Pfsense PIA issue DNS leak

Hi everyone!

I’ve just started messing around in pfsense. One of the first things I wanted to do was route part of my network trough PIA, part trough my ISP. I’m running the latest 2.5.2.

When I uncheck “Don’t pull routes” everything works fine (apart from the fact I can’t route some host’s trough my ISP), no DNS leaks. Even the killswitch (with the floating block rule) works fine

But when I check “Don’t pull routes” sometimes I see my ISP ip, sometimes my PIA ip. Whenever I do an DNS leak test I can see my ISP ip.

Does anyone have an idea what I’m missing? thanks!

On your PIA_TRAFFIC rule, tag all traffic with “NOWAN”. Then create a Floating Rule that blocks your ISP Gateway for all packets tagged with "NOWAN.

How is your DNS setup generally?

the floating rule works just fine when “Don’t pull routes” is checked, that isn’t the issue. The problem starts when i uncheck “Don’t pull routes”, because i want to partially route the network trough PIA.

My DNS is set up like this;
-Servers and
-DNS override is unchecked
-Resolution behavior is set Use local DNS, fall back to remote servers

Hello - I have used PIA in the past. This is what worked for me.

  1. Another option instead of tagging is to identify HOSTs to route to the VPN with an Alias eg ROUTE_TO_VPN and place that alias in the SOURCE field of your allow rule above rather than the Duplicate your allow rule just below the first rule BUT CHANGE it to a BLOCK. This in effect becomes your ‘kill switch’ - no Floating rule in this case. If the VPN connection goes down, the Block rule will stop outgoing traffic for ROUTE_TO_VPN. This does work.

  2. I don’t know your use case for the VPN - but IF you are not using PIAs DNS server ( you are leaking your DNS queries to Quad 9 - partially defeating the purpose for using the VPN. The easiest way to insure DNS queries go to their server is to create a Port Forwarding Rule (Firewall | NAT | Port Forward) that routes ALL DNS queries to PIAs DNS Server. To create rule select your interface: LANx Protocol TCP/UDP Source ROUTE_TO_VPN, Dest Addr *, Dest Ports 53, NAT IP This will automatically add a rule to the LAN firewall rules for you. Then test your DNS queries with to verify that you are using PIA DNS.

  3. I did have “Don’t pull” checked.

Ok, I think i fixed it. I followed Tom’s 2017 guide (Setting up PIA VPN on pfSense for your whole network and Configuring Selective Routing) in which all traffic gets routed trough the PIA VPN except for certain rules. Here “don’t pull routes” is disabled.

Initially i followed the 2019 guide (pfsense OpenVPN Policy Routing With Kill Switch Using PIA / Private Internet Access) in which all traffic routes trough the WAN except for certain PIA rules. Here “don’t pull routes” is enabled.

The only side effect now is when i go to, it shows my private IP, and when i run the DNS test it still shows the VPN’s IP. Is that a security risk? Could it cause problems with for example netflix?

That sounds right.

If only “some” of your traffic is going out your VPN then the rest is going out your ISP.

Personally I find it too hard to know for sure if my traffic is going out the VPN or ISP in your kind of setup. Using vlans and routing all the traffic through the VPN with a killswitch means you don’t have to think about it, once setup.

To be certain, it would easier to have a VPN client on your devices in your scenario. Then you can just turn it on or off.

I have the same problem with DNS leak, propably i havent set up PIA’S DNS. Can you please uppload some pics so i can easy setup the DNS in a correct way, thanks

I followed this guide, and excluded the lan IP’s which i didn’t want to use the PIA vpn.

So, set up VPN, make sure “don’t pull routes” is disabled. Now eveything is using the PIA PVN, and no DNS leaks.
If you want devises not to use the VPN route, add them to Aliases and exclude the aliases in the rules. Note that the devices will show your private IP but with the PIA DNS