Netgate Discussion Forum
    DHCP range blocked from access to WAN, but need open for a few sites

    Firewalling
    5 Posts 2 Posters 4.3k Views
    Oceanwatcher

      First of all, I am not an English native speaker, so my searches might have been for the wrong words.

      I have been scratching my head, reading the manual, searching the forum. But no matter what I try, I cannot get it to work the way I want.

      The hardware is a rack mount appliance from SuperMicro using Intel(R) Atom(TM) CPU C2758 @ 2.40GHz with 8 CPUs: 1 package(s) x 8 core(s) and running pfSense 2.3.2-RELEASE (amd64) built on Tue Jul 19 12:44:43 CDT 2016 FreeBSD 10.3-RELEASE-p5.

      The last rule I have before the "Default allow LAN to any" rule is a rule that blocks the DHCP range access to "any". It is the only way I have been able to get it working.

      But I need to let the computers in the DHCP range access a few specific servers on the internet. And I have a few "pass" rules at the very top of the list. But I am not able to get out.

      Rule:

      Action: Pass
      Interface: LAN
      Address family: IPv4
      Protocol: TCP/UDP
      Source LAN net
      Destination: Single host or alias - Alias with only one FQDN (not IP address)
      Destination port range: any

      DNS forwarder is on, DNS resolver is off.

      I also have a different problem, but I suspect it is related - I cannot reach the pfSense NTP server from computers on LAN.

      Do you spot any obvious problems in my setup?

      Regards,

      Oceanwatcher
      2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

      KOM

        By default, all LAN clients have full access to everything. You want DHCP users to only access specific sites? Can you please provide a screenshot of your LAN rules? You can embed images directly here in the forum without linking to an external site. If the sites in question are large, CDN-hosted sites (think YouTube, Facebook, Microsoft etc.) with many IP addresses for the one domain, then you will have a problem with DNS, since pfSense and the LAN client can have different ideas on the IP address for a domain.

        You could also accomplish the same task by using squid & squidguard for caching/URL filtering.

        Oceanwatcher

          Do you want a screenshot of all rules or just the ones in question? Or the list of rules?

          Regards,

          Oceanwatcher
          2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

          Oceanwatcher

            And btw - the sites I want to open are for software updates. Facebook etc. are sites we want to block :-)

            The sites in question do change IP now and then, so it is not possible to use one IP address.

            Regards,

            Oceanwatcher
            2x SuperMicro 8core w/ 8 GB RAM running v. 2.3.1 - will eventually set them up with failover

            KOM

              Or the list of rules?

              The entire list, please. As we like to say here, show us what you have done instead of telling us what you think you have done.

              The sites in question do change IP now and then

              It's not now & then, it's literally every time you resolve the FQDN. The large sites have many IP addresses in a pool that get served in a round-robin fashion for load-balancing purposes. That's why you will have a hard time blocking sites based on IP addresses unless you have a comprehensive list of those addresses. URL filtering via squid+squidguard may be a better way to go. pfBlockerNG also does this I believe.

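The rule set described in the first post (pass rules to an FQDN alias on top, then a block of the DHCP range to any, then the default allow) and the DNS mismatch KOM describes can be put side by side in a small simulation. The following is an added example, not code from the thread or from pfSense: it models pfSense's top-down, first-match evaluation of LAN rules and shows what happens when the firewall's alias table (the addresses pfSense resolved for the FQDN) does not contain the address the client itself resolved. The LAN subnet, DHCP pool, hostname and all IP addresses are constructed for illustration, and protocol and port matching are left out because they do not affect the point.

```python
"""
Constructed simulation of pfSense first-match LAN rule evaluation with an
FQDN alias. Not pfSense code; every address and name below is made up.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple
import ipaddress

# Constructed network layout (assumption, not taken from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DHCP_RANGE = ipaddress.ip_network("192.168.1.128/25")   # the "DHCP range" of the thread


@dataclass(frozen=True)
class Rule:
    action: str                               # "pass" or "block"
    source: ipaddress.IPv4Network             # source network the rule matches
    dest: Optional[FrozenSet[str]]            # resolved alias addresses, None means "any"
    name: str


def first_match(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Walk the rules top-down and return (action, rule name) of the first rule
    that matches; with no match the implicit default is to block."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if src_ip not in rule.source:
            continue
        if rule.dest is not None and dst not in rule.dest:
            continue
        return rule.action, rule.name
    return "block", "implicit default deny"


def build_rules(alias_addresses: FrozenSet[str]) -> List[Rule]:
    """The order described in the thread: pass-to-alias rule on top, then the
    block of the DHCP range to any, then 'Default allow LAN to any'.
    alias_addresses is whatever the firewall resolved the FQDN alias to."""
    return [
        Rule("pass", LAN_NET, alias_addresses, "pass LAN net -> UpdateServer alias"),
        Rule("block", DHCP_RANGE, None, "block DHCP range -> any"),
        Rule("pass", LAN_NET, None, "Default allow LAN to any"),
    ]


def simulate(firewall_resolution, client_resolution: str, client_ip: str) -> Tuple[str, str]:
    """firewall_resolution: addresses pfSense put in the alias table.
    client_resolution: the single A record the client got for the same name.
    Returns the verdict for a packet from client_ip to client_resolution."""
    rules = build_rules(frozenset(firewall_resolution))
    return first_match(rules, client_ip, client_resolution)


def dns_agrees(firewall_resolution, client_resolution: str) -> bool:
    """True only if the client's answer is one the firewall also holds; for a
    round-robin pool this is the condition the pass rule silently depends on."""
    return client_resolution in frozenset(firewall_resolution)


if __name__ == "__main__":
    # Constructed: the firewall resolved updates.example.com to two records,
    # the DHCP client's own lookup returned a third one from the same pool.
    fw = {"198.51.100.10", "198.51.100.11"}
    for client_ip, client_answer in [("192.168.1.200", "198.51.100.12"),
                                     ("192.168.1.200", "198.51.100.10"),
                                     ("192.168.1.10", "198.51.100.12")]:
        verdict, rule = simulate(fw, client_answer, client_ip)
        print(f"{client_ip} -> {client_answer}: {verdict} ({rule}); "
              f"DNS agrees: {dns_agrees(fw, client_answer)}")
```

The first case is the failure from the thread: the DHCP client's answer is not in the alias table, the pass rule does not match, and the next rule (block DHCP range to any) drops the connection. The second case shows the same client succeeding when both sides happen to resolve to the same record, which is why the behaviour looks intermittent. The third case shows a statically addressed host outside the DHCP range reaching the default allow regardless, so it never notices the mismatch. When reviewing such a rule set, `dns_agrees` is the condition to check: a pass rule keyed on an FQDN alias only works when the client's resolution is guaranteed to land in the firewall's table, which round-robin DNS does not guarantee.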
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.