White list a LAN IP address
-
After following this guide:
https://www.reddit.com/r/PFSENSE/comments/48iiq4/pfblockerng_exceptionswhitelist/d0kt7ju
I've determined that it's not working, apparently.
What I'm trying to accomplish:
I need a LAN IP host to not use the DNSBL ad blocking while the rest of the LAN network continues to enjoy blocked ads.
Running:
pfSense 2.3.2-RELEASE (amd64)
pfBlockerNG 2.1.1_4
Any help would be appreciated. Just need to continue enjoying pfBlockerNG on my LAN while excluding one of my LAN PCs so it can view ads.
Thanks! :)
-
The guide is to whitelist IPs.
DNSBL works in the Domain name space, not in the IP Space.
Your LAN device asks a name server: What is doodle.com's IP?
The name server would normally return: doodle.com's IP is 12.234.56.9
pfBlockerNG/DNSBL in pfSense manages a list of domain names to block, and it configures the pfSense name server to return the VIP for those hosts instead of providing the actual domain name IP.
pfSense name server returns: doodle.com's IP is 10.10.10.1 8)
The LAN device uses the IP returned and starts the connection. The FW is configured to redirect 10.10.10.1 to itself.
If this is an HTTP/S request, the NAT rule redirects it to the DNSBL web server, which answers the request, returns a 1x1 GIF, and also logs the request.
For other types of connection (Telnet, NTP, ICMP, etc.), pfSense handles the request, which will probably be blocked by the default block rule. No logging is configured for non-HTTP/S connections.
pfBlockerNG/DNSBL does NOT block doodle.com's actual IP (12.234.56.9); it returns the VIP (10.10.10.1) to the LAN device.
If you want a LAN device to bypass DNSBL, configure it to query a DNS Server without DNSBL. ;)
Ex: another DNS server in your network, Google DNS servers ( 8.8.8.8 ), OpenDNS server ( 208.67.222.222, 208.67.220.220 ).
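Added example, not code from this thread or from pfBlockerNG: a small Python model of the flow the answer above describes. Blocked names resolve to the sinkhole VIP, the firewall redirects HTTP/S to the VIP to a web server that logs and answers with a 1x1 GIF, any other protocol to the VIP hits the default block rule, and a device pointed at a resolver without DNSBL simply gets the real address. The doodle.com/12.234.56.9/10.10.10.1 values come from the post; the second domain, the client addresses, and all class and function names are constructed for illustration.

```python
"""Model of the DNSBL sinkhole flow described above (illustration, not pfBlockerNG code)."""
from dataclasses import dataclass, field

VIP = "10.10.10.1"  # sinkhole VIP used in the post

# Constructed DNS records (doodle.com / 12.234.56.9 is the post's example).
UPSTREAM_RECORDS = {"doodle.com": "12.234.56.9", "news.example": "203.0.113.7"}
# Constructed DNSBL feed with a single blocked domain.
DNSBL_FEED = {"doodle.com"}


def _normalise(name: str) -> str:
    """Case-fold and strip the trailing dot so lookups match the feed."""
    return name.lower().rstrip(".")


@dataclass
class DnsblResolver:
    """pfSense resolver with DNSBL: blocked names are answered with the VIP."""
    blocklist: set
    vip: str
    upstream: dict

    def resolve(self, name: str):
        name = _normalise(name)
        if name in self.blocklist:
            return self.vip          # sinkhole answer; the real IP is never returned
        return self.upstream.get(name)


@dataclass
class PlainResolver:
    """Any DNS server without DNSBL (another LAN server, 8.8.8.8, OpenDNS, ...)."""
    upstream: dict

    def resolve(self, name: str):
        return self.upstream.get(_normalise(name))


@dataclass
class Firewall:
    """The NAT/filter behaviour the post describes for traffic to the VIP."""
    vip: str
    log: list = field(default_factory=list)

    def handle(self, client_ip: str, dst_ip: str, dst_port: int, host: str) -> str:
        if dst_ip != self.vip:
            return "pass"            # DNSBL never blocks the real IP
        if dst_port in (80, 443):
            # NAT redirect to the DNSBL web server: logged and answered with a 1x1 GIF
            self.log.append({"client": client_ip, "host": host, "port": dst_port})
            return "1x1gif"
        return "blocked"             # default block rule, not logged


def connect(client_ip, resolver, firewall, host, port=443):
    """One client connection: DNS lookup first, then the firewall's verdict."""
    ip = resolver.resolve(host)
    if ip is None:
        return ("NXDOMAIN", "no-connection")
    return (ip, firewall.handle(client_ip, ip, port, host))


def demo():
    """Run the four cases from the thread and return (results, firewall log)."""
    fw = Firewall(VIP)
    dnsbl = DnsblResolver(DNSBL_FEED, VIP, UPSTREAM_RECORDS)
    plain = PlainResolver(UPSTREAM_RECORDS)
    results = {
        # Ordinary LAN host using the pfSense resolver: ad domain is sinkholed.
        "lan_https": connect("192.168.1.20", dnsbl, fw, "doodle.com", 443),
        # Same host, non-HTTP protocol to the sinkhole: dropped without a log entry.
        "lan_ntp": connect("192.168.1.20", dnsbl, fw, "doodle.com", 123),
        # The one PC that should see ads: points at a resolver without DNSBL.
        "exempt_https": connect("192.168.1.50", plain, fw, "doodle.com", 443),
        # A domain not in the feed resolves normally through the DNSBL resolver.
        "lan_other": connect("192.168.1.20", dnsbl, fw, "news.example", 443),
    }
    return results, fw.log


if __name__ == "__main__":
    for case, verdict in demo()[0].items():
        print(case, verdict)
```

The exempt host never touches the VIP because its resolver hands back 12.234.56.9 directly, which is exactly why changing the device's DNS server is the bypass: the firewall only has something to redirect when the sinkhole address is in play.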
-
Ah! So basically configure this at the device level. Android, for example: https://support.opendns.com/hc/en-us/articles/228009007-Android-Configuration-instructions-for-OpenDNS
That's a duplicable solution indeed. Thanks!