Netgate Discussion Forum
    Clarifying DNS Firewall Rules Misconception

    DHCP and DNS
    7 Posts 3 Posters 569 Views
    moji

      I would like to clarify some DNS and pfSense firewall concepts that have been challenging me for quite some time. I appreciate the help.

      I have set up VLANs on pfSense using a modem, pfSense as the router, and an access point for Wi-Fi for the VLANs. I created a DNS server for each VLAN. I also set up my DNS Resolver to forward DNS to the System (General -> System) DNS, which will handle DNS for all my VLANs and interfaces. I set up the System setup to use Cloudflare's 1.1.1.1 as the system DNS. Given this, my questions are:
      1- Let's say my laptop on VLAN 100 with the 192.168.100.0/24 subnet wants to make a DNS request. Does it go to the VLAN address, 192.168.100.1 port 53? And then my VLAN address forwards this request to the System, which makes the same request on my behalf to 1.1.1.1 port 53. Is this correct?
      2- In case I want to allow the above in my firewall rules, I understand I must allow the request from my laptop to the VLAN address 192.168.100.1 on port 53 - or to the "This Firewall" option? And regarding the second part of the process, on which interface does the forwarded request by "System" occur? The LAN interface, the OPT interface, or some other VLAN? So that I know where I should put the allow rule to Cloudflare's 1.1.1.1.

      3- General question regarding firewall rules. I want to allow my laptop access to the pfSense GUI on the LAN interface, for example. I am confused about whether to allow HTTPS port 443 to either "LAN Address" or the "This Firewall" option. What is "This Firewall" in more tangible terms? Is it more like an alias for all addresses of the interfaces/VLANs created?

      Thanks a million, have a good day!

        viragomann @moji

        @moji said in Clarifying DNS Firewall Rules Misconception:

        1- Let's say my laptop on VLAN 100 with the 192.168.100.0/24 subnet wants to make a DNS request. Does it go to the VLAN address, 192.168.100.1 port 53?

        It sends DNS requests to the server which is stated in its network settings.
        Probably it's configured automatically via DHCP on pfSense. The DHCP server hands out the interface address for DNS by default, as long as you didn't override this setting.

        And then my VLAN address forwards this request to the System, which makes the same request on my behalf to 1.1.1.1 port 53. Is this correct?

        The request goes to the DNS Resolver, which is listening on all interface IPs on port 53, and is then forwarded to the server stated on the General settings page.

        2- In case I want to allow the above in my firewall rules, I understand I must allow the request from my laptop to the VLAN address 192.168.100.1 on port 53 - or to the "This Firewall" option?

        By default it's the interface address, as mentioned above. But you can go with "This Firewall" as well.

        And regarding the second part of the process, on which interface does the forwarded request by "System" occur? The LAN interface, the OPT interface, or some other VLAN? So that I know where I should put the allow rule to Cloudflare's 1.1.1.1.

        Nothing to take care of here. The upstream request does not enter any further interface. It just goes out on WAN.
        All outbound traffic is allowed by default. But you must not block it with a floating rule.

        3- General question regarding firewall rules. I want to allow my laptop access to the pfSense GUI on the LAN interface, for example. I am confused about whether to allow HTTPS port 443 to either "LAN Address" or the "This Firewall" option. What is "This Firewall" in more tangible terms? Is it more like an alias for all addresses of the interfaces/VLANs created?

        Exactly, "This Firewall" is an implicit alias for all IPs assigned to pfSense. So this also includes the WAN address and the loopback address.
        However, allowing access to "This Firewall" isn't really less secure, since this rule is only applied to the LAN interface. This means you can access the web GUI by the WAN address if you're coming in on LAN, but it's not allowed when coming in on the WAN interface.

          moji @viragomann

          @viragomann Super helpful and clear!
          I just have a quick follow-up question regarding one of your statements.

          @viragomann said in Clarifying DNS Firewall Rules Misconception:

          Nothing to take care of here. The upstream request does not enter any further interface. It just goes out on WAN.

          My Home VLAN has firewall rules that end with an allow-all at the end to allow all requests to the WAN. But my Guest VLAN is allowed to get an IP, DNS, and to browse the internet only (ports 80 and 443 on the WAN), and then has a Deny ALL rule at the end.
          1- Does the DNS Resolver have an IP address from which to send the upstream request to WAN?
          2- Will the Guest VLAN DNS request handled by the DNS Resolver still be able to "just go out on WAN", as you said earlier? If not, then the explicit rule still needed would probably be: Allow 192.168.200.1 to send tcp/udp to Cloudflare's 1.1.1.1 port 53 (192.168.200.1 being the address of the Guest VLAN 192.168.200.0/24 subnet).

          Thanks once again!

            Gertjan @moji

            @moji said in Clarifying DNS Firewall Rules Misconception:

            handled by the DNS Resolver still be able to "just go out on WAN"

            Look at all your rules on all your interfaces.
            All these rules handle traffic coming into the interface. With interface I mean the RJ45 plug you can see, and physically plug a cable into.
            The resolver runs "on the inside", in the box, behind these plugs / interfaces, and sends traffic out (over the WAN), so there are no rules to block (or allow) that traffic.
            [ that is, as long as you stay away from floating rules ].

            So you don't need a firewall rule (which rules incoming traffic only 😊 ) for outgoing traffic,
            as this doesn't make sense.

            Edit: and where are the logs??

              viragomann @moji

              @moji said in Clarifying DNS Firewall Rules Misconception:

              1- Does the DNS Resolver have an IP address from which to send the upstream request to WAN?

              The resolver uses an IP out of 127.0.0.0/8 (like any other service on pfSense) to connect to the network. But there is no network interface on which you could restrict its outgoing request. It just goes out to WAN, and the source IP is translated to the WAN address there by the automatically generated outbound NAT rules.

              You can restrict outbound traffic with floating rules though, but this is only needed in certain cases.

              2- Will the Guest VLAN DNS request handled by the DNS Resolver still be able to "just go out on WAN", as you said earlier?

              It's not a request from the Guest VLAN, it's from the DNS Resolver. The client on the VLAN sends requests to the resolver. This is what you have to allow on the Guest VLAN.
              The resolver forwards the requests to the public DNS server, but this is another, independent connection.

              To ensure that all DNS requests from your clients go to the Resolver and cannot bypass it, you can add a NAT port forwarding rule like this, as @elvisimprsntr posted here.

                moji @Gertjan
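The three answers above (viragomann's two and Gertjan's) all come down to the same model: rules live on the interface a packet enters, "This Firewall" expands to every address pfSense owns, and the resolver's upstream query never enters an interface at all. The following is an added example, not code from the thread or from pfSense: a small Python model of that evaluation order, with a constructed topology (WAN 203.0.113.10, LAN 192.168.1.0/24, Home VLAN 192.168.100.0/24, Guest VLAN 192.168.200.0/24), a constructed rule set in the shape moji describes, and a toy version of the DNS-redirect port forward viragomann mentions. Every address, rule and interface name is an assumption for illustration; real pf adds state tracking, automatic DHCP rules and NAT reflection that this model leaves out.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumption): interface -> (interface address, attached subnet).
INTERFACES = {
    "wan":     ("203.0.113.10",  "203.0.113.0/24"),
    "lan":     ("192.168.1.1",   "192.168.1.0/24"),
    "vlan100": ("192.168.100.1", "192.168.100.0/24"),  # Home VLAN
    "vlan200": ("192.168.200.1", "192.168.200.0/24"),  # Guest VLAN
}
LOOPBACK = "127.0.0.1"
UPSTREAM_DNS = "1.1.1.1"           # where the resolver forwards (System > General)
REDIRECT_DNS_ON = frozenset({"vlan200"})  # interfaces with a DNS-redirect port forward


def this_firewall() -> set[str]:
    """'This Firewall' is an implicit alias for every address pfSense owns:
    all interface addresses (WAN included) plus loopback."""
    return {addr for addr, _ in INTERFACES.values()} | {LOOPBACK}


@dataclass(frozen=True)
class Packet:
    iface: Optional[str]  # interface the packet ENTERS on; None = generated by pfSense itself
    src: str
    dst: str
    proto: str            # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str            # interface tab the rule lives on
    action: str           # "pass" or "block"
    dst: str              # "any", "this_firewall", "<iface> address", "<iface> net" or CIDR
    dport: Optional[int] = None
    proto: str = "any"


def dst_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "this_firewall":
        return pkt.dst in this_firewall()
    name, _, kind = rule.dst.partition(" ")
    if kind == "address":                       # e.g. "vlan200 address"
        return pkt.dst == INTERFACES[name][0]
    if kind == "net":                           # e.g. "lan net"
        return ip_address(pkt.dst) in ip_network(INTERFACES[name][1])
    return ip_address(pkt.dst) in ip_network(rule.dst)   # plain CIDR


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and dst_matches(rule, pkt))


def nat_redirect(pkt: Packet, redirect_on: frozenset) -> Packet:
    """Toy 'redirect DNS' port forward: on the chosen interfaces, DNS that is not
    already aimed at the interface address is rewritten to it.  NAT runs before
    filtering, so the rewritten packet is what the rules then see."""
    if pkt.iface in redirect_on and pkt.dport == 53:
        own = INTERFACES[pkt.iface][0]
        if pkt.dst != own:
            return replace(pkt, dst=own)
    return pkt


def evaluate(rules: list[Rule], pkt: Packet, redirect_on: frozenset = REDIRECT_DNS_ON) -> tuple[str, str]:
    """First-match evaluation of the rules on the packet's ingress interface."""
    if pkt.iface is None:
        # The resolver's upstream query is created inside pfSense and leaves on
        # WAN; it never enters an interface, so no interface rule is consulted.
        return "pass", "locally generated; interface rules do not apply"
    pkt = nat_redirect(pkt, redirect_on)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, f"{rule.iface}: {rule.action} dst={rule.dst} port={rule.dport}"
    return "block", "implicit default deny"


# Constructed rule set in the shape moji describes (assumption).
RULES = [
    Rule("vlan200", "pass",  "vlan200 address", 53, "udp"),   # DNS to the resolver only
    Rule("vlan200", "pass",  "vlan200 address", 53, "tcp"),
    Rule("vlan200", "block", "this_firewall"),                # nothing else on any pfSense IP
    Rule("vlan200", "pass",  "any", 80,  "tcp"),
    Rule("vlan200", "pass",  "any", 443, "tcp"),
    Rule("vlan200", "block", "any"),                          # Guest: Deny ALL at the end
    Rule("lan",     "pass",  "this_firewall", 443, "tcp"),    # GUI on any pfSense address
    Rule("lan",     "pass",  "any"),                          # Home/LAN: allow-all at the end
]

# Constructed packets covering the thread's questions (assumption).
SCENARIOS = {
    "guest -> resolver":       Packet("vlan200", "192.168.200.50", "192.168.200.1", "udp", 53),
    "guest -> 1.1.1.1 direct": Packet("vlan200", "192.168.200.50", UPSTREAM_DNS,    "udp", 53),
    "guest -> GUI on vlan ip": Packet("vlan200", "192.168.200.50", "192.168.200.1", "tcp", 443),
    "guest -> GUI via wan ip": Packet("vlan200", "192.168.200.50", "203.0.113.10",  "tcp", 443),
    "lan -> GUI via wan ip":   Packet("lan",     "192.168.1.20",   "203.0.113.10",  "tcp", 443),
    "internet -> GUI on wan":  Packet("wan",     "198.51.100.7",   "203.0.113.10",  "tcp", 443),
    "resolver -> 1.1.1.1":     Packet(None,      "203.0.113.10",   UPSTREAM_DNS,    "udp", 53),
}


def verdicts(rules: list[Rule] = RULES, redirect_on: frozenset = REDIRECT_DNS_ON) -> dict[str, str]:
    return {name: evaluate(rules, pkt, redirect_on)[0] for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for name, pkt in SCENARIOS.items():
        print(f"{name:26s} {' / '.join(evaluate(RULES, pkt))}")
```

Two things the run makes visible: the Guest client's query to 1.1.1.1 passes only because the redirect rewrites it to the interface address first (drop `vlan200` from `redirect_on` and the same packet hits the Deny ALL), and the "lan -> GUI via wan ip" case passes while "internet -> GUI on wan" is dropped, which is viragomann's point that a "This Firewall" rule is scoped by the tab it sits on. On a real box the equivalent check is to read the compiled ruleset with `pfctl -sr` and the NAT table with `pfctl -sn` and confirm the interface each rule is bound to.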

                @Gertjan Gotcha! Now I get it, thanks

                  moji @viragomann

                  @viragomann Once again thanks for the kind help!! I got my question solved, I gave a thumbs up to both of you, and I guess this marks the question as solved:)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.