Netgate Discussion Forum

Can pfSense do this better than a Edgerouter

General pfSense Questions
24 Posts 6 Posters 2.4k Views
  • N
    nickehallgren
    last edited by Jun 19, 2021, 8:14 AM

    Hi everyone,

    I am a total newbie to pfSense. I've read some of the documentation, but I'm still unsure whether pfSense can make my work easier. If the problems/challenges below can be solved with pfSense, I am ready to replace the Edgerouter.

    To make a long story short, I have an Edgerouter in a university department that routes and firewalls 5 VLANs from the rest of the university network. Some of the VLANs are totally blocked from accessing anything outside the VLAN; others have some access to the outside.

    The problems I am facing are two: I need to enable traffic for using Adobe products on one of the VLANs, and also access to other servers in the university network like DNS, Samba, etc.

    I now have a whitelist of domain names that I run every hour (on the Edgerouter) to convert them to IPs for the firewall. That works great, but some of the domain names are wildcards, and that doesn't work, of course. At the moment I am doing tcpdumps every now and then to find out which domain names are required and updating the whitelist manually. Can this be done more easily with pfSense?

    The other problem is the fact that some cloud services (for example fonts.googleapis.com) are randomly changing IPs (load balancing), meaning that the IP opened in the firewall might not match the IP the DNS sends to the client 30 seconds later. This results in long loading times for users until the loading of the font times out. Is this solvable with pfSense?

    Thanks in advance!
    Regards,
    Nicke

    N 1 Reply Last reply Jun 19, 2021, 5:08 PM Reply Quote 0
    • N
      NollipfSense @nickehallgren
      last edited by Jun 19, 2021, 5:08 PM

      @nickehallgren What you have described can be resolved with pfSense along with pfBlockerNG-Devel package.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      N 1 Reply Last reply Jun 19, 2021, 6:01 PM Reply Quote 1
      • N
        nickehallgren @NollipfSense
        last edited by Jun 19, 2021, 6:01 PM

        @nollipfsense Sounds great, got any links to examples/tutorials on this subject?

        D 1 Reply Last reply Jun 19, 2021, 6:13 PM Reply Quote 0
        • D
          DaddyGo @nickehallgren
          last edited by Jun 19, 2021, 6:13 PM

          @nickehallgren said in Can pfSense do this better than a Edgerouter:

          got any links to examples/tutorials on this subject?

          Hi,

          Although it's pretty broad, we'll start here and help you if you get stuck 😉

          https://docs.netgate.com/pfsense/en/latest/

          and pfBlockerNG

          https://www.vikash.nl/setup-pfblockerng-python-mode-with-pfsense/

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          N 1 Reply Last reply Jun 19, 2021, 8:13 PM Reply Quote 1
          • N
            nickehallgren @DaddyGo
            last edited by Jun 19, 2021, 8:13 PM

            @daddygo Thank you, I'll read up and setup a machine to play around. I'm sure I'll need some advice later on. Thanks for fast and informative answers.

            N 1 Reply Last reply Aug 13, 2021, 8:09 AM Reply Quote 0
            • N
              nickehallgren @nickehallgren
              last edited by Aug 13, 2021, 8:09 AM

              Ok, so now I have pfSense up and running with multiple VLANs. Everything works perfectly, so now I installed pfblockerng-devel and added a VLAN for testing. In this VLAN I want to only allow access to a few IP ranges and some domains. The domains are wildcard domains as well as domains that have multiple IPs (that change a lot) like fonts.googleapis.com.

              I read https://www.vikash.nl/setup-pfblockerng-python-mode-with-pfsense/ and many other guides for pfBlockerNG, but they all feel like overkill for what I need.

              The problem is the wildcard domains, as they do not work in aliases, and then the fast-changing IPs for other domains. Any suggestions on how to do this?

              1 Reply Last reply Reply Quote 0
              • S
                stephenw10 Netgate Administrator
                last edited by Aug 13, 2021, 5:43 PM

                Unless you use DNS-based filtering, pfSense is a layer 3 filter. It filters based on IPs.

                So you need to convert those into IP lists which is what pfBlocker can help with. It will create aliases from IP lists pulled remotely or ASNs. You can then use those aliases in firewall rules to block or allow traffic as required.

                Steve

                N 1 Reply Last reply Aug 13, 2021, 7:28 PM Reply Quote 0
                • N
                  nickehallgren @stephenw10
                  last edited by Aug 13, 2021, 7:28 PM

                  @stephenw10 Yes, that I understand, but all examples I found are for blocking domains.

                  The idea I have is to block all access from the VLAN with a FW rule and allow with pfBlocker (with floating rules). Is that even possible? And how would that be done?

                  A 1 Reply Last reply Aug 13, 2021, 8:28 PM Reply Quote 0
                  • A
                    ahking19 @nickehallgren
                    last edited by Aug 13, 2021, 8:28 PM

                    @nickehallgren take a look at aliases under Firewall menu.
                    You can reference aliases in firewall rules.
                    https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html

                    1 Reply Last reply Reply Quote 0
                    • S
                      stephenw10 Netgate Administrator
                      last edited by Aug 13, 2021, 11:08 PM

                      You can block or allow whatever you can create aliases for; you just need the rules in the correct order.

                      N 1 Reply Last reply Aug 14, 2021, 6:31 AM Reply Quote 0
                      • N
                        nickehallgren @stephenw10
                        last edited by nickehallgren Aug 14, 2021, 6:39 AM Aug 14, 2021, 6:31 AM

                        @stephenw10 Ok, I must be missing something, as I just don't understand.

                        I know how aliases work; I use them a lot in my FW rules. I'll try to rephrase.

                        I have a VLAN (testing):

                        I now have one rule that is blocking everything (and if I understand correctly that is the default behavior, so I would not need it).
                        Now I want to allow destinations to 193.166.31.0/24 (just an example), and I place it before the block rule.

                        This is where the problems start. I have, for example, fonts.googleapis.com that I can add to an alias, but I know it won't work for long. In a few seconds the clients get another IP than the one the alias is pointing to. How do I make this work every time for the clients?

                        Next, I'll need to allow access to Adobe servers (only listing a few): (hmm, I can't post the URLs as code as it tells me the post is spam, but there are stars before .license, after -web-prod-, before .elbs.amazonaws, and before and after s3 in the last line)

                        .licenses.adobe.com
                        gocart-web-prod-
                        .elb.amazonaws.com
                        s3.amazonaws.com

                        These can't be done with aliases, so how can I fix this?

                        Yes, people say that I should use pfBlockerNG, but can someone explain how that is achieved? I have now set up pfBlockerNG as in this guide all the way to "Enable some IP feeds" (skipped MaxMind GeoIP as I don't need it). As I only want to allow a few addresses, this seems totally useless, or?

                        Can someone explain in more steps how this is done, as I do not seem to understand from the guides/links I found.

                        Thanks in advance!

                        J 1 Reply Last reply Aug 14, 2021, 12:47 PM Reply Quote 0
                        • J
                          johnpoz LAYER 8 Global Moderator @nickehallgren
                          last edited by Aug 14, 2021, 12:47 PM

                          @nickehallgren said in Can pfSense do this better than a Edgerouter:

                          In a few seconds the clients get another ip than the one the alias is pointing to.

                          How is that? They should be using pfSense for DNS, which would mean they would get what pfSense has for that FQDN in its cache, which should in theory match up with what is in the alias. Now sure, if the alias is only updated every 5 minutes and the TTL of said record is less than 5 minutes, you could run into an out-of-sync condition.

                          But yes, if you're going to point clients to something other than pfSense for DNS, those differences could be exaggerated.

                          Your * star entries are wildcards. You can do that with pfBlocker, using the TLD feature, where you can block or allow subdomains.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          N 1 Reply Last reply Aug 14, 2021, 6:42 PM Reply Quote 0
                          • S
                            stephenw10 Netgate Administrator
                            last edited by Aug 14, 2021, 3:46 PM

                            If you're filtering using DNS in pfBlocker (or directly in Unbound), this is all much easier because you can just use domains etc. directly.
                            To filter by IP using firewall rules you need to have pfBlocker create aliases to use. To do that you need to have a 'feed' that contains updating lists for the IPs you need, and that is the difficult part.
                            pfBlocker can create aliases from ASNs, which is usually 'good enough' to make Netflix or Facebook unusable. Some companies maintain their own lists for exactly this, like Cloudflare. Much easier in that case.

                            Steve

                            N 1 Reply Last reply Aug 14, 2021, 6:45 PM Reply Quote 0
                            • N
                              nickehallgren @johnpoz
                              last edited by Aug 14, 2021, 6:42 PM

                              @johnpoz I'm forcing all clients to use Unbound by port forwarding the DNS port as in this guide. I must investigate this a bit more when I am in the office on Monday. I'll take a look at the TLD feature too, thanks!

                              1 Reply Last reply Reply Quote 0
                              • N
                                nickehallgren @stephenw10
                                last edited by Aug 14, 2021, 6:45 PM

                                @stephenw10 I am using unbound, did you mean using TLD as @johnpoz mentioned above?

                                1 Reply Last reply Reply Quote 0
                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Aug 15, 2021, 4:00 PM

                                  Yes, if you're filtering by DNS you can use the TLD feature in pfBlocker/DNS-BL to catch wildcard type requests like that.

                                  N 1 Reply Last reply Aug 16, 2021, 1:47 PM Reply Quote 0
                                  • N
                                    nickehallgren @stephenw10
                                    last edited by Aug 16, 2021, 1:47 PM

                                    @stephenw10 Ok, so I now tried to block one domain (yahoo.com) under DNSBL->DNSBL Groups->Add->Action Unbound->DNSBL Custom_list->yahoo.com->Save

                                    and that works. But now I noticed that it blocks yahoo.com on all VLANs... I googled around and found that I should add some custom options under DNS Resolver. I've tried this, but it didn't make any difference (I also tried a version with the include last under view dnsbl).

                                    server:
                                        access-control-view: 10.0.1.0/24 bypass
                                        access-control-view: 10.0.10.0/24 bypass
                                        access-control-view: 10.0.20.0/24 bypass
                                        access-control-view: 10.0.30.0/24 bypass
                                        access-control-view: 10.0.40.0/24 bypass
                                        access-control-view: 10.0.100.0/24 bypass
                                        access-control-view: 10.0.101.0/24 dnsbl
                                        include: /var/unbound/pfb_dnsbl.*conf
                                    view:
                                        name: "bypass"
                                        view-first: yes
                                    view:
                                        name: "dnsbl"
                                        view-first: yes
                                    

                                    I only want DNSBL to be active on the 101 net before I can continue to test the setup.

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Aug 16, 2021, 4:15 PM

                                      You might find it easier to not use Unbound at all on the other interfaces. You can pass external DNS servers via DHCP there, or run DNSMasq on a different port for use with port forwards on those interfaces. Or the opposite on the 101 VLAN.

                                      It should be possible to do it using views in Unbound though.

                                      Steve

                                      N 1 Reply Last reply Aug 16, 2021, 6:45 PM Reply Quote 0
                                      • N
                                        nickehallgren @stephenw10
                                        last edited by Aug 16, 2021, 6:45 PM

                                        @stephenw10 Ok, the views solution would have been easier, but I'll try that. Thank you!

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Aug 16, 2021, 10:10 PM

                                          You can use views. You need to move the DNSBL include into the dnsbl view, so something like:

                                          server:
                                              access-control-view: 10.0.1.0/24 bypass
                                              access-control-view: 10.0.10.0/24 bypass
                                              access-control-view: 10.0.20.0/24 bypass
                                              access-control-view: 10.0.30.0/24 bypass
                                              access-control-view: 10.0.40.0/24 bypass
                                              access-control-view: 10.0.100.0/24 bypass
                                              access-control-view: 10.0.101.0/24 dnsbl
                                          
                                          view:
                                              name: "bypass"
                                              view-first: yes
                                          view:
                                              name: "dnsbl"
                                              view-first: yes
                                              include: /var/unbound/pfb_dnsbl.*conf
                                          

                                          There are a few threads on setting this sort of thing up.

                                          Steve

                                          N 1 Reply Last reply Aug 17, 2021, 5:22 AM Reply Quote 0
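Added example, not code from the thread, pfSense or pfBlockerNG: a small linter for the Unbound views snippet discussed above. It flags the mistake in the first attempt (the pfb_dnsbl include under "server:", which makes every VLAN subject to DNSBL) and reports which access-control-view subnets an include actually scopes to once it sits inside a view. The two snippets are constructed from the thread's config, trimmed to two subnets, and the parser assumes IPv4 subnets and the four-space layout pfBlockerNG users paste into Custom options.

```python
# Added example, not from the thread or pfBlockerNG: a linter for the Unbound
# views snippet discussed above.  It flags a DNSBL include under "server:"
# (filters every VLAN) and reports which subnets a view-scoped include covers.

def parse_views(text):
    """Return (server_includes, acl_map, views) from an Unbound snippet (IPv4 only)."""
    server_includes, acl_map, views = [], {}, {}   # views: name -> include paths
    section = view = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("server:", "view:"):           # clause header
            section, view = line[:-1], None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if section == "server" and key == "access-control-view":
            subnet, _, name = value.partition(" ") # "<subnet> <viewname>"
            acl_map[subnet] = name.strip()
        elif section == "server" and key == "include":
            server_includes.append(value)          # applies to ALL clients
        elif section == "view" and key == "name":
            view = value.strip('"')
            views.setdefault(view, [])
        elif section == "view" and key == "include" and view:
            views[view].append(value)              # applies only to this view
    return server_includes, acl_map, views

def check_dnsbl_scope(text, marker="pfb_dnsbl"):
    """Return (problems, subnets_filtered); empty problems means per-view only."""
    server_inc, acl_map, views = parse_views(text)
    problems = []
    if any(marker in p for p in server_inc):
        problems.append("DNSBL include under server: applies to ALL clients")
    for subnet, name in acl_map.items():
        if name not in views:
            problems.append(f"{subnet} references undefined view '{name}'")
    filtered = sorted(s for s, n in acl_map.items()
                      if any(marker in p for p in views.get(n, [])))
    return problems, filtered

INCLUDE = "    include: /var/unbound/pfb_dnsbl.*conf\n"
# Constructed: the thread's first attempt (two subnets kept), include under server:
BROKEN = ("server:\n"
          "    access-control-view: 10.0.1.0/24 bypass\n"
          "    access-control-view: 10.0.101.0/24 dnsbl\n" + INCLUDE +
          'view:\n    name: "bypass"\n    view-first: yes\n'
          'view:\n    name: "dnsbl"\n    view-first: yes\n')
# Constructed: the corrected layout, include moved to the end of the dnsbl view
FIXED = BROKEN.replace(INCLUDE, "") + INCLUDE

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_dnsbl_scope(cfg))
```

Run it on the snippet you are about to paste into DNS Resolver > Custom options; only the subnets listed in the second return value will see DNSBL answers, which is the per-VLAN behaviour the thread was after.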
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.