DNS Capture with an Exception
-
Greetings,
I am fairly new to pfSense and I am running it in a school environment. I am using DNS Resolver and a port-forward intercept to force all users, regardless of setting, to use my DNS, and we are filtering at the DNS level. I have the following rule:
Interface: LAN
Protocol: TCP/UDP
Destination: Network 192.168.1.1/24 INVERTED MATCH
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
NAT Reflection: Disabled
So this works without an issue. No matter what the user sets their DNS to, I intercept it and pass it through the filter. I have a few statically addressed clients that I do not want filtered. I want to be able to bypass the above rule and send them on to the Google DNS at 8.8.8.8. No matter what I try, I cannot get this to work properly. If someone could please give me a little guidance on letting statically mapped and defined local machines, i.e. 192.168.1.250, bypass the above rule and proceed without DNS being intercepted. Thanks.
-
Create an Alias containing the IPs/Networks you want excluded.
Click "Advanced" next to Source. For Source, check Invert match, select Single host or alias, and type/set the alias name.
Save the rule.
-
Thanks, I am so used to writing an all-inclusive rule and then writing exception rules above that rule to exclude things… I never thought of the easy solution like that.
-
I made the changes you mentioned but I still cannot get it to work. Right now it is bypassing all clients instead of just the alias. I can basically get it to filter all or bypass all. Perhaps I misunderstood something. Here is my rule as it sits now:
Interface: LAN
Protocol: TCP/UDP
Source: INVERT MATCH - Alias - bypassfilter
Source Port: DNS
Destination: INVERT MATCH - Network - 192.168.1.1/24
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
NAT Reflection: Use System Default
-
The source port has to be "any", only dest port is "DNS".
-
The source port has to be "any", only dest port is "DNS".
This. Applications' source ports are usually random ports, and they are in the case of DNS.
Sorry, I didn't mention that.
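The two points made in this thread (exclude the alias with an inverted Source match, and leave Source Port at "any") can be checked without a firewall by modelling how a pf rdr rule matches a packet. The block below is an added example, not code from the original posts or from pfSense: it is a simplified model of pf's rdr matching (source/destination negation, port comparison, IPv4 only), with constructed client addresses and a constructed alias called bypassfilter. The pf.conf-style rule in the comment is what the working pfSense port forward roughly corresponds to, written by hand as an assumption rather than copied from a pfSense-generated ruleset.

```python
"""Model of the pfSense DNS-intercept port forward from the thread.

Rough pf.conf equivalent of the working rule (assumption, hand-written):
  rdr on $lan proto { tcp udp } from ! <bypassfilter> to ! 192.168.1.0/24 port 53 -> 127.0.0.1 port 53
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import FrozenSet, Optional

# pfSense normalises the poster's "192.168.1.1/24" to the network address; strict=False does the same here.
LAN_NET = ipaddress.ip_network("192.168.1.1/24", strict=False)      # -> 192.168.1.0/24
LAN_GATEWAY = ipaddress.ip_address("192.168.1.1")                   # where the local resolver listens
# Constructed alias: the statically addressed clients that must not be intercepted.
BYPASSFILTER = frozenset({ipaddress.ip_address("192.168.1.250"), ipaddress.ip_address("192.168.1.251")})
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass(frozen=True)
class RdrRule:
    """One rdr (port forward) rule. A port of None means "any", as in the pfSense GUI."""
    src_alias: FrozenSet[ipaddress.IPv4Address]
    src_invert: bool
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dst_invert: bool
    dport: int
    target: str = "127.0.0.1"

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in ("tcp", "udp"):
            return False
        src_ok = pkt.src in self.src_alias
        if self.src_invert:
            src_ok = not src_ok                    # "Invert match" on Source
        dst_ok = pkt.dst in self.dst_net
        if self.dst_invert:
            dst_ok = not dst_ok                    # "Invert match" on Destination
        sport_ok = self.sport is None or pkt.sport == self.sport
        return src_ok and dst_ok and sport_ok and pkt.dport == self.dport


def apply(rule: RdrRule, pkt: Packet) -> str:
    """Return 'redirect' if the rule would send the packet to the local resolver, else 'pass'."""
    return "redirect" if rule.matches(pkt) else "pass"


def dns_query(src: str, dst: str = "8.8.8.8", sport: int = 40000, proto: str = "udp") -> Packet:
    """A client DNS query; sport defaults to a typical ephemeral port, as real resolvers use."""
    return Packet(ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), DNS_PORT, proto)


def simulate(rule: RdrRule, clients, seed: int = 1) -> dict:
    """Send one query to 8.8.8.8 from each client, each with a random ephemeral source port."""
    rng = random.Random(seed)
    return {c: apply(rule, dns_query(c, sport=rng.randint(1024, 65535))) for c in clients}


# The second rule the poster tried: Source Port set to DNS. No client query has source port 53,
# so the rule never matches and every client bypasses the filter, which is exactly what was observed.
BROKEN_RULE = RdrRule(BYPASSFILTER, True, DNS_PORT, LAN_NET, True, DNS_PORT)

# The corrected rule: Source Port "any". Alias members pass, everyone else is redirected.
FIXED_RULE = RdrRule(BYPASSFILTER, True, None, LAN_NET, True, DNS_PORT)

if __name__ == "__main__":
    clients = ["192.168.1.20", "192.168.1.250"]
    print("source port DNS :", simulate(BROKEN_RULE, clients))
    print("source port any :", simulate(FIXED_RULE, clients))
    # Queries aimed at the local resolver itself are inside the LAN network, so the
    # inverted Destination match leaves them alone.
    print("query to gateway:", apply(FIXED_RULE, dns_query("192.168.1.20", dst=str(LAN_GATEWAY))))
```

Running it prints that the rule with Source Port DNS passes both clients, while the rule with Source Port "any" redirects 192.168.1.20 and passes 192.168.1.250; a query sent directly to 192.168.1.1 is passed by either rule because the inverted Destination match excludes the LAN network. The same logic applies to a TCP query from a client with a fixed source port, which is why the check is on the destination port only.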