Port restriction rule!
-
@Antibiotic how and the hell did Steve's quote turn into Russian? ;)
I didn't look that deep at you rules - but that DOT redirect, ie dns over tls more than likely will not work.. Even if you have unbound listening for dot. Because any sane dot client should validate the cert is correct for the NS they are wanting to talk to via dot.
Say your client is trying to talk to the quad9 via dot, it should validate that the cert is valid for dns.quad9.net, if not it should complain and not actually work. Unless you were using a cert it trusts that has cn/san for dns.quad9.net.. If it doesn't its a lame dot client, because one of the main features of dot or doh is validation that your talking to the NS you think your talking too via cert being correct and signed by CA you trust.
-
@Antibiotic said in Port restriction rule!:
not able to see this hard disk on router connect over USB like samba sharing? Network discovery is ON
Device discovery like that typically only works inside the subnet of the device doing the discovery. So it will not 'discover' something in a different subnet.
-
@johnpoz I did how to recommend NetGate doc in DNS redirect section: "Clients using DNS over TLS or DNS over HTTPS could circumvent this protection. Redirecting or blocking port 853 may help with DNS over TLS, depending on the clients."
pfSense plus 24.11 on Topton mini PC
CPU: Intel N100
NIC: Intel i-226v 4 pcs
RAM : 16 GB DDR5
Disk: 128 GB NVMe
Brgds, Archi -
@stephenw10 Than how to do this ?
-
@Antibiotic said in Port restriction rule!:
depending on the clients."
Is the important part here.. If the dot client is sane, it wouldn't work - but sure guess there are some really shitty dot clients that don't actually validate..
Either way it helps with dot circumvent, because it the bad client will just work anyway, ie be redirect, or it will fail. I was just trying to point out that redirection of dot shouldn't work.
Dot is the less common use for clients, android might do dot vs doh? Dot is easy to block, just don't allow 853.. Doh is harder to block because it hides itself with all your other 443 traffic that has to be allowed for the internet to actually work.
Dot is more suited for NS that is forwarding to some other NS, and not actually the end client.
-
Do not use discovery. Enter the IP addresss or hostname directly.
-
@johnpoz I delete this rules regarding DOT and did by instructions in Blocking External Client DNS Queries regarding DOT)))
-
@stephenw10 I am still wondering how your quote ended up in Russian ;)
-
@johnpoz Sorry not understand completely what you mean, but its OK because Russia come back to the global honest WORLD))) not a rules-based order
-
@Antibiotic Steve's post was clearly in english, but then when you quoted it Russian ;) I was not aware that the forum software translated quotes to the posters language or whatever.. So clearly there was some copy paste on your part?
edit:
Your dot rule to lan subnets makes no sense.. Because you have a rule above it that allows any from lan to assume any local used network. So 853 would be allowed by that rule, there is no reason to allow 853 specifically. to lan subnets.On a bit of side note, what is the point of * as source... How would there be any source ingress into this interface unless it was the subnet this interface is attached too?
The only time any for source makes any sense is if the interface is a transit network. The source IP should either be specific for IPs on this network that you want to have different rules for, or it should be set to the subnet the interface is attached to.
-
A browser plugin would do that. Or just Chrome with translate turned on.
-
@stephenw10 I tried but do something incorrectly
Wireless router IP 192.168.20.11 and set
do \192.168.20.11\HOME but error connection
-
The file server may not allow connections from outside it's own subnet by default.
-
@johnpoz Re design))))
yes do copy past , Do not make copy past of translated world, write by English in forum
-
@stephenw10 Yea but in AP mode i don't have any settings to allow this.
-
If it blocks connections from outside it's own subnet and there's no way to add rules to allow it then you would have to add NAT rules in pfSense. But things start to get ugly when you do that! So I would want to confirm that's really happening.
-
@stephenw If i set back to Wireless router mode than make to allow from outside it's own subnet. Set back to AP mode, will this work?
pfSense plus 24.11 on Topton mini PC
CPU: Intel N100
NIC: Intel i-226v 4 pcs
RAM : 16 GB DDR5
Disk: 128 GB NVMe
Brgds, Archi -
First confirm what is not working.
Can you ping that AP/server from the other subnet? Can you SSH to it? Access it's webgui?
-
@stephenw10 Yes i can ping and access web gui and SSH from other subnet. May be its possible to add some rule from SSH but what the rule? Router firmware based on linux.
-
@Antibiotic So your using some wifi router as just an AP.. Yeah if your just using the makers firmware many of them do not allow setting a gateway on the lan interface.
Can you put 3rd party firmware on it - ddwrt, openwrt, etc. All of these allow for setting a gateway on the lan interface.
If not - sure you could either nat and and allow remote access to its web gui. Or as mentioned you can do a source nat, ie outbound nat so traffic to the AP IP looks like it came from pfsense IP on the same network.
If me I would look to 3rd party firmware. Or better yet get an actual AP vs using some wifi router you had laying about.
Advantages to 3rd party or actual AP is you would also then get vlan support, not just gateway on lan interface.
If stuck with this wifi router as your AP, I would use the outbound/source nat vs double nat and remote access to the devices webgui from remote.
