DHCP range blocked from access to WAN, but need open for a few sites

  • First of all, I am not an English native speaker, so my searches might have been for the wrong words.

    I have been scratching my head, reading the manual, searching the forum. But no matter what I try, I cannot get it to work the way I want.

    The hardware is a rack mount appliance from SuperMicro using Intel(R) Atom(TM) CPU C2758 @ 2.40GHz with 8 CPUs: 1 package(s) x 8 core(s) and running pfSense 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5.

    The last rule I have before the "Default allow LAN to any" rule is a rule that blocks the DHCP range access to "any". It is the only way I have been able to get it working.

    But I need to let the computers in the DHCP range access a few specific servers on the internet. And I have a few "pass" rules at the very top of the list. But I am not able to get out.

    Action: Pass
    Interface: LAN
    Address family: IPv4
    Protocol: TCP/UDP
    Source: LAN net
    Destination: Single host or alias - Alias with only one FQDN (not IP address)
    Destination port range: any

    DNS forwarder is on, DNS resolver is off.

    I also have a different problem, but I suspect it is related - I cannot reach the pfSense NTP server from computers on LAN.

    Do you spot any obvious problems in my setup?

  • By default, all LAN clients have full access to everything.  You want DHCP users to only access specific sites?  Can you please provide a screenshot of your LAN rules?  You can embed images directly here in the forum without linking to an external site.  If the sites in question are large, CDN-hosted sites (think YouTube, Facebook, Microsoft etc) with many IP addresses for the one domain then you will have a problem with DNS since pfSense and the LAN client can have different ideas on the IP address for a domain.

    You could also accomplish the same task by using squid & squidguard for caching/URL filtering.

  • Do you want a screenshot of all rules or just the ones in question? Or the list of rules?

  • And btw - the sites I want to open up for are for software updates. Facebook etc. are sites we want to block :-)

    The sites in question do change IP now and then, so it is not possible to use one IP address.

  • The entire list, please.  As we like to say here, show us what you have done instead of telling us what you think you have done.

    It's not now & then, it's literally every time you resolve the FQDN.  The large sites have many IP addresses in a pool that get served in a round-robin fashion for load-balancing purposes.  That's why you will have a hard time blocking sites based on IP addresses unless you have a comprehensive list of those addresses. URL filtering via squid+squidguard may be a better way to go.  pfBlockerNG also does this I believe.
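The mismatch the replies above describe (the firewall and the LAN client resolving the same FQDN to different addresses, so a "pass to FQDN alias" rule only sometimes matches) can be made concrete with a small simulation. This is an added example, not code from the thread or from pfSense, and it is a deliberately simplified model: one authoritative DNS server hands out addresses from a pool in round-robin order, the firewall re-resolves its alias at a fixed interval and keeps only the latest answer (or, optionally, every answer it has ever seen, the "comprehensive list" mentioned above), and the client resolves the name again for every connection. The hostname `updates.example.test`, the refresh interval and the 203.0.113.0/24 addresses are constructed for the example.

```python
"""Why a firewall rule keyed on an FQDN alias lets only some connections through.

Added example (not from the forum thread or from pfSense). Simplified model:
  - RoundRobinZone: authoritative server returning one address per query, in rotation
  - FqdnAlias:      firewall alias re-resolved every `refresh_every` ticks
  - the client:     resolves the name again for every connection
All names, addresses and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class RoundRobinZone:
    """Authoritative server for one name; each query gets the next address in the pool."""
    name: str
    pool: List[str]
    cursor: int = 0

    def resolve(self, qname: str) -> str:
        if qname != self.name:
            raise KeyError(f"no such name: {qname}")
        ip = self.pool[self.cursor % len(self.pool)]
        self.cursor += 1
        return ip


@dataclass
class FqdnAlias:
    """Firewall alias that re-resolves its FQDN every `refresh_every` ticks."""
    fqdn: str
    refresh_every: int
    keep_history: bool = False          # True: remember every address ever returned
    addresses: Set[str] = field(default_factory=set)
    last_refresh: Optional[int] = None

    def refresh(self, zone: RoundRobinZone, now: int) -> None:
        due = self.last_refresh is None or now - self.last_refresh >= self.refresh_every
        if not due:
            return
        ip = zone.resolve(self.fqdn)
        if self.keep_history:
            self.addresses.add(ip)
        else:
            self.addresses = {ip}       # only the most recent answer is in the table
        self.last_refresh = now


def rule_permits(alias: FqdnAlias, dst_ip: str) -> bool:
    """A 'pass to alias' rule matches only if the destination is in the alias table right now."""
    return dst_ip in alias.addresses


def simulate(pool: List[str], refresh_every: int, ticks: int,
             keep_history: bool = False) -> Tuple[int, int]:
    """Run `ticks` client connections, one per tick; return (passed, blocked) counts."""
    name = "updates.example.test"                       # constructed hostname
    zone = RoundRobinZone(name, list(pool))
    alias = FqdnAlias(name, refresh_every, keep_history)
    passed = blocked = 0
    for now in range(ticks):
        alias.refresh(zone, now)        # firewall's periodic re-resolution
        dst = zone.resolve(name)        # client resolves again for this connection
        if rule_permits(alias, dst):
            passed += 1
        else:
            blocked += 1
    return passed, blocked


# Constructed pool: four addresses served round-robin for the one name.
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

if __name__ == "__main__":
    scenarios = [
        ("last answer only ", POOL, {}),
        ("keep every answer", POOL, {"keep_history": True}),
        ("single address   ", POOL[:1], {}),
    ]
    for label, pool, kw in scenarios:
        p, b = simulate(pool, refresh_every=5, ticks=20, **kw)
        print(f"{label}: {p} passed, {b} blocked out of {p + b}")
```

With the constructed four-address pool, a refresh every 5 ticks and 20 client connections, the rule passes 4 connections and blocks 16 when the alias keeps only its last answer; remembering every answer raises that to 7 of 20 but still misses addresses the firewall has not happened to see, and only a single-address name (or a complete, static list of the pool) passes every connection. That is the "comprehensive list of those addresses" point from the reply above in numbers.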

