Need help with a firewall rule to allow PiHole DNS and block users from accessing the PiHole GUI....
-
My last post was premature because your sample rules work after taking a detailed second look. I would have never figured it out without your help. It is so complicated. I copied your rules and my system is working like I want it. You are the man! I really appreciate your help. I wish I had your network skill set. Again, thanks for your help!!
P.S. I may have another critical pfSense issue for you to solve since you seem knowledgeable regarding pfSense.
Happy Holidays
-
@Ghost-0 said in Need help with a firewall rule to allow PiHole DNS and block users from accessing the PiHole GUI....:
I may have another critical pfSense issue for you to solve
Happy to help..
It might look complicated, but just take them one rule at a time.. Rules are evaluated top down, when a rule triggers (ie matches) no other rules are looked at. So follow your rules down and you can figure out where you need to place your rules. And just remember if traffic never matches anything and it gets to the end not being allowed, the default deny will block..
You wouldn't need that block rfc1918 rule for example - except you have that last rule that allows anything, ie the internet. So before you allow that you need to say, hey you can't go to any other rfc1918 network. This is what blocks talking to your pihole web gui.
-
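The evaluation order johnpoz describes above (top down, first match wins, default deny at the end, and the RFC1918 block having to sit above the allow-anything rule) and the "invert match" option he explains further down can be walked through with a small simulator. This is an added example, not code from the thread or from pfSense; it reproduces pfSense's first-match semantics on a toy rule list. The Pi-hole address 192.168.3.10 is the one from the post; the VLAN subnet 192.168.20.0/24, the rule names and the sample packets are assumptions for illustration.

```python
# Added example (not from the thread): first-match simulator that mirrors how
# pfSense walks an interface's rule list top down. 192.168.3.10 is the Pi-hole
# from the post; the VLAN subnet, rule names and sample packets are assumed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY_NET = [ip_network("0.0.0.0/0")]
VLAN_NET = [ip_network("192.168.20.0/24")]   # assumed "test subnet"
PIHOLE = [ip_network("192.168.3.10/32")]     # Pi-hole address from the post


@dataclass
class Rule:
    name: str
    action: str                          # "pass" or "block"
    proto: Optional[Tuple[str, ...]]     # e.g. ("tcp", "udp"); None = any
    src: List[IPv4Network]
    dst: List[IPv4Network]
    dport: Optional[int] = None          # None = any destination port
    dst_invert: bool = False             # pfSense "invert match" on destination


@dataclass
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None


def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    return Packet(proto, ip_address(src), ip_address(dst), dport)


def in_any(addr: IPv4Address, nets: List[IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto is not None and p.proto not in rule.proto:
        return False
    if not in_any(p.src, rule.src):
        return False
    dst_hit = in_any(p.dst, rule.dst)
    if rule.dst_invert:          # invert match: rule hits everything EXCEPT dst
        dst_hit = not dst_hit
    if not dst_hit:
        return False
    if rule.dport is not None and p.dport != rule.dport:
        return False
    return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else default deny."""
    for r in rules:
        if matches(r, p):
            return r.action, r.name
    return "block", "default deny"


# VLAN restricted to ICMP / DNS to the Pi-hole / NTP / internet, nothing else on RFC1918
VLAN_RULES = [
    Rule("ICMP anywhere", "pass", ("icmp",), VLAN_NET, ANY_NET),
    Rule("DNS to Pi-hole", "pass", ("tcp", "udp"), VLAN_NET, PIHOLE, dport=53),
    Rule("NTP anywhere", "pass", ("udp",), VLAN_NET, ANY_NET, dport=123),
    Rule("block other RFC1918", "block", None, VLAN_NET, RFC1918),
    Rule("internet", "pass", None, VLAN_NET, ANY_NET),
]

# Same rules with the RFC1918 block placed BELOW the allow-anything rule:
# the block is never reached, so the Pi-hole web GUI becomes reachable.
WRONG_ORDER = VLAN_RULES[:3] + [VLAN_RULES[4], VLAN_RULES[3]]

# Invert-match variant of the DNS rule: passes DNS to anything except the Pi-hole.
INVERTED_DNS = Rule("DNS not to Pi-hole", "pass", ("tcp", "udp"),
                    VLAN_NET, PIHOLE, dport=53, dst_invert=True)

if __name__ == "__main__":
    client = "192.168.20.50"   # assumed VLAN client
    for p in (pkt("udp", client, "192.168.3.10", 53),   # DNS to Pi-hole
              pkt("tcp", client, "192.168.3.10", 80),   # Pi-hole web GUI
              pkt("tcp", client, "93.184.216.34", 443), # internet
              pkt("tcp", client, "192.168.3.5", 445)):  # another LAN host
        print(p.proto, p.dst, p.dport, "->", evaluate(VLAN_RULES, p),
              "| wrong order:", evaluate(WRONG_ORDER, p))
```

Walking each packet through `VLAN_RULES` gives the behaviour the thread wants: DNS to 192.168.3.10 passes on the explicit rule, port 80 to the same host falls through to the RFC1918 block, and public addresses reach the final allow. With `WRONG_ORDER` the GUI packet hits "internet" first, which is exactly the case the block rule has to be placed above. The `INVERTED_DNS` rule shows why invert match is easy to misread: it passes DNS to 8.8.8.8 but not to the Pi-hole, so a rule that looks like a DNS allow is really a DNS bypass.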
@Ghost-0
I'm kindly asking you to review a recent post that I posted earlier today, regarding another pfSense issue that I have been experiencing for years. Please review it and let me know of a possible solution. Again, thanks for everything!
-
@johnpoz
I beg to differ. It is complicated for me. My pfSense rule skill set is very rudimentary. Your sample rules reveal new ideas to me. I didn't know you could add ICMP, NTP, etc. in the pfSense firewall. I thought these things were only available in Microsoft Windows. Your sample rules are an eye-opener. This has inspired me to embark on a pfSense journey for more knowledge.
I have a question for you. I don't really understand this pfSense firewall rule option, invert match, please define it for me in simple terms.
-
@Ghost-0 said in Need help with a firewall rule to allow PiHole DNS and block users from accessing the PiHole GUI....:
invert match, please define it for me in simple terms.
It means exactly that in my rule where I allowed dns to 192.168.3.10, the rule would match if it was any other than 192.168.3.10.. Invert rules are rarely needed, if ever to be honest. You should prob just forget the option even exists.. Just be very explicit with an allow to what exactly you want.
While they might be useful in some complicated rule sets, your typical user should really never have need for them.. And there have been problems in the past where if you had a vip setup it could be confused.. If you do plan on playing with invert or ! rules - make sure you extensively test that is working as you intended.
Yes you can get specific with your ports, and with your protocols.. Just look at your rules line by line and what traffic you want to allow or block. Source IP, destination IP, port and protocol (tcp/udp/icmp/etc) does the rule allow it or deny it. As you walk through your rules top down.. If you get to rule that matches, no other rules will be looked at.
-
@johnpoz
Thanks for the explanation! Some users on YouTube use it extensively. To me it is not intuitive. I find that option confusing. I thought I was missing out. Now I feel better after your explanation.
I have done extensive testing of the firewall and found no leaks after implementing your suggested rules; pfSense appears to be functioning as intended. However, I had to make a slight modification of one of your rules to accommodate the Unifi Captive Guest Portal on one of the subnets. The issue was that connected hosts were unable to access the captive portal web page. Rule #2 of your sample rules had to be modified: "Source, test subnets" was changed to "any" and port 53 (DNS) was changed to no port.
-
Thanks for replying to my post! johnpoz solved it for me by re-writing the majority of my pfSense rules; everything is now peachy. The VLANs (WiFi) are now restricted to only ICMP/NTP/DNS/internet. They are no longer able to access other resources on the network, including GUIs.
-
@johnpoz I am running into a similar issue. I have a VLAN on a wireless router (disabled DHCP/NAT/etc).
LAN 192.168.3.1 (pfsense)
LAN 192.168.3.3 (wifi-router1)
LAN 192.168.3.20 (pihole DNS+unbound)
VLAN_STAFF 192.168.10.1
VLAN 192.168.10.2 (wifi-router2)
If I connect to the first router it will resolve "ping google.com".
If I connect to the second router it will resolve "ping 1.1.1.1" but not "ping google.com". So this tells me I MAY have internet but I definitely do not have DNS.
Setup:
ISP -> netgate SG3100 (pfsense+) -> TL-SG1016DE (switch) -> {pi-hole, wifi-router1, wifi-router2, ubuntu laptop, etc.}
When I connect to wifi-router2 it tells me my DNS is 192.168.3.20 in the settings ...
It says my routing is 192.168.10.1
I can ping 192.168.3.20 (pi-hole) if I'm on wifi-router2 too (DHCP gives me 192.168.10.200 on my linux laptop).
My setup is quite generic otherwise. I am just learning. I did my due diligence with copying the LAN firewall to the STAFF VLAN, I set up the VLANs in the switch, I'm getting the DHCP to cooperate correctly, and I even tackled the Interfaces > Switches section which is often missed.
DHCP Servers for VLANs all say 192.168.3.20 grayed out... (default under General Setup)
After 2 days reading mastering pdf and searching 20 videos and 50 forums posts (about half you commented on...), I'm left without a solution except to just install a pfsense package for DNS... but I prefer to use my raspberry pi pi-hole setup.
I also just want to understand what I'm doing wrong.
My ultimate aim is to maximise functionality with a dusty old netgate box and three tp-link wifi6 routers (AX5400) that can create an EasyMesh setup (so I can't really make the wifi-routers into APs). EasyMesh is a firmware upgrade from OneMesh.
I seem to be stuck at this VLAN... Following other tutorials internet "just works" if I'm not using a wireless router and I'm not using a pi-hole sinkhole.
That's it. I don't want to be verbose.
-
@vf1954 PiHole has a setting that will block requests from any other networks than "local" = the subnet it is on. Try unchecking that and see if it works... It should be under Settings > DNS > Interface settings
-
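The symptom in the post above (the VLAN client can ping 192.168.3.20 and resolve against 1.1.1.1, but names sent to the Pi-hole fail) is worth telling apart from a firewall drop before touching any rules. The script below is an added example, not from the thread or the Pi-hole project: it classifies the response `dig` gets from the Pi-hole when run on a client in the other subnet. It assumes that Pi-hole's "Allow only local requests" setting makes the embedded dnsmasq answer clients outside its own subnet with REFUSED (dnsmasq's `local-service` behaviour), whereas a firewall dropping UDP/53 shows up as a timeout. The address 192.168.3.20 is the Pi-hole from the post; the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Classify what a DNS client on another
# subnet gets back from the Pi-hole, so "resolver refuses non-local clients"
# can be told apart from "firewall is dropping port 53".
# Assumption: Pi-hole's "Allow only local requests" (dnsmasq local-service)
# answers non-local sources with status REFUSED.

# $1 = full text of a dig run (stdout+stderr); prints one classification word
classify_dns_response() {
    case "$1" in
        *"status: NOERROR"*)   echo "answered" ;;          # Pi-hole serves this subnet
        *"status: REFUSED"*)   echo "refused-by-resolver" ;; # check Settings > DNS > Interface settings
        *"status: SERVFAIL"*)  echo "upstream-failed" ;;    # Pi-hole reached, upstream (unbound) failed
        *"no servers could be reached"*|*"connection timed out"*)
                               echo "unreachable" ;;        # firewall drop or wrong address
        *)                     echo "unknown" ;;
    esac
}

# Live check: run from a client on the VLAN against the Pi-hole from the post.
# Usage: sh check_pihole.sh live [server] [name]   (assumed file name)
check_pihole() {
    server="${1:-192.168.3.20}"
    name="${2:-google.com}"
    out="$(dig +tries=1 +time=2 @"$server" "$name" 2>&1)"
    classify_dns_response "$out"
}

case "${1:-}" in
    live) check_pihole "${2:-}" "${3:-}" ;;
esac
```

If the result is `refused-by-resolver`, the Pi-hole itself is turning the query away and the fix is the interface setting Gblenn points to, not a pfSense rule; `unreachable` means the firewall (or routing) between the VLAN and the LAN is the place to look.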
@Gblenn you sir, are a blessing!
I see now there was a diagnostic report in pi-hole that I missed ...
Too hyper-focused on the pfsense side of things.
Thank you <3