Messages - FingerlessGloves

#16
Quote from: frankw on April 30, 2021, 02:38:40 PM
Quote from: FingerlessGloves on April 27, 2021, 07:11:42 PM
Glad to hear it's working great for you. I also find it worth using a known good speedtest server.
I saw you have a script for PIA, curious if you were able to get port forwarding working using the new kernel mod with PIA, and if so how? :)

Port forwarding works and it's mentioned at the bottom of my Scripts README :)
#17
Glad to hear it's working great for you. I also find it worth using a known good speedtest server.

I usually try to use http://ovh.net as I know all their test locations are 10 Gbit connections, if speedtest.net is looking to give odd/varying results.
#18
21.1 Legacy Series / Re: NPTv6 only working one way
April 27, 2021, 10:23:42 AM
Could be 20.7.6, I wasn't monitoring IPv6...

I'm running 21.1.5 currently and it's still not working. Funnily enough I too am getting the issue at OVH.

leifnel, do you have a backup of your firewall from when you were running 20.7.5? Or have you already reverted back?
#19
Yeah I see that side of it too.

Might be worth adding a note or something to the docs instead, if this is the preferred route, since you say it's working but not as expected.

Thanks for the clarification, so you would recommend upping the iplen from 52 to 100?
#20
Ah, so it looks like only the new iplen was added, instead of/as well as amending the protocol "tcp (ACK packets only)".

Shame it wasn't both 🤭

I've added an iplen of 52 and it looks much better now, although without the research it makes it look like the option is broken..

Thoughts?
#21
Where did we get to with this? Just getting iplen on the rule to overcome the problem?
#22
Quote from: Servergeek on April 04, 2021, 10:11:05 PM
It could be the way I have it set up, it is fed from a wifi/router combo (I don't have access to configure it)

It's kinda weird because before I had a PFsense box going and had no issues.

Does pfSense do forwarding by default though? 🤔
#23
I'm not sure personally, maybe your ISP is not letting you get to the root DNS servers

https://www.iana.org/domains/root/servers
#24
Hey,

Have you tried changing the DNS mode of unbound to do forwarding to say Cloudflare or Quad9?

By default unbound works as a recursive DNS server, but changing it to forwarding is a common thing people do.

A quick test to see if that's the issue is to override DNS on the client machine, to see if the internet starts functioning correctly; if it does then unbound is the issue.
#25
Quote from: djronh1 on March 13, 2021, 10:57:32 PM
Yes, pTables does have IP resolved for FQDN I had set

Screenshot us your rule then, because it sounds like it should be working.
#26
Ah ok :-)

Go to "Firewall: Diagnostics: pfTables" and select your alias from the drop down, is it populated with the IPs you expect?
#27
Quote from: djronh1 on March 13, 2021, 06:05:46 PM
I'm only using YouTube.com as an example .... the destinations I'm trying to force thru VPN are simple websites that resolve to a single IP.

I was able to setup rules easily on my old Asus router (via AsusWrt-Merlin firmware).

So I'm hoping that achieving the same thing with OPNsense should be doable.

Oh then if they're simple websites, this is very doable.

Have you made sure your SitesToVPn rule is above your rule that allows traffic to the internet?
Also you need to make sure the Outbound NAT rule is there.
#28
Quote from: djronh1 on March 13, 2021, 05:13:50 PM
I created a hosts alias for both group of PCs (PC1, PC2, & PC3), and another host alias for destinations that should be routed via VPN (e.g. UseVPN alias has YouTube.com, Amazon.com, google.com).

I setup rule same as listed in main post, but instead of !RFC, I have UseVPN as destination... but this is not working. All traffic continues to go out WAN interface. But works fine when I revert back to !RFC

Because you're only looking at the hosts in the main URL of the webpage; when you load youtube.com you make many other requests to domains other than youtube.com.

If you press F12 on a blank tab, click the Network tab in the newly popped up window. Then browse to YouTube; you will see other domains other than youtube.com being loaded. For example "i.ytimg.com".
Trying to VPN certain websites via their base URL domain isn't always possible when they use a CDN, or a CDN of their own, because usually many other domains get used.

One way around it is to VPN the IP blocks that YouTube uses, but even this isn't always a foolproof way.
So you could get an IP for youtube.com, which for me is "216.58.210.206", then look up what ASN the IP is a part of, which is AS15169, then get all the IPs owned by this ASN number. Which is a lot of ranges, because it's Google's ASN, so any traffic going to Google in these ranges would get VPN'd.

https://traceroute-online.com/ip-asn-lookup/

What you're trying to do is not easy...
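To make the point of the post concrete, here is an added example (not code from the original poster or from OPNsense) that models the two alias styles described: a host alias holding only the A record of youtube.com, and an alias built from an ASN lookup. The prefix list and the DNS answers other than the 216.58.210.206 value quoted in the post are constructed sample data; a real ASN lookup returns a much longer list.

```python
import ipaddress

# Host alias built the way the original poster did: the single A record of the
# site's main domain. 216.58.210.206 is the youtube.com address quoted in the post.
HOST_ALIAS = ["216.58.210.206/32"]

# Alias built from an ASN lookup instead. These prefixes are constructed sample
# values standing in for the (much longer) list an AS15169 lookup returns.
ASN_ALIAS = ["216.58.192.0/19", "142.250.0.0/15", "172.217.0.0/16"]

# Constructed DNS answers for the example; only the youtube.com entry is from the post.
RESOLVED = {
    "youtube.com": "216.58.210.206",
    "i.ytimg.com": "142.250.74.54",
    "example.org": "93.184.216.34",
}


def build_alias(prefixes):
    """Parse CIDR strings into networks and collapse overlapping or adjacent
    ones, which is worth doing before pasting a long ASN range list into an alias."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def matching_prefix(ip, alias):
    """Return the most specific alias entry containing ip, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in alias if addr in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def route_decision(host, alias, resolved=RESOLVED):
    """'VPN' if the host's resolved address is covered by the alias, else 'WAN'."""
    return "VPN" if matching_prefix(resolved[host], alias) else "WAN"


def page_load_report(hosts, alias):
    """Map every domain a page load touches to the gateway it would take."""
    return {h: route_decision(h, alias) for h in hosts}


if __name__ == "__main__":
    hosts = ["youtube.com", "i.ytimg.com", "example.org"]
    # The host alias only catches youtube.com itself; the CDN host i.ytimg.com
    # falls through to WAN, which is the behaviour the post describes.
    print("host alias:", page_load_report(hosts, build_alias(HOST_ALIAS)))
    # The ASN alias catches both, at the cost of sending everything in those
    # ranges (not just YouTube) over the VPN.
    print("ASN alias: ", page_load_report(hosts, build_alias(ASN_ALIAS)))
```

Running it shows the trade-off in one line each: the host alias routes only youtube.com over the VPN, while the ASN alias routes both youtube.com and i.ytimg.com over it and leaves unrelated example.org on WAN. The over-match is the cost the post warns about, since every other service in those ranges takes the tunnel too.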
#29
Ah I gotcha, good use of a container to put Pi-hole in.

Hmm have you misconfigured your gateway or something on the containers? Can the containers ping OPNsense?

Some people say you're better off not restoring pfSense to OPNsense, as it can cause odd issues, but I think that's mainly for complex setups.

Yeah I have an IoT network so I get the point of that requirement.

That guide looks fine, more or less how I would go about it, pretty much.

I can TeamViewer your machine if you want me to see the setup with my own eyes, if not can keep chatting here  :)
#30
Hi,

That default deny rule in the floating rules will get caught by any interface, so no, you don't need to create any end deny rules in your interface rules.

How do you want DNS configured: in forwarding mode to something like 1.1.1.1 or 8.8.8.8, or in recursive DNS mode?
In that guide he's using the two DNS services on different networks; do you really need that complexity? You can just send all your DNS traffic to SurfsharkVPN's DNS server via the DNS servers in the DHCP settings, if you want VPN'd clients to use the VPN connection, or you can use NAT rules to NAT any traffic going to port 53 and redirect it over the tunnel to SurfsharkVPN. Many ways to do this one.
Personally I use DNS over TLS and send all DNS requests using that, to stop the ISP snooping on it.

As for the networking issue in your containers, that sounds like an issue with your setup; if VMs get an IP then something else is amiss with your containers.