SOLVED - PfBlockerNG DNSBL not blocking traffic on secondary LAN
-
Hi,
I have a Lan segment 192.168.2.1/24 on separate router that is then linked to PFSense through the gateway 192.168.1.1/24. The other LAN is directly connected to the pfsense router on gateway 192.168.3.1/24 . PfblockerNG blocks traffic using DNSBL list on the 192.168.3.1/24 but will not block traffic on the secondary lan segment 192.168.2.1/24 . I have tried to play around on with the DNSBL Firewall rule with no success. Although I noticed that no floating firewall rule is created PFBlockerNG. I've setup PFBlocker to block both direction.
Any help will be appreciated.
Thanks
-
DNSBL change the DNS Resolver to block DNS FQDN, it redirect the block domain name to 10.10.10.1 and provide a 1x1 Gif instead of the web page of the blocked site.
There is a component of DNSBL that will block IP contained in the DNSBL feeds, that's the only part that has to do with FW rules.
For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.
-
For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.
I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron ;D
I mean: how can I be sure/test my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP an IP to all clients (including static P's), or is there more to be done (like disabling services on the clients, for example (?)).
Thank you for any tips :P
-
@Mr.:
For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.
I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron ;D
I mean: how can I be sure/test my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP an IP to all clients (including static P's), or is there more to be done (like disabling services on the clients, for example (?)).
Thank you for any tips :P
Setup rules to redirect all DNS request to the local DNS
-
Firewall > NAT > Port Forward> Edit
-
Interface LAN
-
Protocal TCP/UDP
-
Click Invert match select LAN Address
-
Destination port range From Port DNS and to Port DNS
-
Redirect target IP 127.0.0.1
-
Redirect target port DNS
-
NAT reflection Use system default
-
Filter rule association Create new associated filter rule
-
Create rule that allows TCP/UDP from LAN net to LAN address on port 53
-
Create rule that allows TCP/UDP from This Firewall to Any on port 53
For example, if a device has 8.8.8.8 setup as its DNS server this rule says anything that is not the LAN address for the request to 127.0.0.1 from port 53 to port 53
Tony
-
-
@Mr.:
For DNSBL to work, all clients on all networks have to point to the DNS Resolver of the pfsense with DNSBL.
I'm trying to figure out the sentence to google for that actually gives relevant results so I can figure out what to do, Ron ;D
I mean: how can I be sure/test my Windows, Linux and Android stuff do what you wrote above? Is it simply a case of DHCP an IP to all clients (including static P's), or is there more to be done (like disabling services on the clients, for example (?)).
Thank you for any tips :P
Setup rules to redirect all DNS request to the local DNS
-
Firewall > NAT > Port Forward> Edit
-
Interface LAN
-
Protocal TCP/UDP
-
Click Invert match select LAN Address
-
Destination port range From Port DNS and to Port DNS
-
Redirect target IP 127.0.0.1
-
Redirect target port DNS
-
NAT reflection Use system default
-
Filter rule association Create new associated filter rule
-
Create rule that allows TCP/UDP from LAN net to LAN address on port 53
-
Create rule that allows TCP/UDP from This Firewall to Any on port 53
For example, if a device has 8.8.8.8 setup as its DNS server this rule says anything that is not the LAN address for the request to 127.0.0.1 from port 53 to port 53
Tony
I am lost on last 2. Is the 2nd last one created under Firewall rules-lan
and the last one is firewall rules-floating,Thanks for sharing,
regards,
boatingdude -
