Pfblockerng and domain lists
-
Checklist:
- DNSBL Service is running?
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
- Can the LAN devices ping the DNSBL VIP?
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
-
- DNSBL Service is running?
Verified it is running.
- Ensure the LAN devices have pfSense Resolver as its only DNS Server
Yes, this is the case.
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or Pfsense so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the Pfsense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
-
So just to test, I changed the DNSBL VIP to match the IP address on the Bridge interface which is also the DNS server. This works, I see a 1x1 and I see Alerts now for DNSBL.
What do most people use for this VIP? The client needs to be able to route to it obviously. I'm wondering if the bridged interfaces (LAN/WAN) have anything to do why a bogus VIP doesn't respond in this case?
-
- Can the LAN devices ping the DNSBL VIP?
I cannot ping the IP. That IP doesn't "live" anywhere else on the network or Pfsense so not sure how that would work. Also, my LAN and WAN interfaces are bridged. The DNS server on the Pfsense is the logical bridge interface.
- Can the LAN devices browse to the DNSBL VIP and get the 1x1 gif?
No, I just get a timed out page.
ok need to fix those issues… If you have a multi-segmented LAN, there is an option to auto-create a Floating Permit Rule to allow other LAN subnets to hit the DNSBL VIP... See the checkbox in the DNSBL Tab...
-
With the policy I have no, all of the LAN is allowed anywhere so this should have already been in place by policy.
-
With the policy I have no, all of the LAN is allowed anywhere so this should have already been in place by policy.
First step is to figure out what is blocking the LAN devices from hitting (ping and browse) the DNSBL VIP… Could be a Firewall Rule/NAT/Limiter etc....
-
Here is what I found. I restored my Layer 3 configuration for Pfsense where the LAN interface is routing and things work as expected even when bogus DNSBL VIP isn't routable to rest of network. I use 172.16.100.0/24 for LAN and 198.18.100.100 for VIP. It seems like this is because I was in bridge mode. Worst case, I just don't have the DNSBL logs with domains in bridge mode and just raw logs to 8081/8443.
-
Bridges are generally an issue… If you run an "ifconfig" does the bridged interface show an IP? Keep note that the DNSBL VIP is an "alias IP", so the chosen DNSBL Interface should be a real interface. Not an expert in bridges either... :)
-
172.16.100.200 is the IP I assigned and is being used as DNS server. 198.18.100.100 is the VIP.
bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
ether 02:7e:6a:cb:6f:00
inet 172.16.100.200 netmask 0xffffff00 broadcast 172.16.100.255
inet 198.18.100.100 netmask 0xffffffff broadcast 198.18.100.100</up,broadcast,running,simplex,multicast> -
Confirmed that the DNSBL VIP will not be accessible when Pfsense is in bridge mode even when the Bridge logical interface is used for DNSBL listening. It works fine in Layer 3 mode and DNSBL alerts are visible.
