Netgate Discussion Forum
    Opendns+pfsense (web-filtering)

    Firewalling
xcore2soul

Hi there, I have implemented OpenDNS with my pfSense in my office, but the problem is that any geek can just change the DNS address of the machine and surf the internet without any barriers.

All I want is to force all my pfSense DHCP clients to use the OpenDNS IP, and if they change the DNS IP then no internet should work on their computer.

Thank you

doktornotor

        https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
        https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

xcore2soul

Still no progress.

I created the firewall rule, but after that I was unable to surf the internet on any of my pfSense DHCP clients.

Please help me…

          ![Screenshot from 2015-06-16 15:50:17.png](/public/imported_attachments/1/Screenshot from 2015-06-16 15:50:17.png)

doktornotor

            Because you need to point your clients to your pfSense LAN IP as DNS server. And point the DNS server on your pfSense to forward the queries to OpenDNS. And if that's not what you want to do, you'll need to mix and match those two articles a bit more creatively and learn something.

xcore2soul

I created the NAT rule too, but my pfSense DHCP clients are still unable to connect to the internet.

              ![Screenshot from 2015-06-16 16:08:55.png](/public/imported_attachments/1/Screenshot from 2015-06-16 16:08:55.png)

doktornotor

If the previous screenshot is your entire ruleset on LAN, then they will never be able to connect to the Internet, since you nuked the default allow rule for an unknown reason.

xcore2soul

Thanks for the answer, but please guide me on how to sort out this problem.

What are the steps I have to carry out to accomplish this task?

Do I have to delete the firewall LAN rule, or what do I have to do?

doktornotor

                    No, you need to put the default allow rule back below those DNS rules to allow outgoing traffic!

xcore2soul

Is this the correct order?

Please give a specific answer or guide; I am new to the pfSense router.

                      ![Screenshot from 2015-06-16 16:34:27.png](/public/imported_attachments/1/Screenshot from 2015-06-16 16:34:27.png)

doktornotor

No. Now you've blocked all DNS. No idea why you felt the need to shuffle those DNS rules. You also pretty much want "any", not "TCP/UDP", on the last rule. Otherwise ping won't work, and a bunch of other things won't work either.

xcore2soul

So shall I move the block rule to the bottom, or what?

Can you please guide me through the steps? It would be great.

doktornotor

                            @doktornotor:

                            No, you need to put the default allow rule back below those DNS rules to allow outgoing traffic!

                            Not really sure what more to say.

                            In general, read the fine docs. Managing firewalls without basic understanding of how it works is dangerous.

                            https://doc.pfsense.org/index.php/Firewall_Rule_Basics
                            https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
                            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

xcore2soul

My scenario is that I want pfSense DHCP clients to use only the OpenDNS IP, and if they change to another DNS address on their machine then I want no internet on their machine.

That's what I want.

So what has to be done?

doktornotor

                                Yeah, and you have all the needed answers above.

KOM

@xcore2soul:

so what has to be done?

                                  You have to follow the instructions you have been given.

                                  #1.  Read this https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers and then make your LAN rules look like that.
                                  #2.  Read this https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense and then add that NAT rule.

                                  Dok spelled it all out for you.  The docs are clear.  What else do you need???

doktornotor

                                    If reading hurts too much: there are only 3! permutations of those 3 rules and only one does what you want.  :P

xcore2soul

THANK YOU!!! FINALLY I DID IT… IT WAS ALL YOUR HELP

…PEACE

xcore2soul

I am now able to block the use of third-party DNS servers on my network, and if anyone changes their DNS IP they are forcibly redirected to my firewall LAN IP, which works like a charm.

But now I want specific IP addresses to be excluded from that firewall rule and allowed to use the internet with any public DNS servers.

Is that possible? If so, please guide me…

                                        Thank You

doktornotor

                                          Create an alias for excluded IPs.
                                          Use the alias negated (NOT) as source in the NAT rule.
                                          Use the alias negated (NOT) as source in the block rule.

MarkVLK
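The two points the thread turns on are rule order and the exemption alias. The model below is an added example, not pfSense code and not from anyone in the thread: it reproduces pfSense's first-match ("quick") evaluation of LAN rules, checks every ordering of the three rules from the "Blocking DNS queries to external resolvers" doc, and then adds the port forward from the "Redirecting all DNS Requests to pfSense" doc with the negated alias doktornotor describes. The LAN address, the host in the alias, the alias name `DNS_Exempt`, the rule names and the traffic samples are constructed; the placement of the NAT-associated pass rule above the block rule is an assumption.

```python
"""Added example: a model of pfSense first-match LAN rule processing
for the DNS lockdown discussed above. Not pfSense code; addresses,
alias name, rule names and sample packets are constructed."""
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

LAN_IP = "192.168.1.1"           # assumed pfSense LAN address
DNS_EXEMPT = {"192.168.1.50"}    # assumed alias "DNS_Exempt": hosts allowed any resolver
LOCALHOST = "127.0.0.1"          # redirect target used by the NAT doc


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "pass" or "block"
    proto: str = "any"           # "any" or "tcp/udp"
    dst: str = "any"             # "any", "LAN address" or a literal IP
    dport: Optional[int] = None
    src_not_exempt: bool = False  # Source = NOT DNS_Exempt (alias negated)

    def matches(self, pkt: Packet) -> bool:
        if self.src_not_exempt and pkt.src in DNS_EXEMPT:
            return False
        if self.proto == "tcp/udp" and pkt.proto not in ("tcp", "udp"):
            return False
        want = LAN_IP if self.dst == "LAN address" else self.dst
        if want != "any" and pkt.dst != want:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """pfSense rules are 'quick': the first matching rule decides."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "block"               # implicit default deny at the end


# Step 1: the three LAN rules from the blocking doc, before any NAT.
PASS_DNS_TO_FW = Rule("pass DNS to firewall", "pass", "tcp/udp", "LAN address", 53)
BLOCK_OTHER_DNS = Rule("block DNS to anything else", "block", "tcp/udp", "any", 53)
DEFAULT_ALLOW = Rule("default allow LAN to any", "pass")   # protocol any, not TCP/UDP

# Constructed traffic and the verdict each packet must receive.
WANTED = {
    Packet("192.168.1.20", LAN_IP, "udp", 53): "pass",              # ask the firewall
    Packet("192.168.1.20", "208.67.222.222", "udp", 53): "block",   # ask OpenDNS directly
    Packet("192.168.1.20", "93.184.216.34", "tcp", 443): "pass",    # ordinary web traffic
    Packet("192.168.1.20", "93.184.216.34", "icmp"): "pass",        # ping needs proto "any"
}


def working_orders():
    """Rule orderings (by name) that give every wanted verdict; expect exactly one."""
    good = []
    for order in permutations([PASS_DNS_TO_FW, BLOCK_OTHER_DNS, DEFAULT_ALLOW]):
        if all(evaluate(order, p) == v for p, v in WANTED.items()):
            good.append(tuple(r.name for r in order))
    return good


# Step 2: the port forward plus the exemption alias.
def port_forward(pkt: Packet) -> Packet:
    """NAT doc rule: LAN, TCP/UDP port 53, destination NOT the LAN address,
    source NOT DNS_Exempt -> 127.0.0.1:53. pf applies rdr before filtering."""
    if (pkt.proto in ("tcp", "udp") and pkt.dport == 53
            and pkt.dst != LAN_IP and pkt.src not in DNS_EXEMPT):
        return Packet(pkt.src, LOCALHOST, pkt.proto, 53)
    return pkt


# Associated filter rule pfSense creates for the port forward (assumed to sit
# above the block rule), and the block rule now also negates the alias.
NAT_ASSOC_PASS = Rule("NAT: pass redirected DNS to localhost", "pass", "tcp/udp", LOCALHOST, 53)
BLOCK_OTHER_DNS_EXEMPT = Rule("block DNS to anything else (NOT DNS_Exempt)", "block",
                              "tcp/udp", "any", 53, src_not_exempt=True)
FINAL_RULESET = [NAT_ASSOC_PASS, PASS_DNS_TO_FW, BLOCK_OTHER_DNS_EXEMPT, DEFAULT_ALLOW]


def verdict(pkt: Packet):
    """(final destination, action) for a LAN packet under the final ruleset."""
    redirected = port_forward(pkt)
    return redirected.dst, evaluate(FINAL_RULESET, redirected)


if __name__ == "__main__":
    print(working_orders())
    print(verdict(Packet("192.168.1.20", "8.8.8.8", "udp", 53)))   # normal host: redirected
    print(verdict(Packet("192.168.1.50", "8.8.8.8", "udp", 53)))   # exempt host: goes out as-is
```

Running it shows the only working order is pass-to-firewall, block-elsewhere, default-allow, which is the ordering both docs describe; a normal client's query to 8.8.8.8 is silently rewritten to 127.0.0.1 and answered by pfSense, while the exempt host's query leaves untouched because both the NAT rule and the block rule skip it.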

Just trying to get some more help with setting up OpenDNS on my pfSense router/firewall. Dok here has tried a bit, though I haven't gotten any further than I previously posted about in this thread: https://forum.pfsense.org/index.php?topic=94912.

I restarted the pfSense box and my computer, but OpenDNS claims I'm still not using their DNS servers. I turned on logging for the firewall rules that allow IPv4 and IPv6 DNS traffic to LAN address, and also for the NAT auto-generated rule that allows DNS traffic to 127.0.0.1, then tried browsing sites and checking my OpenDNS setup on their website, and saw the log entries go up in the firewall log. How is it possible that I'm not using the OpenDNS servers set up in my System > General section? I even tried manually setting the OpenDNS IPv4 and IPv6 DNS servers in my Windows network adapter properties and still saw the DNS firewall logs populate, but OpenDNS still says I'm not using their servers.

                                            In case it's relevant, my DNS Resolver settings are the following:

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.