Netgate Discussion Forum
    Block all but allow DNS port 53

    Firewalling
    • tyllee

      Hello, could anyone confirm my setup, or is there something I've missed?

      Infrastructure
      LAN1
      LAN2
      LAN3
      LAN4
      Server1 (DNS port 53 at LAN1)
      pfSense (2.2.6 i386)
      Client1 (LAN2)

      This is what I want:
      Client1 (DNS request) --->LAN2 SWITCH--> pfSense --->LAN1 SWITCH----> Server1 (DNS port 53)

      Server1 (DNS answer) --->LAN1 SWITCH---->pfSense --->LAN2 SWITCH---->Client1 (DNS answer)

      Block ALL traffic from LAN2 to LAN3 and LAN4.
      I want to block all traffic from LAN2 to LAN1, but not DNS requests to Server1 at LAN1. Clients at LAN2 should get DNS from Server1 and then connect to the desired host at WAN.

      See attached pictures (FW_rules.jpg) for rule setup.

      How I get it to work:
      Client1 does not get a DNS answer. But if I allow all traffic from LAN2 to LAN1, then it works.

      How should I proceed?

      • Derelict LAYER 8 Netgate

        Is Client1 configured to use Server1 LAN1_IP as its DNS server?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • tyllee

          Yes, I can confirm that DNS is Server1 LAN1_IP. DNS is set up in LAN2 DHCP to be Server1 LAN1_IP.

          • Derelict LAYER 8 Netgate

            Then it should be working.

            Can you confirm that that's actually the DNS server client1 is trying to use?

            Use dig/drill on Client1 to send DNS queries directly to the server.

            • tyllee

              Ok, thank you for your help! Then I know that the firewall setup is correct. Will troubleshoot at the client.

              • johnpoz LAYER 8 Global Moderator

                You mention server lan1_ip ??  Does this server have interfaces in more than just lan??  It's quite possible you have some sort of asynchronous routing issue if you're using multihomed hosts??

                But yeah those rules are correct.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

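The policy the thread agrees on, written out as a pf ruleset as an added example (this is not the poster's actual rule set, which exists only in the attached image); interface names, subnets and Server1's address are constructed placeholders:

```pf
# Added example: pf.conf rendition of "block LAN2 -> LAN1/LAN3/LAN4, except DNS to Server1".
# Interface names, subnets and the Server1 address below are placeholders, not from the thread.
lan2_if  = "em2"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
lan3_net = "192.168.3.0/24"
lan4_net = "192.168.4.0/24"
server1  = "192.168.1.53"    # Server1 LAN1_IP (placeholder)

# pfSense evaluates LAN2 rules against traffic entering the firewall from LAN2,
# top to bottom, first match wins ("quick"). The narrow DNS allow therefore has
# to sit ABOVE the broad block of the LAN1 subnet, or it never gets a chance to match.

# 1. DNS to Server1 only. UDP carries normal queries; TCP is needed for truncated
#    (large) answers. "keep state" lets Server1's reply back to LAN2 without any
#    rule on the LAN1 interface, because the reply matches the existing state entry.
pass in quick on $lan2_if proto { udp, tcp } from $lan2_net to $server1 port 53 keep state

# 2. Everything else from LAN2 to LAN1, LAN3 and LAN4 is dropped. "log" records each
#    denied packet in the firewall log, which is how you see a client that is still
#    sending DNS to an address other than Server1.
block in log quick on $lan2_if from $lan2_net to { $lan1_net, $lan3_net, $lan4_net }

# 3. Whatever remains (traffic bound for WAN) is allowed.
pass in quick on $lan2_if from $lan2_net to any keep state
```

In the pfSense GUI these are the same three rules on the LAN2 tab in that order; a client that still fails with this in place is, as the thread concludes, using a different resolver or a multihomed server path the state entry does not cover.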
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.