[SOLVED] Help: Example basic configuration: Outbound LAN: Allow DNS access setup
-
What is your WAN config like and are you using the built in dns forwarder?
A "normal" install of pfsense doesnt normally require any of those DNS rules so it might be worth looking at the wan config side of things, maybe you have some rules there blocking your lan from accessing the net?
A straight forward Wan & Lan (duel nic) setupusing ipv4 & ipv6 would have :
Wan rules
RFC 1918 networks Block private networks
Reserved/not assigned by IANA Block bogon networksLan rules
Destination LAN Address 443/80 Anti-Lockout Rule
Proto IPv4 Source LAN net Default allow LAN to any rule
Proto IPv6 Source LAN net Default allow LAN IPv6 to any ruleAnd that would be enough to get net access with DNS entries either bing picked up from your router or putting the DNS server ip address in the System, General Setup, DNS servers fields.
-
For security concerns, I don't want to allow LAN to any rule. I'm looking to disable Proto IPv4 Source LAN net Default allow LAN to any rule and Proto IPv6 Source LAN net Default allow LAN IPv6 to any rule. I'm looking to disable these 2 rules and keep my internet alive. Thanks.
What is your WAN config like and are you using the built in dns forwarder?
These are screen captures of my present settings. I did a default installation of pfSense (Quick/Easy Install). I have not changed any settings.
Internet-> pfSense-> D-Link EBR-2310-> My Single Computer
-
Of course you lose internet connection, you're only allowing DNS out. If you go to your command prompt and type "nslookup" and then an internet address, such as google.com, you should be able to get DNS records. To actually allow HTTP and HTTPS traffic out, you need to allow those ports on your LAN firewall rules. Simply allowing DNS out is not enough to access web sites, only to resolve their addresses.
-
-
You should allow ports 80 and 443. I don't know how much more clear I can make that information.
-
You should allow ports 80 and 443. I don't know how much more clear I can make that information.
Thank you for your answer timthetortoise
If I understand correctly, I have to add 2 more rules to the picture (6)?
I thought the first gray Anti-Lockout Rule (on top picture 6) LAN Address 443/80 was sufficient.So, I have to adjust the rules like picture (11), below. Right?
-
The third rule (port 53 to LAN address) is unnecessary, but yes, that should work for you. If everything's in your LAN address' subnet, you could change the Source for all of them to LAN net - if, however, it's not all in the same subnet, but you still want it to be allowed out, you will want to either set up a network alias, or allow from any source.
-
-
Well, does it work? If so, then yes. If not, then no. But for a basic network infrastructure, that should work fine.
-
Everything works, thanks a lot!