Netgate Discussion Forum
    SOLVED - PfBlockerNG DNSBL not blocking traffic on secondary LAN

    Category: pfBlockerNG
    5 Posts, 5 Posters, 3.9k Views
    • toyinal

      Hi,

      I have a LAN segment 192.168.2.1/24 on a separate router that is then linked to pfSense through the gateway 192.168.1.1/24. The other LAN is directly connected to the pfSense router on gateway 192.168.3.1/24. pfBlockerNG blocks traffic using the DNSBL list on the 192.168.3.1/24 but will not block traffic on the secondary LAN segment 192.168.2.1/24. I have tried to play around with the DNSBL firewall rule with no success, although I noticed that no floating firewall rule is created by pfBlockerNG. I've set up pfBlocker to block both directions.

      Any help will be appreciated.

      Thanks

      • RonpfS

        DNSBL changes the DNS Resolver to block DNS FQDNs: it redirects the blocked domain name to 10.10.10.1 and provides a 1x1 GIF instead of the web page of the blocked site.

        There is a component of DNSBL that will block IPs contained in the DNSBL feeds; that's the only part that has to do with FW rules.

        For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfSense with DNSBL.

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        • Mr. Jingles

          @RonpfS:

          For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.

          I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron  ;D

          I mean: how can I be sure/test that my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP handing an IP to all clients (including static IPs), or is there more to be done (like disabling services on the clients, for example)?

          Thank you for any tips  :P

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          • tonymorella

            @Mr. Jingles:

            Setup rules to redirect all DNS requests to the local DNS:

            • Firewall > NAT > Port Forward > Edit
            • Interface: LAN
            • Protocol: TCP/UDP
            • Click Invert match, select LAN Address
            • Destination port range: From Port DNS, To Port DNS
            • Redirect target IP: 127.0.0.1
            • Redirect target port: DNS
            • NAT reflection: Use system default
            • Filter rule association: Create new associated filter rule
            • Create a rule that allows TCP/UDP from LAN net to LAN address on port 53
            • Create a rule that allows TCP/UDP from This Firewall to Any on port 53

            For example, if a device has 8.8.8.8 set up as its DNS server, this rule redirects any request that is not to the LAN address to 127.0.0.1, from port 53 to port 53.

            Tony

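RonpfS's point (DNSBL answers a blocked name with the 10.10.10.1 sinkhole) and Tony's port-53 redirect both come down to one test from a client's point of view: does a query for a blocked domain come back as the sinkhole, and does that still hold when the client asks an outside resolver directly? The following Python checker is an added example, not from the thread; it assumes 192.168.3.1 is the pfSense LAN address as in the original post, uses 8.8.8.8 as the outside resolver to exercise the redirect rule, and expects you to pass a domain you know is on one of your DNSBL feeds.

```python
import socket
import struct

DNSBL_VIP = "10.10.10.1"  # DNSBL sinkhole address quoted in the thread

def build_query(name, txid=0x1234):
    # 12-byte header (RD=1, one question) followed by one A/IN question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a domain name; a compression pointer (0xC0..) ends it
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def classify(addrs):
    # "sinkholed": DNSBL answered; "resolved": the real address came back
    if not addrs:
        return "no-answer"
    return "sinkholed" if all(a == DNSBL_VIP for a in addrs) else "resolved"

def query(server, name):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_a_records(data))

if __name__ == "__main__":
    import sys
    # argv[1]: a domain on your DNSBL feed; 192.168.3.1 = OP's pfSense LAN, 8.8.8.8 = bypass test
    for server in ("192.168.3.1", "8.8.8.8"):
        print(server, query(server, sys.argv[1]))
```

If the LAN resolver reports "sinkholed" but 8.8.8.8 reports "resolved", the client can still bypass DNSBL and the redirect rule is not in effect on that segment (for the OP, that is the 192.168.2.x network behind the second router).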
            • molykule

              @tonymorella:

              I am lost on the last 2. Is the 2nd last one created under Firewall > Rules > LAN and the last one under Firewall > Rules > Floating?

              Thanks for sharing,
              regards,
              boatingdude

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.