Proper way to run PFSense, Pi-hole, ExpressVPN as client

Hello, looking for a little assistance if possible.

What I want to happen is to have Pi-Hole filter my local traffic and then send it out via ExpressVPN (as client) which is installed within PFSense.

Here’s my setup. I have the ATT gateway set to passthrough, PFSense (handling DHCP and DNS Resolver), Pi-Hole (PFSense is set as upstream server), a Unifi 16-port Lite POE switch, and a Unifi Wifi 6 Lite. I have admin devices on the default VLAN, and four other VLANs. As it’s working now, devices on the default VLAN are assigned the VPN public IP and filter through Pi-Hole, but fail DNS leak tests. All other VLANs are running through the VPN 100%, bypassing the Pi-Hole.

So that’s where it stands now. I’d love to filter all my traffic through Pi-hole first before it goes out over the VPN.

Can you not just set pihole as the only dns? The vpn routing is independent of that if I am not mistaken.

If you are using the Pi-hole for DNS, then you also need to make sure all traffic from the Pi-hole passes through the VPN.
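One way to verify that last point from the Pi-hole box itself, as an added example that is not from this thread or from the Pi-hole/pfSense projects: it reads the host's configured upstream resolvers and checks that the kernel would route each of them out through the tunnel interface rather than the LAN/WAN path. It assumes a Linux Pi-hole host with iproute2 and a tunnel interface named `tun0` (override with `VPN_IF`).

```shell
#!/bin/sh
# Added example (not from the thread). Checks that every resolver the Pi-hole
# host forwards to is reached via the VPN tunnel interface. Assumptions: Linux
# host with iproute2; the tunnel interface name defaults to tun0.

VPN_IF="${VPN_IF:-tun0}"   # assumption: name of the VPN tunnel interface

# Print the nameserver IPs from resolv.conf-style text given on stdin.
resolvers_from_text() {
  awk '$1 == "nameserver" { print $2 }'
}

# Given the one-line output of `ip route get <ip>`, print the egress device.
egress_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# $1: newline-separated resolver IPs; $2: expected egress interface;
# $3: command that returns route output for an IP ("ip route get" on a real
# host; the test injects a fake). Prints one line per resolver and returns
# non-zero if any resolver would leave by another interface (a DNS leak path).
check_resolvers_via() {
  resolvers="$1"; want_if="$2"; route_cmd="$3"
  leak=0
  for r in $resolvers; do
    dev=$(egress_dev "$($route_cmd "$r")")
    if [ "$dev" = "$want_if" ]; then
      printf 'ok    %-15s via %s\n' "$r" "$dev"
    else
      printf 'LEAK  %-15s via %s (expected %s)\n' "$r" "${dev:-?}" "$want_if"
      leak=1
    fi
  done
  return $leak
}

# Live check only when asked for, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--live" ]; then
  resolvers=$(resolvers_from_text < /etc/resolv.conf)
  check_resolvers_via "$resolvers" "$VPN_IF" "ip route get"
fi
```

Run it as `sh check-dns-path.sh --live` on the Pi-hole host; a non-zero exit means at least one upstream resolver is reachable without crossing the tunnel.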

Previously, when I had two routers (ISP and VPN), I achieved this; it’s been a while and I didn’t write it down. But I might have set the Pi-hole DNS to my VPN provider’s DNS, devices on the network used the router as the DNS, and the router then pointed to the Pi-hole.

However, if you use pfblocker you can use the same lists as pihole and apply this to your interfaces. You lose the pretty chart but you save on electricity plus you can add other block lists.

Before using pfBlocker, I was using Pi-hole and had it as simply another client on my network. It pointed to pfSense for its upstream DNS. The benefit was the host names would show properly within the Pi-hole logs. I set up DHCP to have the clients look to the Pi-hole’s IP address for their DNS lookups. It worked well. It sounds like that is how you have it? I wonder if you have something else going on with regard to the DNS leaks? Setting Pi-hole to point to the VPN’s DNS would be the next thing I’d try.

One problem I have is that ExpressVPN doesn’t give any specific DNS servers to point to.

I do use the IP block portion of pfblocker, and I tried out the DNSBL, but I still prefer Pihole partially because it’s what I’m used to and the ease of reading the stats.

I use AirVPN; you can read their blurb on DNS here (scroll down to DNS): https://airvpn.org/specs/

I’m not super clear on this, but I believe your tunnel has to be up before you invoke the DNS to prevent a DNS leak; I don’t think that is possible unless you use an IP address to connect to their VPN servers. You ought to be able to use any DNS after the tunnel is up.

I use online DNS leak tests to test my setup; it all looks good.

I manually entered the pihole lists into pfblocker. Worked well and updated just like the other lists.