Netgate Discussion Forum
    Network Configuration with snort VLANs…..and PfBlocker?

Velcro

My basic set up is as follows:

- The rules for one of my VLANs are posted above, the other VLANs are similar
- My default LAN is used for admin of pfsense only, no internet access
- 3 VLANs: guest, IOT devices and personal, with the parent interface of opt1 (the opt1 interface is what my Unifi AP is connected to)
- Default LAN = web GUI access
- Opt2 is for Apple TV
- I have a sg2440 netgate/pfsense box and a Unifi AP
- I run snort on my Interfaces
- I am running PfBlocker on my VLANs (deny both)
- Viper vpn on my network
- Unbound dns resolver utilizing OpenDNS IPs

I have my setup pretty tight with aliases for devices and ports…any suggestions would be appreciated.

Thanks :)
Velcro

Does anybody have any insight into this? If not, I was thinking of starting a new post in the firewalling or general section of the forum, as this likely has something to do with my dns settings or dns configuration.

My specific question is: why do I need the custom allow rule to the 127.0.0.1 IP (I modified an "easy rule") to get PfBlocker to work? Is this rule safe and a best practice, or is there a different adjustment I need to make?

PS I have been using pfblockerng with some custom lists and love it!
vpreatoni

I can confirm pfBlocker is bugged regarding the allow access rule.

I have a similar environment (multi VLAN). When accessing some blocked domain (eg: http://100pour.com/ ) I get a browser timeout instead of the 1x1px image.

Firewall log:

Action  Time             Interface  Source         Destination           Protocol
        Sep 18 18:34:48  VLAN10     10.10.10.1:80  192.168.10.108:50216  TCP:SA

Firewall log when accessing HTTPS blocked domains:

Action  Time             Interface  Source          Destination           Protocol
        Sep 18 18:39:38  VLAN10     10.10.10.1:443  192.168.10.108:49394  TCP:SA

Auto NAT rules VLAN10:

rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443

So, if I manually edit the Auto NAT rules option "Filter rule association" from None to Pass, IT WORKS! NAT rules now look like this:

rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443

But after reloading the pfBlocker configuration, it reverts back to the buggy NAT rule. Can you please check this behavior??
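A small check, added here and not from the thread or the pfBlockerNG package, that parses rdr rules in the one-line form quoted above (as `pfctl -sn` prints them) and reports which DNSBL redirects have no `pass` association, i.e. the state the post describes after a pfBlocker reload. The VIP 10.10.10.1 and the em0_vlan10 rules are the ones from this post; the em0_vlan20 rules and the `nat` line are constructed sample input.

```python
import re

# Shape of the rdr rules quoted in the thread (one rule per line, as printed
# by `pfctl -sn`); the "pass" keyword is present only when the port forward's
# "Filter rule association" is Pass.
RDR_RE = re.compile(
    r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+tcp\s+"
    r"from\s+any\s+to\s+(?P<vip>\S+)\s+port\s+=\s+(?P<svc>\S+)\s+->\s+"
    r"(?P<target>\S+)\s+port\s+(?P<tport>\d+)$"
)


def parse_rdr(line):
    """Return a dict for one rdr rule, or None if the line is not one."""
    m = RDR_RE.match(line.strip())
    if m is None:
        return None
    rule = m.groupdict()
    rule["pass"] = rule["pass"] is not None
    return rule


def find_unassociated(rules_text, vip):
    """List (iface, svc) for rdr rules to `vip` that carry no 'pass' keyword.

    Without 'pass', pf only rewrites the destination; the redirected packet
    still has to be allowed by a filter rule on the VLAN interface, which is
    the TCP:SA block the thread's firewall logs show.
    """
    return [
        (r["iface"], r["svc"])
        for r in map(parse_rdr, rules_text.splitlines())
        if r is not None and r["vip"] == vip and not r["pass"]
    ]


# Constructed sample: the VLAN10 lines are the "buggy" state quoted above,
# the VLAN20 lines (hypothetical interface) show the corrected state.
SAMPLE = """\
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
rdr pass on em0_vlan20 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan20 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
nat on em0 inet from 192.168.10.0/24 to any -> (em0)
"""

if __name__ == "__main__":
    for iface, svc in find_unassociated(SAMPLE, "10.10.10.1"):
        print(f"{iface}: DNSBL rdr for {svc} has no 'pass' (association is None)")
```

On a real box, feed it `pfctl -sn` output in place of SAMPLE after a Force Update to see whether the association has reverted.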
BBcan177 (Moderator)

In the DNSBL tab, there is a "Permit Firewall" rule option.

Enable that and select the VLANS. Force Update.

That will create a Floating Permit rule to allow those VLANS to hit the DNSBL VIP address.

"Experience is something you don't get until just after you need it."

Website: http://pfBlockerNG.com
Twitter: @BBcan177  #pfBlockerNG
Reddit: https://www.reddit.com/r/pfBlockerNG/new/
vpreatoni

Already done that.

The pfB rule is created first as expected, and it gets matching traffic:

States  Protocol  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
        IPv4 *    *       *     10.10.10.1   *     *        none             pfB_DNSBL_Allow_access_to_VIP

But as stated before, it does not set the Pass rule on the auto NAT port redirection rules, so it fails. Manually setting Pass in the NAT rules makes it work.

I'm happy to provide any pfctl output if it helps to fix this bug.

Regards,
Víctor
BBcan177 (Moderator)

I haven't seen anyone else complain about this issue before….

But you can edit the following file:

/usr/local/pkg/pfblockerng/pfblockerng.inc

and change Line #793

From:  'associated-rule-id' => '',
To:    'associated-rule-id' => 'pass',

Reference link to code:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L793

If others chime in to approve the change, I will make it official in the next release of the package…
vpreatoni

Cheers for that, will try it.

Maybe Velcro can confirm if editing the NAT port forwarding rules fixes it too.
Velcro

I think my situation is the same; I too saw the same firewall logs. I would be happy to test and see if "…editing NAT port forwarding rules fix it too...". If you don't mind walking me thru the specific steps I will try...I have never adjusted the Port Forward rules in NAT before (I assume you are referencing the "Port Forward" rules that are added for the DNSBL Listening interface in the Firewall→NAT→Port Forward tab?).

BBcan177, definitely not complaining...you rock! I am in no position to complain about the work you do and the difference you make with pfBlocker.

I managed to get my VLANs capable of accessing the 10.10.10.1 pixel page by adding a rule onto my VLAN interfaces (see screen shot for example). I created this rule by adding and then modifying an "easy rule" based on what was being blocked in my firewall log.

My rules are fairly restrictive, and I made sure this "custom DNSBL rule" was placed below my "Allow DNS Access" and above my "Block access to firewall" rule.

Additional notes:

• I tried the "DNSBL Firewall Rule" again and removed my "Custom DNSBL rule" but was unable to access the 10.10.10.1 pixel page.
• I no longer use OpenDNS (Using DNS resolver on pfSense)
• Using PIA as my VPN provider (no longer VyperVPN…)

I am still not sure my "custom rule" is the best solution or, as you suggest, modifying a NAT rule is best...definitely willing to test. Thanks for asking...

Attachment: pfBlockerVLANrule1.png
vpreatoni

Hi Velcro,

Navigate through Firewall->NAT-> and edit both pfB auto rules.

Now you have to change the last option, Filter rule association, from None to Pass (see first attachment).
When done, you should see a Play icon next to each rule (see 2nd attachment).

If that works for you too, I can guide you on how to edit the source to make it permanent as BBcan explained. Otherwise, each time you reload pfBlocker, the rules will revert back to None.

Attachments: pass.png, pass1.png
Velcro

Awesome! Yes, that allowed me to remove my "custom rule" - Thank you!!

vpreatoni, if I could ask for your help to make this permanent, I would really appreciate it.

BBcan177, this corrected my issue…I vote for the change, but are there downsides to changing it for all?

Note added later: Just restarted my pfsense and it returned to default.
Velcro

I thought I would jump in and try to change the code, here is what I did:

Diagnostics→ Edit File→ Browse (I didn't try, but you might just be able to enter the path where it says "Path to file to be edited")

→ follow this path from BBcan: /usr/local/pkg/pfblockerng/pfblockerng.inc

and change Line #793 (enter this line on the top right of the GUI where it says "Go To Line#")

From:  'associated-rule-id'  => '',
To:    'associated-rule-id'  => 'pass',

Make sure to hit the "Save" icon.

Survived a reboot and all is working! Thank you both for your help…

My only questions are:

1. I do not have the "DNSBL Firewall Rule" checked, yet everything appears to be working. My select VLANs that I have pfBlocker running on are showing alerts. Is this just a "tweak" that is needed to get VLANs functioning?

2. BBcan, you asked: "...If others chime in to approve the change, I will make it official in the next release of the package...". Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense?

Again thank you both...

Sean
BBcan177 (Moderator)

Here is the PR to fix this bug… Thanks!

https://github.com/pfsense/FreeBSD-ports/pull/424/files