Re: [pfSense] DNS configurazione under VPN

2018-05-13 Thread Chris L

> On May 13, 2018, at 11:39 AM, WebDawg  wrote:
> 
> "In any case, if you configure your DNS Resolver to use the LAN
> interface as outgoing interface, the DNS Resolver should use the same
> routing as your computer, VPN or not."
> 
> Can anyone confirm that this is true?  I never tested it, but it would
> be nice to get a confirm.  I had an issue, similar to what Antonio is
> trying to do, that required something like this in the past.

No. Unfortunately it is not true.

Traffic originating from the firewall itself is never policy routed.

In that case it is sourced from LAN address but it never actually arrives into 
LAN and is therefore not policy routed according to the rules there.

That configuration will, however, make that traffic interesting to IPsec as 
long as the source address and the DNS server are contained in a traffic 
selector (phase 2). It can also be routed across OpenVPN according to the 
routing table to a server on the other side of the VPN and, thanks to the LAN 
source address, the other side might be able to route back.

dnsmasq (the DNS forwarder) can be a little more flexible here since you can 
select a different source address for each domain override.

Really though, the best solution for policy routing DNS (and LDAP and RADIUS, 
etc) traffic is to tell the clients to use server(s) on the inside network 
(external to the firewall). That way any resolution queries that server has to 
do can be policy routed however you want just like any other traffic into LAN.
> 

> Also, are not the firewall rules ingress only, what would be the
> relationship between the DNS resolver being on an ingress interface
> instead of egress?  How does it 'set itself up' on this interface?
> 
> On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvard  wrote:
>> Hi,
>> 
>> Try this :
>> 
>> - Create a gateway group (System / Routing / Gateway Groups) with VPN
>> Gateway as Tier 1 and WAN Gateway as Tier 2
>> 
>> - Use this gateway group as outgoing gateway (in my config, I use a LAN
>> Firewall rule with the created gateway group, and I use LAN as outgoing
>> interface for my DNS Resolver).
>> 
>> In any case, if you configure your DNS Resolver to use the LAN interface as
>> outgoing interface, the DNS Resolver should use the same routing as your
>> computer, VPN or not.
>> 
>> 
>> 
>> 
>> On 07-05-18 at 01:09, Antonio wrote:
>>> 
>>> After messing around for much of the weekend and reading a bit here and
>>> there I have made one small step to achieving my goal. Basically, I am
>>> able to bind the DNS Resolver to the VPN interface by selecting it
>>> under "Outgoing Network Interfaces". This way all traffic goes through the
>>> VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
>>> I do not have any leaks and this is very positive.
>>> 
>>> The only problem is that when the VPN link fails, then I cannot resolve
>>> DNS queries anymore on my LAN devices. So, what I need to do now, is
>>> understand how I can achieve this automatically, i.e. when the VPN link
>>> comes up, it tells the DNS Resolver to route through the VPN tunnel;
>>> when the VPN link is down, it tells the DNS Resolver to route the DNS
>>> queries through the LAN interface. Any suggestions?
>> 
>> --
>> Best regards...
>> 
>> _  Want to focus on your core business?
>> (_'We manage and monitor your servers for you
>> ,_)téphane Bouvard   http://www.myown.eu
>> 

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
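
A check for the leak discussed in this thread, as an added example that is not part of any poster's message: when the resolver is meant to send its queries through the VPN, a capture taken on the WAN interface should show only tunnel packets, so any cleartext query to port 53 seen there is a leak. The capture lines are constructed samples in `tcpdump -n` text format using documentation addresses; the function names and the tunnel port 1194 in the sample are assumptions.

```python
import re
from collections import Counter

# tcpdump -n text line (IPv4 only): "<time> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
# For a DNS query tcpdump prints "<id>[flags] <QTYPE>? <name>."
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")

# Constructed sample of a WAN-side capture: two tunnel packets, two cleartext
# queries leaving outside the tunnel, and one answer coming back.
SAMPLE_WAN_CAPTURE = """\
14:02:11.120455 IP 198.51.100.20.51514 > 192.0.2.10.1194: UDP, length 101
14:02:11.348210 IP 198.51.100.20.33211 > 203.0.113.53.53: 4242+ A? www.example.com. (33)
14:02:11.391002 IP 203.0.113.53.53 > 198.51.100.20.33211: 4242 1/0/0 A 192.0.2.80 (49)
14:02:12.010001 IP 198.51.100.20.15322 > 203.0.113.54.53: 5150+ [1au] AAAA? mail.example.net. (45)
14:02:12.500000 IP 198.51.100.20.51514 > 192.0.2.10.1194: UDP, length 133
""".splitlines()


def find_dns_leaks(lines):
    """Return (src, dst, qtype, qname) for each cleartext DNS query in the capture."""
    leaks = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue  # unparsed line, tunnel traffic, or a reply (source port 53)
        q = QUERY_RE.search(m["rest"])
        if q:
            leaks.append((m["src"], m["dst"], q["qtype"], q["qname"].rstrip(".")))
    return leaks


def leaks_by_server(leaks):
    """Count leaked queries per destination DNS server."""
    return Counter(dst for _src, dst, _qtype, _qname in leaks)


if __name__ == "__main__":
    found = find_dns_leaks(SAMPLE_WAN_CAPTURE)
    for src, dst, qtype, qname in found:
        print(f"LEAK {src} -> {dst} {qtype} {qname}")
    print(dict(leaks_by_server(found)))
```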

Re: [pfSense] DNS configurazione under VPN

2018-05-13 Thread WebDawg
"In any case, if you configure your DNS Resolver to use the LAN
interface as outgoing interface, the DNS Resolver should use the same
routing as your computer, VPN or not."

Can anyone confirm that this is true?  I never tested it, but it would
be nice to get a confirm.  I had an issue, similar to what Antonio is
trying to do, that required something like this in the past.

Also, are not the firewall rules ingress only, what would be the
relationship between the DNS resolver being on an ingress interface
instead of egress?  How does it 'set itself up' on this interface?

On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvard  wrote:
> Hi,
>
> Try this :
>
> - Create a gateway group (System / Routing / Gateway Groups) with VPN
> Gateway as Tier 1 and WAN Gateway as Tier 2
>
> - Use this gateway group as outgoing gateway (in my config, I use a LAN
> Firewall rule with the created gateway group, and I use LAN as outgoing
> interface for my DNS Resolver).
>
> In any case, if you configure your DNS Resolver to use the LAN interface as
> outgoing interface, the DNS Resolver should use the same routing as your
> computer, VPN or not.
>
>
>
>
> On 07-05-18 at 01:09, Antonio wrote:
>>
>> After messing around for much of the weekend and reading a bit here and
>> there I have made one small step to achieving my goal. Basically, I am
>> able to bind the DNS Resolver to the VPN interface by selecting it
>> under "Outgoing Network Interfaces". This way all traffic goes through the
>> VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
>> I do not have any leaks and this is very positive.
>>
>> The only problem is that when the VPN link fails, then I cannot resolve
>> DNS queries anymore on my LAN devices. So, what I need to do now, is
>> understand how I can achieve this automatically, i.e. when the VPN link
>> comes up, it tells the DNS Resolver to route through the VPN tunnel;
>> when the VPN link is down, it tells the DNS Resolver to route the DNS
>> queries through the LAN interface. Any suggestions?
>
> --
> Best regards...
>
>  _  Want to focus on your core business?
> (_'We manage and monitor your servers for you
> ,_)téphane Bouvard   http://www.myown.eu
>

Re: [pfSense] DNS configurazione under VPN

2018-05-07 Thread Stephane Bouvard

Hi,

Try this :

- Create a gateway group (System / Routing / Gateway Groups) with VPN 
Gateway as Tier 1 and WAN Gateway as Tier 2


- Use this gateway group as outgoing gateway (in my config, I use a LAN
Firewall rule with the created gateway group, and I use LAN as outgoing
interface for my DNS Resolver).


In any case, if you configure your DNS Resolver to use the LAN interface
as outgoing interface, the DNS Resolver should use the same routing as
your computer, VPN or not.





On 07-05-18 at 01:09, Antonio wrote:

After messing around for much of the weekend and reading a bit here and
there I have made one small step to achieving my goal. Basically, I am
able to bind the DNS Resolver to the VPN interface by selecting it
under "Outgoing Network Interfaces". This way all traffic goes through the
VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
I do not have any leaks and this is very positive.

The only problem is that when the VPN link fails, then I cannot resolve
DNS queries anymore on my LAN devices. So, what I need to do now, is
understand how I can achieve this automatically, i.e. when the VPN link
comes up, it tells the DNS Resolver to route through the VPN tunnel;
when the VPN link is down, it tells the DNS Resolver to route the DNS
queries through the LAN interface. Any suggestions?

--
Best regards...

 _  Want to focus on your core business?
(_'We manage and monitor your servers for you
,_)téphane Bouvard   http://www.myown.eu

Re: [pfSense] DNS configurazione under VPN

2018-05-06 Thread Antonio
After messing around for much of the weekend and reading a bit here and
there I have made one small step to achieving my goal. Basically, I am
able to bind the DNS Resolver to the VPN interface by selecting it
under "Outgoing Network Interfaces". This way all traffic goes through the
VPN tunnel, including DNS queries. In fact, when I go on dnsleaktest.com,
I do not have any leaks and this is very positive.

The only problem is that when the VPN link fails, then I cannot resolve
DNS queries anymore on my LAN devices. So, what I need to do now, is
understand how I can achieve this automatically, i.e. when the VPN link
comes up, it tells the DNS Resolver to route through the VPN tunnel;
when the VPN link is down, it tells the DNS Resolver to route the DNS
queries through the LAN interface. Any suggestions?

Thanks

Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.

On 03/05/2018 20:29, Antonio wrote:
> Hi folks,
>
> I'm trying to understand why I get DNS leaks. I am connecting to VPN
> Italian server from UK and when I go to www.dnsleaktest.com, the main
> page says I'm connecting from Italy but then, when I do the advanced or
> standard tests, these say I'm located in the UK.
>
> I have:
>
> 2.4.3-RELEASE (amd64)
> built on Mon Mar 26 18:02:04 CDT 2018
> FreeBSD 11.1-RELEASE-p7
>
> Installed on a mini PC that is connected via WAN on a DSL modem (setup
> in pass through mode, not router mode). pfSense is acting as a DNS
> Resolver even though I have OpenDNS set in the GENERAL tab (I
> believe these are not being used because I'm connected via DNS
> Resolver). Would it be best to configure pfSense as DNS Forwarder?
> Although I'm not sure that this is going to resolve my DNS leak problem.
> All clients are configured with a DNS set to the IP of the pfSense
> machine. Any suggestions on what is the best way to configure DNS on
> pfSense where occasionally I fire up my OpenVPN connection?
>
> Many thanks
>



Re: [pfSense] DNS configurazione under VPN

2018-05-04 Thread Steve Yates
I'm not sure I understand how a web page can tell where DNS responses 
to the OS are coming from, but I suspect what you may want is the DNS Resolver 
checkbox for "Enable Forwarding Mode" which will force pfSense to forward the 
query on, rather than try to resolve the query against the root servers.  Then 
it would use your OpenDNS servers, and where those servers are is up to 
OpenDNS.  I assume they're big enough to have them worldwide...?

--

Steve Yates
ITS, Inc.

-----Original Message-----
From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio
Sent: Thursday, May 3, 2018 2:29 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS configurazione under VPN

Hi folks,

I'm trying to understand why I get DNS leaks. I am connecting to VPN
Italian server from UK and when I go to www.dnsleaktest.com, the main
page says I'm connecting from Italy but then, when I do the advanced or
standard tests, these say I'm located in the UK.

I have:

2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7

Installed on a mini PC that is connected via WAN on a DSL modem (setup
in pass through mode, not router mode). pfSense is acting as a DNS
Resolver even though I have OpenDNS set in the GENERAL tab (I
believe these are not being used because I'm connected via DNS
Resolver). Would it be best to configure pfSense as DNS Forwarder?
Although I'm not sure that this is going to resolve my DNS leak problem.
All clients are configured with a DNS set to the IP of the pfSense
machine. Any suggestions on what is the best way to configure DNS on
pfSense where occasionally I fire up my OpenVPN connection?

Many thanks

-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.



[pfSense] DNS configurazione under VPN

2018-05-03 Thread Antonio
Hi folks,

I'm trying to understand why I get DNS leaks. I am connecting to VPN
Italian server from UK and when I go to www.dnsleaktest.com, the main
page says I'm connecting from Italy but then, when I do the advanced or
standard tests, these say I'm located in the UK.

I have:

2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7

Installed on a mini PC that is connected via WAN on a DSL modem (setup
in pass through mode, not router mode). pfSense is acting as a DNS
Resolver even though I have OpenDNS set in the GENERAL tab (I
believe these are not being used because I'm connected via DNS
Resolver). Would it be best to configure pfSense as DNS Forwarder?
Although I'm not sure that this is going to resolve my DNS leak problem.
All clients are configured with a DNS set to the IP of the pfSense
machine. Any suggestions on what is the best way to configure DNS on
pfSense where occasionally I fire up my OpenVPN connection?

Many thanks

-- 


Respect your privacy and that of others, don't give your data to big 
corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging 
or 
Diaspora* (https://joindiaspora.com/) for your social networking.
