Hi all. I have configured my pfSense firewall to intercept and redirect DNS as per @neogrid’s guide. My VLAN numbers are different, and I have two VLANs that need to go out in the clear instead of one, but it is essentially the same. I have a main and a failover WAN, so there’s a gateway group for that. And I set up 3 AirVPN clients in a load-balance gateway group.
The DNS routing works as expected for DNS traffic that is already pointed to the firewall (i.e. the device is trying to use the firewall as its DNS server), as evidenced by dnsleaktest. The VLAN with AirVPN as a WAN resolves through AirVPN, and the VLANs in the clear resolve through Quad9 as set in Settings > General.
But if a device has a manually set DNS, like someone punched in 220.127.116.11 on their NIC or their phone’s Wi-Fi config, that is not getting intercepted by the NAT port-forwarding rules and processed on the firewall. It is flying right through to Google according to dnsleaktest. I have been through the configuration 100 times and nothing is set wrong. I’ve seen a few other posts from people having similar problems and I’m not seeing a solution. TBH I don’t see how it’s even possible with the rules. How is anything getting past on port 53 with those port forwards in place??
Since I’m a new user, I can’t post my screenshots all here so sorry for the replies with one at a time.
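One way to verify the interception from a client on the VLAN, independently of an online leak test, is to send a DNS query straight to an outside resolver IP and ask for a name that only the firewall's own resolver can answer. If the port forward is catching the query, the firewall answers with the internal address; if it is leaking, the outside resolver returns NXDOMAIN. The script below is an added example written for this thread, not code from the original post or from pfSense. It assumes the firewall's resolver has a host override (the name `fw-override.lan.example` and the address `10.0.0.5` used here are placeholders) and that you pass the external resolver IP on the command line. It probes both UDP and TCP on port 53, because a redirect rule that only matches one protocol is a common reason a client's hard-coded resolver still slips through.

```python
"""Client-side check: is a DNS query to an arbitrary resolver IP intercepted by the firewall?

Added example (not part of the original post). Assumptions, both placeholders:
  - OVERRIDE_NAME is a host override that exists only on the firewall's resolver
  - OVERRIDE_IP is the address that override returns
"""
import random
import socket
import struct
import sys

OVERRIDE_NAME = "fw-override.lan.example"   # assumed host override on the firewall
OVERRIDE_IP = "10.0.0.5"                    # assumed address of that override


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default) with the RD flag set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return the transaction id, RCODE and any A-record answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


def classify(result, expected_ip=OVERRIDE_IP):
    """'intercepted' if the firewall's override came back, otherwise 'leaked'."""
    if result["rcode"] == 0 and expected_ip in result["answers"]:
        return "intercepted"
    return "leaked"


def probe_udp(server, name=OVERRIDE_NAME, timeout=3.0):
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != txid:
        raise ValueError("transaction id mismatch in UDP reply")
    return result


def probe_tcp(server, name=OVERRIDE_NAME, timeout=3.0):
    query = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS is length-prefixed
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_response(data)


if __name__ == "__main__":
    # Usage: python dns_redirect_check.py <external-resolver-ip>
    target = sys.argv[1]
    for label, probe in (("udp/53", probe_udp), ("tcp/53", probe_tcp)):
        try:
            print(label, classify(probe(target)))
        except (OSError, ValueError) as exc:
            print(label, "no usable reply:", exc)
```

Run it from a client on the VLAN in question with the same resolver IP the device has hard-coded. Seeing `udp/53 intercepted` but `tcp/53 leaked` (or the reverse) points at a redirect rule that matches only one protocol; seeing both leak while queries aimed at the firewall itself work suggests the rule is bound to the wrong interface or is ordered behind a pass rule.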