pfBlocker still blocking sites even when packaged disabled, removed and cold-rebooted
-
Hi I apologize for what must surely be my fault, but I am googled-out and cannot fix this on my own:
I bought a Netgate 4100 earlier this year and all was well until I switched from pi-hole to pfblocker. There's a custom web site I own and operate on my own network that I must be able to access, and I could pre-pfblocker. And I still can if I e.g. use a VPN service provider. But from my own LAN via my 4100 access to the site is denied. Firstly, I tried whitelisting the site using e.g. Tom Lawrence's videos, but it wouldn't work. In the end, I gave up and thought "pi-hole wasn't bad" - I was just hoping this was somehow "better". So I thought "no problem, I'll just disable/uninstall pfblocker then cold-reboot the router and go back to my old pi-hole container, and revisit this another day." Not so fast.
I have worn out Google trying to fix this, but I had to finally post here: I have tried MULTIPLE TIMES to disable/uninstall and even re-install/uninstall the pfblocker package. I have tried "disabling" various features after I re-install and re-uninstall the package, and then powered off my router and re-booted the device, but I simply cannot access the site from my own LAN no matter what I do. I have even restarted the DNS resolver (but a cold reboot should really do that too). I can access the site from my phone (mobile service, not wifi connected to my Netgate router) or via a VPN service provider from my desktop, but that's not convenient. The GOOD NEWS is my site can still be accessed by my customers, but I can't personally access it from my desktop (or phone, or laptop or ANYTHING via my own LAN). I have of course also reset my PC too and even the other LAN devices I tried. Nothing works from my LAN.
I can see no residual firewall rules and I can confirm that pfBlocker disappears from the Firewall menu every time I uninstall it.
Can anyone point me into things I might be doing wrong?
Andrew
-
@AWilson60 Is your local web server using NAT with a local private address? If so, have you configured NAT reflection or maybe tried using split DNS? I had similar issues using a local email server and split DNS resolved them for me. Just wanted to share other ideas. Good luck.
-
@AWilson60 said in pfBlocker still blocking sites even when packaged disabled, removed and cold-rebooted:
Can anyone point me into things I might be doing wrong?
On your PC (pad, phone, portable) on your LAN :
nslookup yoursite.tld
Does it return the IP of your site ?
Can anyone point me into things I might be doing wrong?
pfSense, using pure default settings (that is: change the admin password, activate WAN if it isn't DHCP), should work straight away.
Then, as you add all your other 'changes', it will stop working ....
So, tell us about your settings/changes.
-
@ltolbert - I am not a networking expert so I may not answer your questions properly as I use different terms to the ones you use. I host two web sites and two cloud file servers on my LAN (and in fact other services). All services are accessible via the internet under one of two domain names - one of which comes via Cloudflare and one of which comes via a domain that I buy and manage via Google Domains' service. Only one of the domains (so one web site, one cloud file server) is (now) being blocked from my LAN - the other is still accessible as usual. All worked before I installed pfBlocker. Of course, all services for both domains are also accessible via a VPN service or if I try to access them via any network that is NOT my LAN.
I may do a full factory reset on my Netgate 4100 and reload my pre-pfblocker settings to see if that fixes this. It's a little drastic but absolutely nothing else I have tried has worked. I am so perplexed that uninstalling pfblocker has NOT restored the connectivity I definitely had immediately before I played with the package.
THANK YOU.
-
[I have re-replied to your message and just pasted the full contents of nslookup below rather than trying to obscure the output as I did originally]:
andrew@yoda:~$ nslookup cloud.exploinsights.com
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
cloud.exploinsights.com canonical name = eiflsvr.ddns.net.
Name: eiflsvr.ddns.net
Address: 47.200.8.195

So the URL cloud.exploinsights.com points to a Nextcloud server I self-host, which may or may not show on your system depending on whether you have pfblocker enabled or not (I am interested to know if pfblocker blocks this on Netgate systems? - and if so, can you still get to it via a VPN and/or with pfblocker disabled?)?
If I use my vpn service, I get to the site. I USED to be able to get to it from my lan, but not since I installed then removed pfBlocker.
I didn't change any of my settings - I merely installed pfblocker, ran through the wizard (taking all defaults as recommended by Tom Lawrence) and when I found my cloud file server (and a web site) was blocked, I tried whitelisting - failed, tried googling - failed so I just uninstalled pfBlocker thinking it would all come back. It has not done so yet.
I can post settings but can you be a little clearer on what I should post? Bear in mind the pfBlocker package has been uninstalled and thus there no settings shown for that. Ditto logs - I have looked in them for clues, but there's so many I am not sure which one(s) I should post?
I am not 100% convinced it's my Netgate router at fault, but I am clueless to troubleshoot this beyond what I have posted. Getting close to a factory reset (inconvenient for me to do that!).
THANKS for trying to help me - I am appreciative.
Andrew
-
@AWilson60 if some fqdn ends up pointing to your WAN IP (on pfSense) and you want to get to it from something on your LAN, then you either need to do NAT reflection, or you need to set up local DNS to resolve that fqdn to the local IP.
So example... You host something on some box 192.168.1.100, people on the internet get to it via your public IP 47.200.x.x, and you forward traffic that hits this IP, let's say on 443, to the 192.168.1.100 box.
All is good with the world.
But now you have some box on say 192.168.1.200 and he wants to go to this fqdn.. That resolves to your WAN IP 47.200.x.x.. You can either set up NAT reflection in pfSense to send this traffic from 1.200 to your 1.100 box via reflection.
Or the simpler and cleaner solution is to just let the local DNS that this 1.200 box is using resolve the fqdn to 192.168.1.100 vs the 47.200.x.x address.
The only time NAT reflection is needed is if this 1.200 box is not using your local DNS, and you can not change it to use your local DNS so it can resolve the fqdn to your local IP. Or it's trying to access this service via just some hard coded IP (your WAN address).
Other option vs using NAT reflection or local DNS is to use a reverse proxy. So instead of just forwarding traffic in from the internet on some port to your 192.168.1.100 box hosting your service, use haproxy as a reverse proxy and let it send the traffic inbound. If that is the case then your local 1.200 box should have no issues getting to the fqdn that resolves to your public IP.
For split DNS:
In your above details, you're trying to go to cloud.exploinsights.com, so in unbound create a host override that points cloud.exploinsights.com to your box hosting the service, 192.168.1.100 in my example. Now when a client wants to go to cloud.exploinsights.com, vs resolving to your public IP, it just resolves that to the 192.168.1.100 address and locally accesses your service.
This has really zero to do with pfBlocker - unless pfBlocker was blocking resolution of cloud.exploinsights.com in the first place. So yeah you need to resolve that fqdn; if it points to your WAN IP from a client on your network you need either NAT reflection, or haproxy, or you need to go the split DNS route.
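The diagnostic Gertjan asked for (run nslookup on a LAN client and see which IP comes back) and the decision johnpoz lays out (LAN address means split DNS is in effect, WAN address means hairpin traffic that needs NAT reflection or a proxy on the firewall) can be scripted. The block below is an added example written for this thread; it is not code from the thread, from pfSense or from unbound. It parses nslookup output in the form Andrew posted, classifies each answer against the WAN IP and LAN subnets, and, where the answer is the WAN address, prints the unbound `local-data` record that a pfSense DNS Resolver host override produces. The nslookup text is constructed from the posted output (cloud.exploinsights.com, eiflsvr.ddns.net, 47.200.8.195); the LAN subnet 192.168.1.0/24 and the internal host 192.168.1.100 are assumed values taken from johnpoz's example, not Andrew's real network.

```python
"""Split-DNS vs NAT-reflection checker for a self-hosted service behind pfSense.

Added example for this thread; not code from the thread, pfSense or unbound.
Assumed values: LAN 192.168.1.0/24 and internal host 192.168.1.100 (johnpoz's
example numbers). The WAN address 47.200.8.195 comes from the posted nslookup.
"""
import ipaddress
import re

# Constructed sample, laid out the way nslookup prints it on Linux (the post's
# copy had its line breaks collapsed).
SAMPLE_NSLOOKUP = """\
Server:\t\t127.0.0.53
Address:\t127.0.0.53#53

Non-authoritative answer:
cloud.exploinsights.com\tcanonical name = eiflsvr.ddns.net.
Name:\teiflsvr.ddns.net
Address: 47.200.8.195
"""


def parse_nslookup(text):
    """Return (resolver_ip, cname_chain, answer_ips) from nslookup output.

    The 'Address:' line before 'Non-authoritative answer:' is the resolver the
    client asked (it carries a '#port' suffix); 'Address:' lines after that
    header, a 'Name:' line or a CNAME line are answers.
    """
    resolver, cnames, answers, in_answer = None, [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("non-authoritative answer:") or line.startswith("Name:"):
            in_answer = True
        m = re.match(r"^(\S+)\s+canonical name = (\S+?)\.?$", line)
        if m:
            cnames.append((m.group(1), m.group(2)))
            in_answer = True
            continue
        m = re.match(r"^Address:\s*(\S+)$", line)
        if m:
            addr = ipaddress.ip_address(m.group(1).split("#")[0])
            if in_answer:
                answers.append(addr)
            else:
                resolver = addr
    return resolver, cnames, answers


def classify(answer_ips, wan_ip, lan_nets):
    """Map each answer IP to where a LAN client's traffic would end up.

    'split-dns'  answer is inside a local subnet: client reaches the host directly
    'hairpin'    answer is the WAN address: traffic hits pfSense's WAN side, which
                 only works with NAT reflection or a proxy (e.g. haproxy) on pfSense
    'external'   answer is some other internet address
    """
    wan_ip = ipaddress.ip_address(wan_ip)
    lan_nets = [ipaddress.ip_network(n) for n in lan_nets]
    verdict = {}
    for ip in answer_ips:
        ip = ipaddress.ip_address(ip)
        if any(ip in n for n in lan_nets):
            verdict[str(ip)] = "split-dns"
        elif ip == wan_ip:
            verdict[str(ip)] = "hairpin"
        else:
            verdict[str(ip)] = "external"
    return verdict


def unbound_host_override(fqdn, lan_ip):
    """unbound 'local-data' A record, which is what a pfSense host override becomes.

    Override the name the client asks for, not the CNAME target: unbound answers
    from local-data directly and never follows the public CNAME.
    """
    ipaddress.ip_address(lan_ip)  # raises on a malformed address
    return f'local-data: "{fqdn.rstrip(".")}. IN A {lan_ip}"'


def diagnose(fqdn, nslookup_text, wan_ip, lan_nets, internal_ip):
    """Tie the pieces together; returns a dict the test below asserts on."""
    resolver, cnames, answers = parse_nslookup(nslookup_text)
    verdict = classify(answers, wan_ip, lan_nets)
    override = unbound_host_override(fqdn, internal_ip) if "hairpin" in verdict.values() else None
    return {"resolver": str(resolver), "cnames": cnames, "verdict": verdict, "override": override}


if __name__ == "__main__":
    report = diagnose("cloud.exploinsights.com", SAMPLE_NSLOOKUP, "47.200.8.195",
                      ["192.168.1.0/24"], "192.168.1.100")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against the posted output reports the single answer as `hairpin` and emits the override for cloud.exploinsights.com itself, which matches the host-override fix that resolved the thread; the record is placed on the CNAME source so the client never sees eiflsvr.ddns.net at all.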
-
@johnpoz THANK YOU! based on your feedback, I have created entries under my Host Override options in my DNS Resolver to point to my reverse proxy...and it WORKS!! THANK YOU.
I am still puzzled as to why it worked WITHOUT this before I installed pfBlocker, but I am very grateful it now works again.
Again, THANK YOU!
-
@AWilson60 not sure - other than not being able to resolve some fqdn at all, pfBlocker would have nothing to do with NAT reflection.
But if you were resolving the fqdn to your WAN IP, you would have needed NAT reflection for it to work. Or you would have needed to be running haproxy.
Sounds like you're running some internal reverse proxy at my example 192.168.1.100 address - you might want to look into haproxy just on pfSense; I run a couple of things through it, and let it do the SSL offloading, and this ties in nicely with the acme package to update the certs, etc.
-
@ltolbert So, now that I better understand your feedback. I have now fixed my issue, and NAT reflection was off (and it turns out I can fix this issue either by turning that on and/or redirecting local dns by adding a host entry under DNS Resolver). THANK YOU. Sorry I was too dumb to understand this the first time around. :-)
-
@johnpoz Thanks. You are dead right - NAT reflection was the issue. It's fixed now, but what stumped me was that it all worked before I played with pfblocker (I absolutely did not turn anything off, and I frequently accessed that site before installing pfblocker). On HAProxy - I use HAProxy in an LXC container that's running with redundancy across three servers, and I prefer that (i.e. it means I have been able to run that for years without breaking it LOL) so I won't break it by trying to run it on my Netgate router, but thanks for the idea. :-).
-
@AWilson60 no problem - glad you got it sorted. Either solution can work; the split DNS is cleaner - why bounce traffic off your firewall if it's just going to some local IP anyway. No reason to bounce traffic off pfSense.
Only reason to use NAT reflection would be if your client on your local network was not using your DNS, or was using a hard coded IP.
If you're already using haproxy on pfSense, and it's doing SSL offload, then it makes sense to bounce the traffic off pfSense since it's doing SSL for some site that can not do it, or allows you to do it in a central location, etc..
-
@AWilson60 Great, glad it's working. Sorry I could not follow up any sooner but great advice from @johnpoz . Lots of help on this forum.