Netgate Discussion Forum

    pfSense Firewall rules don't seem to have any effect ?

    19 Posts 4 Posters 1.4k Views
      abesh @viragomann

      @viragomann @AndyRH

      I have been reading up on this and am going to try it out tomorrow. Couple of questions :

      • Do I need a managed switch to get this working ? I am guessing YES.
      • Do I have to create two VLANs, Home (all home devices) and DMZ (pihole), or can I do with LAN and a VLAN (DMZ for Pihole)? Which subnet should pfSense be part of? pfSense has a passthrough external IP as well as an internal one (192.168.1.1 - same subnet as my ATT modem).
      • The pfSense web interface is also accessible via the external IP. Is there a way to disable this ?
      • And lastly, i have configured the pfSense DNS Resolver as a forwarder to Pihole and also set the DNS settings to the Pihole DNS. This actually causes all DNS traffic to go solely to the Pihole. Therefore do I achieve anything extra in going through with the effort of setting up VLANs?
        SteveITS Galactic Empire @abesh

        It’s a bad idea to have pfSense exposed to the Internet. By default it is not. Are you accessing the WAN IP from the internet, or LAN? The latter is allowed because LAN has a default allow rule. (The packet is through the gate and pfSense knows what to do with it, “that’s me!”). WAN has no rules so blocks all traffic by default.

        Re: DNS:
        https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          abesh @SteveITS

          @SteveITS You are correct! I was accessing the WAN IP from the LAN!!! Thanks so much!

            abesh @SteveITS

            @SteveITS And also, are you implying that I do not need to do the entire setup at all?

              AndyRH @abesh

              @abesh said in pfSense Firewall rules don't seem to have any effect ?:

              Do I have to create two VLANs

              No, this will work with a single subnet. My example covers multi-VLAN. Just do the steps for your 1 VLAN.

              o||||o
              7100-1u

                SteveITS Galactic Empire @abesh

                @abesh said in pfSense Firewall rules don't seem to have any effect ?:

                are you implying that I do not need to do the entire setup at all?

                No, tbh I didn't read the rest. It was late for me and I thought I'd address that one point about the WAN IP.


                  abesh @SteveITS

                  @SteveITS @AndyRH Thank you so much !!!

                    abesh @SteveITS

                    @SteveITS said in pfSense Firewall rules don't seem to have any effect ?:

                    Re: DNS:
                    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                    So I tried this but landed into issues. I think I know what the issue is but am not quite sure how to solve it.
                    On my pfSense I run the DNS Resolver with forwarding turned on to pihole. Pihole runs unbound locally and answers queries.
                    The NAT port forwarding above redirects all DNS queries back to the pihole, including the ones originating from it, and thus I am not able to resolve anything.
                    Any idea how I would get past this other than moving the pihole to a VLAN of its own? Thanks again @AndyRH @SteveITS!

                      AndyRH @abesh

                      @abesh This may help. I point pfSense and PiHole to an outside DNS. DHCP points the clients to PiHole. PiHole points to pfSense for the local domain home.arpa.
                      This arrangement prevents a reference loop. pfSense is the root for home.arpa.
                      My PiHoles serve DNS for several VLANs, including the one they are on.

                      pfSense does not do anything where it would need ad blocking, so there is no useful reason to have it go to PiHole.

                      Another tidbit: the OS running PiHole sometimes will have DNS resolution problems; to prevent this I also point the PiHole OS to an outside DNS. This also solves the problem of how to fix PiHole if the OS cannot resolve internet names. I like to use DHCP reservations, so I do it with DHCP. It is also valid to use static settings.
                      Later consider having 2 PiHoles for redundancy: with the settings that force DNS to PiHole, if PiHole is down you cannot resolve names.


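Added Python model, not from the thread and not pfSense code, of the loop abesh describes above and of the exemption AndyRH's arrangement avoids needing: a blanket LAN port-53 redirect also catches Pi-hole's own upstream queries, while a rule whose Source is an inverted match on the Pi-hole address leaves them alone. All addresses are constructed sample values, and the assumption that pfSense's "Invert match" behaves like pf's `!` source negation is mine.

```python
# Added example (not from the thread, not pfSense code): a model of a pf-style
# "rdr" DNS redirect on LAN, showing the Pi-hole loop and the inverted-source fix.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PIHOLE = "192.168.1.10"   # constructed sample: Pi-hole on the LAN subnet
LAN = "192.168.1.0/24"
UPSTREAM = "9.9.9.9"      # constructed sample: Pi-hole's upstream resolver

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class RdrRule:
    """rdr on lan proto udp from [!]src_net to any port dport -> target"""
    src_net: str
    invert_src: bool   # pfSense "Invert match" on Source, pf's "!" (assumed)
    dport: int
    target: str

def apply_rdr(pkt: Packet, rule: RdrRule) -> Packet:
    """Rewrite the destination when the packet matches the rule."""
    if pkt.dport != rule.dport:
        return pkt
    src_matches = ip_address(pkt.src) in ip_network(rule.src_net)
    if src_matches == rule.invert_src:  # inverted rules match the non-members
        return pkt
    return Packet(pkt.src, rule.target, pkt.dport)

def query_path(client: str, rule: RdrRule) -> list[str]:
    """Destinations reached by a client query and Pi-hole's follow-up query."""
    first = apply_rdr(Packet(client, "8.8.8.8", 53), rule)  # client bypass try
    hops = [first.dst]
    if first.dst == PIHOLE:
        # Pi-hole forwards upstream; that packet crosses the same LAN rdr rule
        second = apply_rdr(Packet(PIHOLE, UPSTREAM, 53), rule)
        hops.append(second.dst)
    return hops

def loops(rule: RdrRule) -> bool:
    """True when Pi-hole's upstream query is redirected back to itself."""
    path = query_path("192.168.1.50", rule)  # constructed client address
    return len(path) == 2 and path[1] == PIHOLE

NAIVE = RdrRule(LAN, False, 53, PIHOLE)    # redirects everything, incl. Pi-hole
FIXED = RdrRule(PIHOLE, True, 53, PIHOLE)  # from ! 192.168.1.10: Pi-hole exempt
```

`loops(NAIVE)` is true and `loops(FIXED)` is false; non-DNS traffic passes both rules untouched.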
                        abesh @AndyRH

                        @AndyRH Awesome ! Thank you :) Isn't the setup then sort of similar to one that I started with ?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.