentioned that we need to figure out what is blocking AirVPN dns?


  10. Again, it's a step in the right direction, but if you cannot use the Air DNS, it is not quite working. You need to solve that.

     

    It leads me to believe something, your windows firewall, pfSense itself.... something is blocking the Air DNS. I would encourage you to change back to them and continue to troubleshoot until we find the actual issue. First thing we need is a snapshot of your windows NIC setting during a down time. Then also take a look at your pfsense logs and see if the firewall is blocking 10.4.0.1:53 etc..

     

    Also, it is not safe to change all of the DNS settings to the same one, I explained the way to do it for a reason! You are possibly sending dns requests from both the clear-net AND the VPN at the same time if you set the DNS forwarder AND the DHCP to serve the same dns. DO NOT DO THAT! You can give your real identity away doing this. Unfortunately you must not understand how the dns forwarder works. I wish I had time to explain.

     

    I cannot stress enough that you need to get the Air dns working. They do work... that's all I've ever used for my AirVPN connection.


  11. Hi, I did reboot after the entire set up I think I may just have to go through it again I noticed a few of knickers previous settings in place so was trying to delete them to kinda merge your guide into it, but perhaps did not get it 100%. Perhaps like you suggest start from fresh if I install the Certs which takes a minute and then continue from your guide ? I was unsure which point to resume

     

    If you start from scratch, the WAN will already be your default gateway and stays that way as long as you do NOT set the AirVPN_WAN as default when you enable it. If you install your certs, set up your openvpn client, enable the ovpn1 interface, add the new gateway... you can follow my guide from there.

     

    That is very interesting what you mentioned about the pci 3.0 slot, I do have my intel nic card inside that long 16x pci express slot. Not quite sure if it's 2.0 or 3.0 however. Manufacturer's website does not mention what it is since it only offers basic info ie cpu/ram, in fact it does not even mention the slots or mobo.

    I will have to do some investigating but will check the bios and further research this mobo sadly it only has 1x16x slot and 1x1x express slot.

     

    I know this because I have used those cards before and had ports dropping out. After researching it, I found there was an issue with the PCIe compatibility. Some of the older cards need PCIe 1.0 compatibility. Search through your bios and see if there is an option for this. My bios does have the option and I have them set to 2.0

     

    I did consider a hp or dell workstation but my idea originally was to look for a very low powered system, my AMD 1.5x quad cpu supports AES so I don't see more than 15-20% cpu usage during maxed out downloading, the whole system consumes 35watts with no noise and is a tiny mini itx system which I can hide out the way. I do agree with you regarding the extra nics, this was why I originally bought 4 nics and spent the extra bit of money over a 2 port intel nic.... I just feel if I can get 1 port to work it would be a miracle at this point

     

    No offense was meant. I just far too often see people end up spending as much as they would for a server board with four built in NICs and built in vga, 4-8 gigs of ecc memory and a XEON E3 1220 v3.. because in their efforts to save they find out the cheap stuff is not compatible. A build as I suggest can be had for $500-$700 depending on choices in hard drive, power supply and case, or if one has parts like that laying around from old builds already.

     

    Yesterday afternoon I applied some of your settings and suggestions of disabling both VPN interfaces with control key for DNS forwarding and also I tried openics dns instead of air dns under the dhcp server settings and general setup, this morning I got the little triangle upon opening the browser but it vanished and loaded the website fully.

     

    While good in a way, we should not have to delete the AirVPN DNS. This seems to be our core problem, and we need to solve why those are being blocked. Perhaps your firewall on your pc is blocking them? Did you take a snapshot of your network setting when it was down?

     

    This is looking positive however as I mentioned sometimes I do get instant access....and no 5 minute wait, the true test would be testing it successfully every day for 4-5 days!

     

    But hopefully a step in the right direction.

    In fact I may be able to work out if it may be fixed, when you first switch on your pc or laptop do you notice your network icon in bottom right to still have a yellow triangle which quickly goes once windows is fully loaded ?

     

    Sometimes if I have rebooted pfSense, yes there is a yellow triangle. As soon as I do anything that uses internet it just goes away.

     

    One other option we have is to set a static IP for your computer within pfSense.

     

    One way or another we need to continue to sort this out! It's looking positive... I want to figure out why the AirVPN DNS don't work though. They should.

     

    Still thank you very much for the guides and future ones I think once I have got the basic setup working I can dabble with more, and I look forward to your other guides.

     

    Absolutely. Hopefully our work here will help others too.


  12. Did you reboot the system after my guide? You should always reboot after major changes...

     

    Also, those older Intel 4 port cards have issues if installed into a PCIe 3.0 slot. Not sure what your motherboard has, but if they are 3.0 you may want to check the bios and set it back to 2.0 compatibility.

     

    If that does not work, are you opposed to starting from a fresh install? It may be the best option at this point. If you can input your certificates, then besides the certs, this is how I set mine up. I have had sixteen NICs running successfully at one point, no leaks, internet cuts out on VPN facing NIC's if the VPN fails.

     

    I do plan to make an entire guide... what I wrote here will be nearly exactly what I write so none of this is a waste. I have been writing a guide that more clearly shows how to enter certificates, but although Knicker's guide is hard to follow, it is correct there. It is however time consuming, and I do not get much free time lately so I do not know when I will complete a full guide.

     

    Just a thought...How many rules do you have for Outbound Nat? There should be one for each NIC and no more. If there are other rules, delete them.

     

    Edit: I will not however make a guide for only two interfaces, regardless of the interest in it. I do not consider it safe and/or a proper use of pfSense: there is too much room for error. One can acquire a third enterprise class NIC for $15-$20 or a dual NIC card for $25-$35. Brand new (old stock) four port adapters can be found for $50-$75. I can even skip buying extra NIC's in the first place with proper system planning and buy a Server motherboard that has 4 NIC's built in as well as integrated vga. I don't and won't encourage skimping on something that should be the centerpiece of a network, especially one with a VPN. If I make a guide it will be safe to use by those who are in critical need of strong privacy but also need to use the clear-net for things such as VOIP or gaming. I strongly recommend Server class equipment throughout. I run a server board with four onboard intel NIC's, a XEON E3 1270 v3 and 16 gigs of ECC memory (8 would have been fine, the most I have used is 6, but it was only $50 more for 16). I take privacy seriously and will only make a tutorial which reflects this.


  13. Ok here is a tutorial for you to follow to best set up pfSense for AirVPN seeing that you have four NIC's to work with. We are going to leave one interface, the default LAN interface that is created during pfSense install, facing the clear-net and your ISP.

    This will give you the choice to use the regular internet for any needs you may have or if the VPN goes down by simply moving your network cable from one interface to the other. I am going to skip the OpenVPN setup since you already have it connected and focus on the setup of your interfaces, subnets, firewall rules and NAT. Ready? Here we go!

     

    First of all because you are using high quality Intel server NIC's, let's start by making sure we are utilizing the power of them and offload as much as we can from that AMD Processor.

     

    1.) Go to System > Advanced > Networking (https://192.168.1.1/system_advanced_network.php)

    2.) Under the section titled Network Interfaces, find the check box for Enable device polling and check [√] the box to enable it.

    3.) Now find the check boxes right below this for Disable hardware checksum offload, Disable hardware TCP segmentation offload, and Disable hardware large receive offload. Make sure these three boxes ARE NOT CHECKED. Uncheck [  ] them if they are checked by default.

     

    4.) Click [ SAVE ]

    5.) Click [ Apply Changes ]

     

    6.) Now go to Diagnostics > Reboot  (https://192.168.1.1/reboot.php).

    Go ahead and reboot the system for these to take effect. The Intel drivers are the most developed and supported drivers for pfSense/FreeBSD. You can benefit from these options and offload quite a bit from your cpu and improve overall performance. We can verify these are working by going to https://192.168.1.1/status.php (or replace 192.168.1.1 with whatever your GUI login is) and looking among the lines under the interfaces section; you should see "polling" as well as the other options for offloading listed amongst the interfaces.

     

    Here is a line from mine:

     

    options=407fb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,POLLING,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>

     

    Your results may vary depending if the card you have supports all of this. Keep an eye out for any that do not show up, and disable as necessary. Keep a keen eye for "LRO" which is Large Receive Offload. If that does not show up as enabled, go back and check that box and reboot.

     

    Now that we have that set we need to enable a third NIC and undo any settings you may have now from the other tutorial you followed that are not compatible. Before that I want to set a few parameters for the purposes of this tutorial. You may change these as you wish but I will refer to them as such throughout the tutorial and it may be easier for you to name them the same for later reference:

     

    WAN (likely em0 interface) = ISP Gateway = WAN_DHCP (default) - This will remain the default gateway set up with my method, we likely have to "undo" this for you.

    LAN (likely em1 interface) = 192.168.1.1/24 = Clear-Net facing NIC

    AirVPN_WAN (likely ovpn1 interface) = AirVPN Gateway

    AirVPN_LAN (likely em2 interface)= 192.168.123.1 / 24 = VPN facing NIC

    Opt1 = the interface we will program/assign to be our AirVPN_LAN

     

    Before we "start" let's set a few things so you do not lose internet connectivity while setting this up and concurrently configuring our WAN and LAN interfaces the way we need them.

     

    #################################################################################

    #################################################################################

     

    Let's make sure the WAN interface is our default gateway.

    1.) Go to System > Routing  (https://192.168.1.1/system_gateways.php)

    2.) On the "Gateways" tab and on the "WAN_DHCP" line select the [e] edit button on the right.

    3.) Set as Follows:

    Interface = [ WAN ]

    Address Family = [ IPv4 ]

    Default Gateway = [√] checked

     

    Click [ SAVE ]

    Click [ Apply Changes ]

     

    #################################################################################

    #################################################################################

     

    Let's set up the primary DNS servers which will be used by the LAN interface.

    Go to System > General Setup: DNS servers  (https://192.168.1.1/system.php)

    We are going to set two of the DNS servers to OpenDNS and leave the other two blank.

     

    Set as Follows:

     

    DNS Server                Use gateway

    [ 208.67.222.222 ]      [ WAN_DHCP ]

    [ 208.67.220.220 ]      [ WAN_DHCP ]

    [        (empty)       ]      [       none       ]

    [        (empty)       ]      [       none       ]

     

    [  ]    Allow DNS server list to be overwritten by DHCP/PPP on WAN  = UNCHECKED

    [  ]    Do not use the DNS Forwarder as a DNS server for the firewall = UNCHECKED

     

    Click [ SAVE ]

     

    #################################################################################

    #################################################################################

     

    Let's set up the LAN interface:

    Go to Interfaces > LAN  (https://192.168.1.1/interfaces.php?if=lan)

     

    Set it as follows:

     

    General configuration

    Enable = [√]

    Description = LAN

    IPv4 Configuration Type = Static IPv4

    IPv6 Configuration Type = none

    MAC address = (empty)

    MTU = (empty)

    MSS = (empty)

    Speed and duplex = Advanced > Autoselect

    Static IPv4 configuration

    IPv4 address = 192.168.1.1 / 24

    Gateway = none

    Private networks

    Both options here are left UNCHECKED / NOT CHECKED

     

    Click [ SAVE ]

    Click [ Apply Changes ]

     

    (NOTE: if you get locked out of the GUI here, give your pc a static ip in the 192.168.1.1/24 range and your DNS to 192.168.1.1 until we finish. 192.168.1.50 should suffice.)

     

    #################################################################################

    #################################################################################

     

    Let's set the DHCP Server for the LAN interface.

    1.) Go to Services > DHCP server  (https://192.168.1.1/services_dhcp.php)

    2.) Ensure the "LAN" tab is selected

    3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):

    Enable DHCP server on LAN interface = [√] (checked)

    Range = [ 192.168.1.100 ] to [ 192.168.1.200 ]

     

    Click [ SAVE ]

    Click [ Apply Changes ]

     

     

    #################################################################################

    #################################################################################

     

    Let's set up the outgoing NAT for the LAN interface.

    1.) Go to Firewall > NAT > Outbound  (https://192.168.1.1/firewall_nat_out.php)

    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected.

    3.) Click [ SAVE ]

    4.) Click [ Apply Changes ]

    5.) If there is already a rule for your LAN interface, select the [e] button to the right of it. If there is not a rule for your LAN, you will need to create one by selecting the [+] at the top right and creating a new one.

    6.) Set as follows:

    Do not NAT = [  ] (unchecked)

    Interface = WAN

    Protocol = Any

    Source = Type: [ Network ]

                    Address: [ 192.168.1.0 ] / [ 24 ]

                    Source port: [        ] (empty/blank)

    Destination: Type = [ Any ]

    Translation: Address = [ Interface Address ]

    Description = [ LAN -> WAN ]

     

    Click [ SAVE ]

    Click [ Apply Changes ]

     

     

    #################################################################################

    #################################################################################

     

    Now we must set a few firewall rules for the LAN Interface to enforce the policy based routing and redundantly block leaks.

    We will set these in "reverse" order so that they should end up in the order we need them. This is assuming the only rule you have is the Anti-lockout rule. If you have advanced rules for your other needs you will just have to move these rules into place. There are two necessary rules for the LAN interface.

     

    The first is a "Block Everything" rule, this MUST be at the very bottom of the list.

    1.) Go to Firewall > Rules and select your "LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE LAN"

    Action = [block]

    Interface = [LAN]

    TCP/IP Version = [ IPv4 ]

    Protocol = [Any]

    Source = [ Any ]

    Destination = [ Any ]

    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )

    Description = BLOCK ALL ELSE LAN

    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default

     

    2.) Click [ SAVE ]

    3.) Click [ Apply Changes ]

     

    4.) The second is the rule that will force traffic from the LAN interface to only exit via the WAN interface. This rule should be second from the bottom, right above the Block All rule

    Go to Firewall > Rules and Select your "LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow LAN to any rule" (Note: There may already be a rule titled "Default allow LAN to any" or similar. You certainly can just edit that entry to these settings, or delete and create this..)

    Action = [ Pass ]

    Interface = [ LAN ]

    TCP/IP Version = [ IPv4 ]

    Protocol = [ Any ]

    Source = [ LAN Subnet ]

    Destination = [ Any ]

    Description = Default allow LAN to any rule

    IMPORTANT STEP --> ADVANCED FEATURES  >  GATEWAY = WAN_DHCP

     

    #################################################################################

    #################################################################################

     

    OK, let's enable that third NIC.

    1.) Go to Interfaces > Assign (https://192.168.1.1/interfaces_assign.php)

    Here you will find your assigned interfaces. If you assigned them during original install you will see all four and should likely have a WAN, LAN, opt1 and opt2 (as well as ovpn1). If you did not assign them you will have to click the [+] button at the bottom right to assign another. Once it is assigned, click save.

     

    2.) Now we need to select an "opt" interface and give it settings.

    Select one from the Interfaces drop down menu (likely Opt1).

     

    Set it as follows:

     

    General configuration

    Enable = [√]

    Description = AirVPN_LAN

    IPv4 Configuration Type = Static IPv4

    IPv6 Configuration Type = none

    MAC address = (empty)

    MTU = (empty)

    MSS = (empty)

    Speed and duplex = Advanced > Autoselect

    Static IPv4 configuration

    IPv4 address = 192.168.123.1 / 24

    Gateway = none

    Private networks

    Both options here are left UNCHECKED / NOT CHECKED

     

    3.) Click [ SAVE ]

    4.) Click [ Apply Changes ]

     

    #################################################################################

    #################################################################################

     

    Now we need to set up the DHCP Server for the AirVPN_LAN interface.

     

    1.) Go to Services > DHCP server  (https://192.168.1.1/services_dhcp.php)

    2.) Select the Tab / Drop Down for AirVPN_LAN

    3.) Set it as follows (Only options we will change are listed, leave the rest as they were by default):

    Enable DHCP server on AIRVPN_LAN_1 interface = [√]

    Range = [ 192.168.123.100 ] to [ 192.168.123.200 ]

    DNS servers = [ 10.4.0.1 ], [ 10.5.0.1 ]

     

    4.) Click [ SAVE ]

    5.) Click [ Apply Changes ]

     

    #################################################################################

    #################################################################################

     

    Let's set up the outgoing NAT for the AirVPN_LAN interface.

     

    1.) Go to Firewall > NAT > Outbound  (https://192.168.1.1/firewall_nat_out.php)

    2.) Ensure Manual Outbound NAT rule generation - (AON - Advanced Outbound NAT) is selected. (It should be from earlier)

    3.) You will need to select the [+] at the top right and create a new one.

    4.) Set as follows:

    Do not NAT = [  ] (unchecked)

    Interface = AirVPN WAN

    Protocol = Any

    Source = Type: [ Network ]

                    Address: [ 192.168.123.0 ] / [ 24 ]

                    Source port: [        ] (empty/blank)

    Destination: Type = [ Any ]

    Translation: Address = [ Interface Address ]

    Description = [ AirVPN_LAN -> AirVPN_WAN ]

    5.) Click [ SAVE ]

    6.) Move this rule to the top of the list

    7.) Click [ Apply Changes ]

     

    #################################################################################

    #################################################################################

     

    Now we must create FOUR Firewall rules for the AirVPN_LAN Interface to enforce the policy based routing and redundantly block leaks. There will be two rules exactly the same as for the LAN interface, as well as two rules to redundantly ensure no possibility of a DNS leak. You should have no firewall rules here since this is a new interface. If there are any rules, just delete them. We will again make them in "Reverse" order so that they should end up in the order that is necessary.

     

    The first is a "Block Everything" rule; this MUST be at the very bottom of the list.

    1.) Go to Firewall > Rules and select your "AirVPN LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK ALL ELSE AirVPN_LAN"

    Action = [ Block ]

    Interface = [ AirVPN_LAN ]

    TCP/IP Version = [ IPv4 ]

    Protocol = [ Any ]

    Source = [ Any ]

    Destination = [ Any ]

    Log packets that are handled by this rule = [√] (checked, enable this to be able to diagnose when you potentially block yourself )

    Description = BLOCK ALL ELSE AirVPN_LAN

    *** For this rule we will NOT set the advanced setting for gateway, it should be left as default. This will block connections to any and all gateways this interface tries to connect to that we have not explicitly allowed.

     

    2.) Click [ SAVE ]

    3.) Click [ Apply Changes ]

     

    4.) The second is the rule that will force traffic from the AirVPN_LAN interface to only exit via the AirVPN_WAN interface. This rule should be second from the bottom, right above the Block All rule.

    Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "Allow AirVPN_LAN to any rule"

    Action = [ Pass ]

    Interface = [ AirVPN_LAN ]

    TCP/IP Version = [ IPv4 ]

    Protocol = [ Any ]

    Source = [ AirVPN_LAN Subnet ]

    Destination = [ Any ]

    Description = Allow AirVPN_LAN to any

    IMPORTANT STEP --> ADVANCED FEATURES  >  GATEWAY = AirVPN_WAN

     

    5.) The third rule will block all DNS requests that we do not explicitly allow.

    Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"

    Action = [ Block ]

    Interface = [ AirVPN_LAN ]

    TCP/IP Version = [ IPv4 ]

    Protocol = [ UDP ]

    Source = [ Any ]

    Destination = [ Any ]

    Destination port range = [ DNS ] (Select from the drop down)

    Log = [√] (checked)

    Description = BLOCK_DNS_LEAKS

    *** For this rule we will NOT set the advanced setting for gateway

     

    6.) Before we create our last rule, we must create an alias for our AirVPN DNS servers.

    Go to Firewall > Aliases: IP (https://192.168.1.1/firewall_aliases.php?tab=ip)

    Click the [+] to "Add a new Alias"

    Name = AirVPN_DNS_Servers

    Description = AirVPN_DNS_Servers

    Type = Hosts

    Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1

    Click "Save"

     

    7.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"

    Action = Pass

    Interface = AirVPN_LAN

    TCP/IP Version = IPv4

    Protocol = UDP

    Source = Any

    Destination = (Single host or Alias) AirVPN_DNS_Servers

    Destination port range = DNS

    Description = ALLOW_AirVPN_DNS

    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN

     

    The order of the rules we just created is important!

    They should appear in this following order when viewed:

    ALLOW_AirVPN_DNS

    BLOCK_DNS_LEAKS

    Allow AirVPN_LAN to any

    BLOCK ALL ELSE AirVPN_LAN

     

     

    #################################################################################

    #################################################################################

     

    The last thing we must do (unless I have forgotten something, which I will just go back and edit if I have) is to properly set up our DNS Forwarder for our uses.

     

    1.) Go to Services > DNS Forwarder  (https://192.168.1.1/services_dnsmasq.php)

    2.) Find the section titled "Interfaces".

    By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, which for this tutorial means only LAN and possibly Localhost. (Be aware, if you do choose to highlight localhost, that if you do a DNS lookup within pfSense (for instance from the firewall logs) this may be a potential privacy leak, as this will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have localhost highlighted. Not highlighting only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)

     

    3.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it.

    4.) Click [ SAVE ]

    5.) Click [ Apply Changes ]

     

    #################################################################################

    #################################################################################

    #################################################################################

    #################################################################################

     

    That's it! You should be off and running with a basic setup for multiple NIC's. Remember our LAN interface faces the clear-net, and AirVPN_LAN will face the VPN. You can now add your fourth interface and set it up either exactly like the LAN, or exactly like the AirVPN_LAN, depending on how you intend to use it. Just give it an individual name and set the rules accordingly. Do not forget to disable the DNS forwarder for any additional interface.

     

    I hope this works for you! Good luck, let me know if you need assistance.


  14. thanks pfsense for the detailed info, I have copied and pasted my desktop nics details:

     

    Connection-specific DNS Suffix: (xxxxxx)

    Description: (xxxxxx) PCIe GBE Family Controller

    Physical Address: (xxxxxx)

    DHCP Enabled: Yes

    IPv4 Address: 192.168.(xxxxxx)

    IPv4 Subnet Mask: 255.255.255.0

    Lease Obtained: Sunday, January 26, 2014 1:41:23 PM

    Lease Expires: Sunday, January 26, 2014 8:41:23 PM

    IPv4 Default Gateway: 192.(xxxxxx)

    IPv4 DHCP Server: 192.(xxxxxx)

    IPv4 DNS Servers: 10.4.0.1, 10.5.0.1

    IPv4 WINS Server:

    NetBIOS over Tcpip Enabled: Yes

    Link-local IPv6 Address: (xxxxxx)

    IPv6 Default Gateway:

    IPv6 DNS Server:

     

    This is under Windows 7 while internet is up and running; where I have put xxxx I do have valid IPs. I think I understand what you are suggesting: to see what these details say when it's working and not working? I'll have an immediate look when it's not working and see if an IP and/or DNS servers are showing.

     

    Excellent. Looking at that snapshot, might I suggest disabling IPv6 on that interface... and perhaps QoS, File and printer sharing (unless you actually share this from this computer), link layer topology discovery responder (lets other computers on your lan discover your computer) and netbios from the IPv4 Properties > General> Advanced > WINS. I suggest this because I assume you are not using features that use this on a computer connected to a VPN. Perhaps you are... but these things can always be reversed.

     

    I will try that website you suggested when it is down I have actually tried airvpn main website and ip leak which never work when connection is down but not tried that 95.111.138.143 website although looks same. It works obviously after 5 minutes wait.

     

    That website is the exact IP address of airvpn.org. This is the address a DNS would retrieve for your computer if you typed in the name "www.airdns.org". We are directly accessing this because this does not require the use of a DNS. If you are able to access this during a down time it will verify where our problem is.

     

    I think you are correct, it's an issue to do with DNS or perhaps DHCP. I'd rather think it was down to the DNS, and OpenVPN entries under pfSense show net and Air as green and up but websites not loading.... usually this is DNS entries gone wrong somewhere.

     

    I thought I fixed it once when I tried adding AirVPN 10.4.0.1 DNS entries in my Windows NIC settings, which suddenly connected straight away and web pages worked when the issue was there... but it only worked a few times; most days it's still the 5 minute wait, so now I leave TCP/IPv4 IP/DNS entries to automatically get them.

     

    Hopefully now your IP and DNS settings in Windows are set to obtain addresses automatically. If pfSense is configured correctly these will be served to any device connected to a NIC directed to do so.

     

    Then again I have stuck to what the pfSense guide showed me only... also added these extra DNS settings as shown here:

    https://airvpn.org/topic/10222-how-to-prevent-dns-leaks-in-pfsense/

    It's routed to my AirVPN gateway to prevent DNS leaks... the guides are done by the same guy and for that same pfSense guide.

     

    No offense meant to Knicker, he has been a great help to the community and his guide is appreciated by many, but I find it to be a bit incomplete, as well as disagreeing with the methods in a few sections. This is one I disagree with. pfSense is not like Windows at all. Windows is designed to try to keep its users connected by all means possible... for the lay person mostly. It will circumvent some rules to keep connected. pfSense on the other hand is based off FreeBSD. It is much more secure in that it will not do or allow anything that you do not explicitly tell it to do. No, for our uses the more correct way would be to disable the DNS Forwarder on VPN interfaces and set the DNS servers on each NIC's DHCP Server page. This is combined with checking the "Skip rules when gateway is down" box found at System > Advanced > Miscellaneous. From the description: "By default, when a rule has a specific gateway set, and this gateway is down, rule is created and traffic is sent to default gateway. This option overrides that behavior and the rule is not created when gateway is down", so by default we are/were telling pfSense to fall back to another Gateway. By checking this check box, which is correct for our uses, pfSense simply will not fail over a down VPN connection to another gateway. For the paranoid, four firewall entries on a VPN facing NIC will both block all possible DNS leaks as well as guarantee the connection itself does not leak, even if someone tries. This is how I have mine set, and would like for you to try.

     

    My pfSense build is an Acer mini ITX PC with an AMD A4-5000 1.5GHz CPU with an Intel 4 NIC network card NC365 (only WAN/LAN currently); the onboard NIC is disabled in BIOS since pfSense doesn't support it, just in case. 30GB SSD for pfSense with 4GB DDR3.

     

    Fantastic! You have extra NIC's for us to use. This will help us as well as teach you how to use the extras. The guide I began to post in another thread will greatly help you. I am going to copy that post I made as well as add to it here so you can enable another interface. But first we have to undo your settings for your current LAN interface and set it correctly. I hope you will try this, I am just going to work on the tutorial right after posting this since I have the time tonight. Please start by following the step I posted above and checking that check box.


  15. Hi pfsense thanks for getting back to me:

     

    I am not sure about the assigned IP address. pfSense does give me a WAN (em0) my ISP IP address, and LAN (em1) is given a pfSense 192.168.1.1 which always works fine; even if the internet is not working it still logs in to the pfSense dashboard/web GUI. And AirVPN (opt1) is assigned an address that looks like one assigned from pfSense which starts with 10.x.x.x. Not sure if that is what you mean?

     

    I am running DHCP on the desktop PC and the same on pfSense; the Air interface is IPv4 Configuration Type: none, as per the guide.

     

    I checked the logs yesterday and again this morning and noticed the same 5 minute wait problem, so I logged into pfSense while the internet was down and checked under gateways and it showed Wan_dhcp as green and online. Also AirVPN as green and online. I got 2% loss on WAN yet no ability to pull websites until the 5 minute wait issue passed.

     

    I have no issues logging into the pfSense web GUI screen and accessing it even when the internet is down; logging into the main pfSense dashboard shows all green up arrows on WAN/LAN/Air. I did note however under OpenVPN status it says AirVPN UDP down. But webpages still load after that 5 minute wait and it still reports as down; sometimes it even says it's up and webpages don't load until the 5 minute wait, of course...

     

    Any ideas are still welcome at this point

     

    What I am asking about the assigned IP is this: If you go to your network settings (I'll assume you are using Windows, so "Network and Sharing Center") on your computer, double click on your NIC, and select "Details", what information is provided? It is important we know what it says when it is malfunctioning. It may also be useful to have a snapshot from when it is working. You can highlight the text and use Ctrl+C to copy the text.

     

    As you can see from this snapshot, DHCP is enabled and pfSense has served me an IP address. Further, pfSense has served me the correct DNS servers as well. This is what it should look like when functioning.

     

    Connection-specific DNS Suffix: XXXXXXXXXXX

    Description: XXX PCIe GBE Controller

    Physical Address: XX-XX-XX-XX-XX-XX

    DHCP Enabled: Yes

    IPv4 Address: 192.168.XXX.XXX

    IPv4 Subnet Mask: 255.255.255.0

    Lease Obtained: Saturday, January 25, 2014 12:15:37 AM

    Lease Expires: Sunday, January 26, 2014 1:15:45 PM

    IPv4 Default Gateway: 192.168.XXX.1

    IPv4 DHCP Server: 192.168.XXX.1

    IPv4 DNS Servers: 10.4.0.1, 10.5.0.1

    IPv4 WINS Server:

    NetBIOS over Tcpip Enabled: No

     

    From what you have noted about the gateway statuses, everything there seems to be OK, which leaves us to seek out other issues. The connection is up so it is not pfSense, AirVPN or your ISP. I suspect it is an issue with the DHCP server and/or the DNS Forwarder, with an emphasis on the DNS Forwarder (this would explain why you CAN log into pfSense and yet have no internet access). If this is the case, it should be easy to correct with a bit of troubleshooting. In the meantime, next time you have this 5 minute delay, can you please enter https://95.211.138.143/ into your web browser? It is the direct IP address for airvpn.org. If this loads, we know it is a DNS Forwarder issue.

     

    I too was going to ask you about the advanced section. I do not think it has to do with your problem, but everyone should have a few entries there, at the very least to match the settings in the .OVPN files provided to us by AirVPN. Further than that, you can use this area to tweak settings towards your use once you become familiar with the options, such as the "verb" setting. This setting controls how much info is shown in the logs. Default is 3, I use 4. The range is 1-5. Here is what I use; you may copy and paste the following string into yours if you wish:

     

    ns-cert-type server; verb 4; tun-mtu 1500; mssfix 1400; explicit-exit-notify 5; mute-replay-warnings; mute 20;

     

    But this brings me to another question, what hardware do you have pfSense installed on... what CPU are you using? I see you use intel NICs which is good. Any serious pfSense install should use intel NICs due to the support they have for BSD.

     

    I hope we can sort you out soon. After I post this, I am going to install Untangle on a separate hard drive to evaluate it compared to pfSense for my needs. I likely need to switch to Untangle mostly for its ability to filter ads.


  16. refresh,

     

    I have a few questions for you that may help me help you with this issue.

     

    When you first come back from being away:

     

    1.) Does your computer have an assigned IP address from pfSense?

     

    2.) Are you able to log into pfSense? If yes, does Status > Gateways show a "online" connection to AirVPN or is it down? If you cannot log in what does the RRD Graph show for that time period? It will tell you if you have been disconnected or if the connection has remained.

     

     

    Also, are you running DHCP or static IP on your computer?


    Hi, thanks for the confirmation. Yes, I have just this one major issue, which only really occurs the following morning when I switch on the PC and attempt to connect to the net; it just takes a few minutes before it jump starts, and once it gets going it's 100% fine.

     

    I have recently attempted to redo the pfSense guide but with just LAN/WAN (2 ports) and keep it as simple and 100% the same as illustrated in the guide, but still no joy the following morning; in between that time, like now, it works flawlessly.

     

    Yeah, I agree it feels like a wrong setting, but it's very hard to track down when you followed the guide tick for tick and many times.

     

    Do you leave your pfSense PC on 24/7 and it has no such issues the following morning? Do you also use the AirVPN 10.4.0.1/10.5.0.1 DNS settings?

     

    I do monitor the OpenVPN logs and yeah, I see some errors from time to time... but nothing that has prevented it working during the day.

     

    How do I go about checking packet loss? Thanks

     

    Yes, I leave pfSense running 24/7... that is its intended use. It is the firewall and router for my entire network and must be on at all times.

     

    To monitor packet loss on the AirVPN gateway you must enter a monitoring IP. I simply use 10.4.0.1 and it works well enough.

     

    Go to System > Routing

    The Gateways tab is already selected, so go to your AirVPN gateway on the page and find and select [e] edit button on the right.

    Find Monitor IP and enter your monitor IP of choice. 10.4.0.1 works.

    You will now be able to monitor packet loss on that gateway both under Status > Gateways and Status > RRD Graphs > Quality

    The RRD Graphs may give you some insight into why you are disconnecting.


  18. No, they do not drop when not in use.

     

    I do not have this issue. I have noticed you seem to have a number of issues with your setup. I do not have any of the issues you state. They are not normal. I have not responded before because it is not the fault of pfSense or AirVPN. You either have an issue with your ISP, choice of equipment, or human error in your install.

     

    Do you monitor your AirVPN gateway? What is the packet loss?


    Unfortunately what you told me so far is not working. Setting the IP in the firewall via alias above the VPN Rule by itself does not work ;-(. There is another step somewhere we are overlooking. I would really appreciate it if you could take a look at your connections and configuration and figure out that needed step for us. I've been trying and trying to no avail. Searching different forums.... It's driving me absolutely crazy. If you could figure it out I would look west and pray NickSpam every day for the rest of my life hahah.

     

    It sounds to me the missing step for what you are trying to do may be setting an outbound NAT rule for that individual static IP that also designates the correct gateway. That rule has to be above the other outbound NAT rules for that interface or it will route it through the gateway that is default for that NIC first, negating the firewall rule. You would also likely have to assign DNS to the static ip under SERVICES > DHCP SERVER.

     

    Other than that, I disagree with this method as you have multiple NIC's. Each NIC should be either only for VPN or only for clear-net. Not that it cannot be done, but you have other NIC's and it is safer to isolate them. You can have VOIP, Gaming all on the original LAN from pfSense install facing clear net. Another NIC can be only VPN. A third NIC or more can be set for only VPN or only clear-net... it's up to you. But why mix gateways on one interface when you have multiple? I have given you the basics of how to set interfaces for a specific gateway. I will help if you wish to set it up for Single gateway per NIC. Soon I will have a tutorial as well.


    This is all assuming you have followed the other steps in the guide posted here to set up your interfaces, outbound NAT and advanced firewall routing rules to force traffic over the gateway it is intended for. My apologies if this does not help due to not covering enough steps. I have planned to make a full tutorial for those of us with multiple NIC's that is bulletproof as far as leaks. I have tested it for months and it works. I will post the tutorial as soon as I can find the time.


    First off, great tutorial. Works great. I had a more advanced question I hope you can help me with.

     

    I run a home office from my house as well as about 5 computers on the network. I also have on my network a VOIP box that allows me to use Google Voice to call and fax from. However, when connected to the VPN faxing often doesn't work and kicks out. When the VPN is off faxing is fine.

     

    I have 3 NIC's on my pfSense box. One is for the WAN, the other is for the LAN which connects to a wireless AP switch which feeds the rest of the computers and the box for VOIP. The 3rd NIC is not used.

     

     

    So my question is: Is there a way that I can set the one LAN to tunnel through the VPN and the other LAN to connect as usual, as if no VPN is on? I am not sure if this is possible. But it would be great if it can.

     

     

    Just for more information, my setup is as follows: CABLE MODEM > PFSENSE WAN (NIC1) > LAN (AIRVPN TUNNEL)(NIC2) > GIGABIT WIRELESS AP/SWITCH > Computers/VOIP BOX.

    What I would like, if possible:

    CABLE MODEM > PFSENSE WAN (NIC1) > LAN (AIRVPN TUNNEL)(NIC2) > GIGABIT WIRELESS AP/SWITCH > COMPUTERS
                                     > LAN (NO VPN TUNNEL)(NIC3) > VOIP BOX FOR PHONE AND FAX

     

    Any help would be appreciated. Thank you in advance! 

     

    Best Regards,

    JetFn1

     

     

    JetFn1,

     

    The issue you are having is due to the guide you followed not being entirely accurate for those of us using multiple network interface cards. I have 8 NIC's, which I will not explain fully in this post. I have my reasons, but mainly I needed a NIC and subnet just for VOIP, a NIC and subnet just for XBOX traffic, a NIC and subnet just for ISP facing traffic, and multiple NIC's and subnets that are routed over the VPN. This facilitates much more manageable firewall rules pages for each type of traffic and reduces the chance of human error. It also makes it much easier to monitor traffic when it is separated by interface. Anyway, moving on.

     

    First of all, being that you want one NIC to face your ISP and another to face AirVPN, you do not need to follow the steps of switching the gateway of the initial "LAN" interface that is created during pfSense install. It is more trouble than it is worth renaming and editing certain characteristics of that interface, and is also unnecessary for us. Let that just be and focus on setting up the secondary NIC (which we will call AirVPN_LAN) to face AirVPN by setting the advanced firewall rules to route the traffic over the AirVPN_WAN (or whatever you have named it) gateway. After this, we need to properly set up the DNS forwarder to not blindly forward the DNS servers to all NIC's, then properly set the DNS for the AirVPN_LAN.

     

    Setting it this way allows you to use the DNS servers of your choice (entered where you currently have the AirVPN DNS servers under System > General Setup > DNS Servers) for *NON* VPN traffic and network interface cards. For your uses these will be used by your LAN. I choose to use my ISP's DNS here because for gaming the latency is important. You may choose OpenDNS or any other public DNS here as well, but not the AirVPN DNS servers, because as you have noticed you must be connected for those to function. We will then manually set the AirVPN_LAN interface to use only the AirVPN DNS Servers under the DHCP Server settings page. I will stress this again: DNS servers set under System > General Setup > DNS Servers are ONLY for *NON* VPN traffic and network interface cards. To use the AirVPN DNS servers on the proper interface/s there are extra steps involved.

     

    Here is how I have mine set up:

    1.) Go to Services > DNS Forwarder, then find the section titled "Interfaces".

    By default all interfaces are selected. Using the Ctrl key, select only the interface/s you wish to face your ISP, and possibly localhost. (Be aware, if you do choose to highlight localhost, that if you do a DNS lookup within pfSense (for instance from the firewall logs) this may be a potential privacy leak, as this will use the ISP facing DNS servers you set under System > General Setup > DNS Servers. For my uses, since I am not a whistleblower and this is not critical, I choose to have localhost highlighted. Not highlighting only affects these lookups and is not critical to the functionality of your firewall. There are a number of websites that can do this for you once you are accessing through the VPN if you need it.)

     

    2.) Under this there is a check box titled "Strict Interface Binding". Check this box to enable it, then click "Save"

     

    3.) Go to Services > DHCP server and select the tab for your "AirVPN_LAN"

    Find the section here titled "DNS Servers" and enter your AirVPN DNS server/s here (10.4.0.1 etc.) then click "Save"

     

    At this point pfSense will not serve the incorrect DNS servers anywhere, but we will go one step further and create firewall rules to block any potential DNS leaks by a program that seeks another DNS server on its own. This is in a sense redundant, because if you have the advanced firewall rules set for the correct gateway these requests would be funneled through the VPN anyway, but I still use them since nothing should be attempting to use any other DNS, and these rules will block any such attempt.

     

    4.) Go to Firewall > Aliases

    Click the [+] to "Add a new Alias"

    Name = AirVPN_DNS_Servers

    Description = AirVPN_DNS_Servers

    Type = Hosts

    Under the "Hosts" section, using the [+] near the bottom create new entries and enter two or more of the following AirVPN DNS Servers: 10.4.0.1, 10.5.0.1, 10.6.0.1, 10.7.0.1, 10.8.0.1, 10.9.0.1, 10.30.0.1, 10.50.0.1

    Click "Save"

     

    5.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "ALLOW_AirVPN_DNS"

    Action = Pass

    Interface = AirVPN_LAN

    TCP/IP Version = IPv4

    Protocol = UDP

    Source = Any

    Destination = (Single host or Alias) AirVPN_DNS_Servers

    Destination port range = DNS

    Description = ALLOW_AirVPN_DNS

    IMPORTANT STEP --> ADVANCED FEATURES > GATEWAY = AirVPN_WAN (or whatever you have named your AirVPN Gateway, it will appear in the drop down)

     

    6.) Go to Firewall > Rules and Select your "AirVPN_LAN" interface.

    Click the [+] on the right to "Add New Rule" and create a rule we will title "BLOCK_DNS_LEAKS"

    Action = Block

    Interface = AirVPN_LAN

    TCP/IP Version = IPv4

    Protocol = UDP

    Source = Any

    Destination = Any

    Destination port range = DNS

    Log = Checked (this will alert you in your firewall logs if something does attempt to use alternate DNS)

    Description = BLOCK_DNS_LEAKS

    *** For this rule we will NOT set the advanced setting for gateway

     

    7.) Go to Firewall > Rules > AirVPN_LAN

    The order of the rules we just created is important!

    These rules should be near the top of your firewall rules list for this interface. Ideally the only rule above them should be a GUI lockout rule, if you have one. Further than this, the "Allow" rule MUST BE ON TOP of the "Block" rule. You can select the rules' check boxes and re-organize them accordingly.

     

    That's it, you should be set to go. You can verify it is functioning correctly by going to any number of DNS leak test sites on anything connected to the VPN connected NIC.

     

    http://www.dnsleaktest.com/

    https://www.grc.com/dns/dns.htm
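As an added illustration (not code from either post, and not anything pfSense itself ships), here is a small Python model of first-match rule evaluation for the AirVPN_LAN ruleset described in the multi-NIC tutorial above (the four rules) and in this post (the ALLOW_AirVPN_DNS / BLOCK_DNS_LEAKS pair). It assumes the alias holds 10.4.0.1 and 10.5.0.1, the AirVPN_LAN subnet 192.168.123.0/24, gateways named AirVPN_WAN and WAN_DHCP, and a constructed client address 192.168.123.50; it shows why the rule order matters and what the "Skip rules when gateway is down" box changes when the VPN drops.

```python
"""Constructed model of the AirVPN_LAN ruleset from the posts above.

Not pfSense code: it reproduces the first-match ("quick") semantics of
interface rules closely enough to reason about ordering and leak cases.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Alias as created under Firewall > Aliases (two of the AirVPN DNS servers).
ALIASES = {"AirVPN_DNS_Servers": ["10.4.0.1", "10.5.0.1"]}
DEFAULT_GATEWAY = "WAN_DHCP"  # the ISP-facing default gateway (assumed name)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "block"
    proto: str = "any"             # "any", "udp" or "tcp"
    src: str = "any"               # "any" or a CIDR
    dst: str = "any"               # "any", a CIDR or an alias name
    dport: Optional[int] = None    # None = any destination port
    gateway: Optional[str] = None  # Advanced > Gateway; None = normal routing
    log: bool = False


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Decision:
    rule: str
    action: str
    gateway: Optional[str]  # gateway the packet would leave through, if passed
    logged: bool


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec in ALIASES:
        return addr in ALIASES[spec]
    return ip_address(addr) in ip_network(spec, strict=False)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, gateways_up: Set[str],
             skip_when_gw_down: bool = True) -> Decision:
    """Top-to-bottom, first match wins.

    gateways_up: names of gateways currently online (Status > Gateways).
    skip_when_gw_down: the System > Advanced > Miscellaneous checkbox
    "Skip rules when gateway is down" quoted in the thread.
    """
    for rule in rules:
        gw_down = rule.gateway is not None and rule.gateway not in gateways_up
        if gw_down and skip_when_gw_down:
            continue  # rule is simply not created while its gateway is down
        if not _matches(rule, pkt):
            continue
        if rule.action == "block":
            return Decision(rule.name, "block", None, rule.log)
        # Default pfSense behaviour quoted in the thread: a pass rule whose
        # gateway is down is still created and traffic goes to the default
        # gateway, i.e. out the ISP side.
        gw = DEFAULT_GATEWAY if (gw_down or rule.gateway is None) else rule.gateway
        return Decision(rule.name, "pass", gw, rule.log)
    return Decision("(implicit default deny)", "block", None, False)


# The four rules, in the order the tutorial says they must appear.
AIRVPN_LAN_RULES = [
    Rule("ALLOW_AirVPN_DNS", "pass", "udp", "any", "AirVPN_DNS_Servers", 53, "AirVPN_WAN"),
    Rule("BLOCK_DNS_LEAKS", "block", "udp", "any", "any", 53, log=True),
    Rule("Allow AirVPN_LAN to any", "pass", "any", "192.168.123.0/24", "any", None, "AirVPN_WAN"),
    Rule("BLOCK ALL ELSE AirVPN_LAN", "block", log=True),
]

CLIENT = "192.168.123.50"  # constructed AirVPN_LAN client address


def misordered() -> List[Rule]:
    """The same rules with the DNS block placed above the DNS allow."""
    return [AIRVPN_LAN_RULES[1], AIRVPN_LAN_RULES[0]] + AIRVPN_LAN_RULES[2:]


if __name__ == "__main__":
    up = {"AirVPN_WAN", "WAN_DHCP"}
    for pkt in (Packet("udp", CLIENT, "10.4.0.1", 53),
                Packet("udp", CLIENT, "8.8.8.8", 53),
                Packet("tcp", CLIENT, "203.0.113.10", 443)):
        print(pkt.dst, pkt.dport, "->", evaluate(AIRVPN_LAN_RULES, pkt, up))
    vpn_down = {"WAN_DHCP"}
    web = Packet("tcp", CLIENT, "203.0.113.10", 443)
    print("VPN down, skip on :", evaluate(AIRVPN_LAN_RULES, web, vpn_down))
    print("VPN down, skip off:", evaluate(AIRVPN_LAN_RULES, web, vpn_down, False))
```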
