Solution for pfSense and VPN client gateway randomness


coffeeprogrammer (Well-known member, joined Jul 19, 2021):
I had an idea for configuring pfSense with VPN providers (I am using NordVPN and ExpressVPN). As most VPN providers let you connect multiple devices, I have my pfSense router configured for four client connections to NordVPN and four client connections to ExpressVPN. I then give each its own gateway so I have eight VPN gateways, then I add all of them to a tier 1 gateway group, which is what I assign most of my devices to as a gateway in the firewall settings. The effect is that my traffic jumps around to eight random VPN endpoints to the internet using two VPN providers. It seems to work, although I noticed that YouTube and other ad sites sometimes show ads for any of the eight random countries, and sometimes (not often) sites pop up in the wrong language, but I tend to use the same sites and don't go out far on the internet, so I don't have any problems. I also know as a developer that HTTP has a language header, but my guess is that most sites don't utilize it. I was wondering what you folks think of this solution? Including Steve. I also don't remember Steve weighing in on ISPs spying and reselling data, but Leo talks about that in the ExpressVPN ads.
 
That is an interesting idea for hopping around somewhat randomly.

Possibly of interest to you: another option with some providers like Mullvad (a Steve favorite that doesn't advertise) is that they provide SOCKS5 proxies (https://mullvad.net/en/help/socks5-proxy/) you can use over the VPN, which allow you to have one VPN connection maintained by pfSense but have traffic route out via endpoints all over the world depending on the SOCKS server used. (With pfSense and Mullvad, just set a static route for 10.124.0.0/16 to use the VPN connection, which covers all of their SOCKS5 servers globally.)

To easily get random egress you can then use a lightweight nginx reverse proxy as set up in this Docker image. You set that as the SOCKS5 proxy your apps use, and then it randomly proxies out via one of the proxy servers you set up in the proxy config. You could then have hundreds of egress options that are randomly chosen.

This of course only works with apps that support SOCKS5, like web browsers. I find that preferable since it limits what telemetry is also associated with your VPN connections that otherwise can unmask you, though that is a little less of a concern when you egress randomly over hundreds of exit points. But for example OS telemetry and accounts that can be used to correlate who you are, like Gmail, iCloud and such, I just have them go straight out and use Chrome with no proxy and no OS proxy setting. Then I use Firefox with the proxy set for other things, an especially powerful option with their multi-container extension that allows you to choose a proxy per container and control which domains use which containers, which cookies can persist across restarts, etc.

Note that to really get around tracking you need to also be very cognizant of browser fingerprinting techniques, which really do not emphasize IP address very much. The https://fingerprint.com/ demonstration is one of the most powerful I have seen and works by default in the same browser even in incognito mode. You can beat it though with Firefox multi containers combined with the Temporary Containers and CanvasBlocker extensions, in addition to turning on privacy.resistFingerprinting in about:config for Firefox. And of course uBlock Origin.
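The random-egress setup described in this reply, written out as an added example rather than the poster's Docker image or Mullvad's own configuration: an nginx `stream` block that listens for SOCKS5 on the LAN and hands every new TCP connection to a randomly chosen upstream SOCKS5 server. The upstream addresses are placeholders inside the 10.124.0.0/16 range mentioned above, not real Mullvad hosts, and the LAN listen address is assumed; nginx must be built with the stream module (`--with-stream`), and the `random` balancing method needs nginx 1.15.1 or later.

```nginx
# Added example: nginx as a TCP-level SOCKS5 fan-out.
# nginx does not speak SOCKS5 itself; it forwards the raw TCP stream, so the
# client's SOCKS5 handshake and CONNECT request reach whichever upstream was
# picked for that connection. A new connection gets a new random exit.
stream {
    upstream socks5_egress {
        # Choose a random upstream per connection (nginx >= 1.15.1).
        random;

        # Placeholder exit servers (assumed addresses, not real Mullvad hosts).
        # max_fails/fail_timeout skip an exit that stops accepting connections.
        server 10.124.0.10:1080 max_fails=2 fail_timeout=30s;
        server 10.124.0.11:1080 max_fails=2 fail_timeout=30s;
        server 10.124.0.12:1080 max_fails=2 fail_timeout=30s;
        server 10.124.0.13:1080 max_fails=2 fail_timeout=30s;
    }

    server {
        # Listen only on the LAN-facing address (assumed) so the fan-out proxy
        # is never reachable from the WAN side.
        listen 192.168.1.1:1080;
        proxy_pass socks5_egress;

        # Fail fast on a dead exit and drop idle sessions eventually.
        proxy_connect_timeout 5s;
        proxy_timeout 10m;
    }
}
```

Point the browser's SOCKS5 setting at 192.168.1.1:1080 and, in Firefox, enable "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns), otherwise name lookups leave directly and reveal what is being visited. Two things to check before relying on it: the static route for 10.124.0.0/16 must really go through the VPN gateway on pfSense (otherwise the upstream connections are attempted in the clear and simply fail), and since one page load opens several connections, a site may see several different exit addresses at once, which is exactly the "wrong language, wrong country" effect the original post describes and which some sites treat as a session anomaly.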
 
Then there are web-based email apps like Horde that insist you re-login every time they detect that your exit point IP address has changed. REALLY annoying when using a T-Mobile hotspot on my smartphone for Wi-Fi. Apparently, T-Mobile's load balancing is changing my exit point IP address on a regular basis.