Netgate Discussion Forum

    DDWRT script into Pfsense

    • coodem

      I am trying to set up the instructions below, which are for DD-WRT, as rules for my pfSense. Can anyone help me out?

      1. Log in to your DD-WRT router and select Setup and then Basic Setup.

      2. Scroll down to Network Address Server Settings (DHCP) and Enable DHCP.

      3. Disable Use DNSMasq for DNS. Scroll down and Click on Apply Settings.

      4. On your DD-WRT control panel, select ADMINISTRATION from the top right section. Then Select Commands from the tabs below.

      5. Paste Followings to the Commands Shell > Commands section.

      iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 23.21.43.50
      iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 54.229.171.243
      iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 23.21.43.50
      iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 54.229.171.243

      iptables -I FORWARD --destination 8.8.8.8 -j REJECT
      iptables -I FORWARD --destination 8.8.4.4 -j REJECT

      iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
      iptables -I FORWARD -d 108.175.32.0/255.255.240.0 -j REJECT
      iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
      iptables -I FORWARD -d 198.45.48.0/255.255.240.0 -j REJECT
      iptables -I FORWARD -d 185.2.220.0/255.255.252.0 -j REJECT
      iptables -I FORWARD -d 23.246.0.0/255.255.192.0 -j REJECT
      iptables -I FORWARD -d 37.77.184.0/255.255.248.0 -j REJECT

      • Rico

        So you want your Clients only using 23.21.43.50 and 54.229.171.243 and blocking any external DNS?
        You can follow this guide: https://www.netgate.com/docs/pfsense/dns/blocking-dns-queries-to-external-resolvers.html

        -Rico

        • coodem

          Thank you for that. Getting closer bit by bit. Any idea what all this is doing? It may sound stupid, but I am following instructions from the DD-WRT forum and trying to apply them to pf.

          I get the blocking of Google DNS
          and only allowing certain DNS,
          but what is this achieving? I don't recognise those addresses:

          iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
          iptables -I FORWARD -d 108.175.32.0/255.255.240.0 -j REJECT
          iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
          iptables -I FORWARD -d 198.45.48.0/255.255.240.0 -j REJECT
          iptables -I FORWARD -d 185.2.220.0/255.255.252.0 -j REJECT
          iptables -I FORWARD -d 23.246.0.0/255.255.192.0 -j REJECT
          iptables -I FORWARD -d 37.77.184.0/255.255.248.0 -j REJECT

          • Rico

            You can check these network blocks via ripe.net
            If you really need them completely blocked or rejected just put them in some Alias in pfSense and setup another Firewall Rule.

            -Rico

            • Rico

              If you need DNS redirecting, e.g. because the DNS Servers are hardcoded in some application also check out https://www.netgate.com/docs/pfsense/dns/redirecting-all-dns-requests-to-pfsense.html

              -Rico

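An added example, not from this thread or from pfSense, that parses the pasted DD-WRT script in Python: it converts the dotted-netmask REJECT destinations to CIDR for a pfSense Alias and reproduces the ordering of `iptables -I`, which shows that only the last-inserted DNAT target per protocol ever receives redirected queries (function names and the abridged sample are my own).

```python
import ipaddress
import shlex

# Constructed sample: the DD-WRT command block quoted in the thread (abridged).
DDWRT_RULES = """
iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 23.21.43.50
iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 54.229.171.243
iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 23.21.43.50
iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 54.229.171.243
iptables -I FORWARD --destination 8.8.8.8 -j REJECT
iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
"""

def to_cidr(target: str) -> str:
    """Normalise '37.77.176.0/255.255.240.0' or a bare host to CIDR notation."""
    # ip_network accepts dotted-quad masks; strict=False tolerates set host bits.
    return str(ipaddress.ip_network(target, strict=False))

def parse_opts(argv: list) -> dict:
    """Map 'iptables -I FORWARD -d X -j REJECT' to {'-I': 'FORWARD', '-d': X, ...}."""
    opts, i = {}, 1
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts[argv[i]] = argv[i + 1] if has_value else None
        i += 2 if has_value else 1
    return opts

def parse_rules(text: str) -> dict:
    """dns_redirect: per protocol, the DNAT chain as the kernel orders it
    (-I prepends, so the last line pasted is matched first);
    blocked_nets: the REJECT destinations as CIDRs for a pfSense Alias."""
    out = {"dns_redirect": {}, "blocked_nets": [], "unhandled": []}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] != "iptables":
            continue
        o = parse_opts(argv)
        if o.get("-j") == "DNAT" and o.get("--dport") == "53":
            # Simulate 'iptables -I': the new rule goes to the head of the chain.
            out["dns_redirect"].setdefault(o["-p"], []).insert(0, o["--to-destination"])
        elif o.get("-j") == "REJECT":
            out["blocked_nets"].append(to_cidr(o.get("-d") or o["--destination"]))
        else:
            out["unhandled"].append(line)
    return out

def effective_dns_target(parsed: dict, proto: str) -> str:
    """First match wins, so only the head of each chain ever receives queries."""
    return parsed["dns_redirect"][proto][0]
```

The `blocked_nets` list is what goes into the Alias Rico mentions; the `dns_redirect` chains show why, on the DD-WRT box, 23.21.43.50 was never actually used.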
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.