Allow WAN access to DNS



  • 2.3.2-RELEASE-p1 (amd64)

    I have a remote site who gets Internet connectivity and VoIP service from Verizon Wireless.  It's a metered wireless connection - each site gets 20GB/mo.  Some of the sites burn through the data in 2 weeks.  The locally installed Verizon 4G LTE broadband router (Novatel T1114) doesn't have whitelist MAC filtering on the physical ports - meaning I can't block all but allow just the few I want.  ?!  Anyway, I need to stop the extracurricular activity that is costing a small fortune per month in this region.  I've located an alternate 4G LTE broadband router and it should be arriving in about two weeks.  Wireless has been disabled, router password changed.  Each property has two Ethernet devices: a POS computer and a Windows Surface tablet in Kiosk mode.

    So, for the interim, I know I can assign DNS servers to the existing Verizon gateway.  If I program the devices to do DNS lookups to my local pfSense, can I create a whitelist of sites that I approve?  Then if the site isn't approved, the DNS returns a 127.0.0.1 or whatever address?  Is my thinking flawed?  I don't think I'd be able to see the local MAC address of the device once it hits the pfSense but at least I'll be able to see the IP something is trying to go to.  Right?

    Any other/better ideas on a temp solution?

    Thanks
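    The DNS-whitelist idea in the question above, written out as an added example (this is not code from the thread or from pfSense): a small UDP resolver front-end that forwards queries for approved names to an upstream resolver and answers everything else with A 127.0.0.1, logging the client IP and the name it asked for. The whitelist entries, the sinkhole address and the upstream resolver are assumptions. Note the limit a practitioner would want stated: this only constrains clients that actually send their lookups here; a device with a hard-coded IP or its own DNS server never touches it, which is why the proxy-plus-firewall-rule approach in the replies below is the tighter control.

```python
import socket
import struct

# Constructed whitelist of approved domains (assumption; replace with the real vendor names).
WHITELIST = {"pos-vendor.example", "kiosk-vendor.example"}
SINKHOLE_IP = "127.0.0.1"  # address handed back for anything not on the whitelist


def parse_qname(packet, offset=12):
    """Return (qname, offset after the name). Query questions carry uncompressed names."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_allowed(qname, whitelist=WHITELIST):
    """True for an approved name or any subdomain of one (label-boundary match)."""
    return any(qname == d or qname.endswith("." + d) for d in whitelist)


def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard A query; used for tests and as a reference for the wire layout."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def sinkhole_response(query):
    """Answer the query with A 127.0.0.1 (A queries) or an empty NOERROR (other types)."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    _, qend = parse_qname(query)
    qtype = struct.unpack("!H", query[qend:qend + 2])[0]
    question = query[12:qend + 4]
    resp_flags = 0x8480 | (flags & 0x0100)  # QR, AA, RA; copy RD from the query
    if qtype != 1:
        return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    # Answer RR: name pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4
    rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return header + question + answer


def handle(query):
    """Decide for one raw query: ("forward", qname) or ("sinkhole", response_bytes)."""
    qname, _ = parse_qname(query)
    if is_allowed(qname):
        return "forward", qname
    return "sinkhole", sinkhole_response(query)


def serve(upstream, bind=("0.0.0.0", 53)):
    """Minimal UDP loop: forward allowed names to `upstream`, sinkhole the rest.
    `upstream` is an (ip, port) tuple for the real resolver (assumption: it is reachable)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, client = sock.recvfrom(512)
        try:
            action, payload = handle(query)
        except (ValueError, IndexError, struct.error):
            continue  # malformed query: drop it rather than guess
        if action == "sinkhole":
            print(f"BLOCKED {client[0]} asked for {parse_qname(query)[0]}")
            sock.sendto(payload, client)
            continue
        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        up.settimeout(3)
        try:
            up.sendto(query, upstream)
            sock.sendto(up.recvfrom(512)[0], client)
        except socket.timeout:
            pass  # upstream unreachable: client will retry
        finally:
            up.close()
```

    Run it with `serve(("UPSTREAM_RESOLVER_IP", 53))` on a host the two devices point their DNS at; the BLOCKED lines give you exactly the view the question asks for (which IP tried to resolve what), since the client IP is all that survives once traffic crosses the gateway. It handles UDP only, so a client that falls back to DNS over TCP is not covered.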



  • If I program the devices to do DNS lookups to my local pfSense, can I create a whitelist of sites that I approve?

    You could do this with squid + squidguard.  Configure squid in explicit (non-transparent) mode.  Cache can be minimal or null since you're just using it to filter.  Set the clients to use the proxy.  Configure squidguard with a whitelist and a default ACL set to deny all except the whitelist.  Delete the Default Allow LAN to Any rule on your LAN firewall rules.  Done.



  • You could do this with squid + squidguard.  Configure squid in explicit (non-transparent) mode.  Cache can be minimal or null since you're just using it to filter.  Set the clients to use the proxy.  Configure squidguard with a whitelist and a default ACL set to deny all except the whitelist.  Delete the Default Allow LAN to Any rule on your LAN firewall rules.  Done.

    can I have the users on my LAN not be affected by the squid non-transparent proxy (I'm trying to avoid noticed changes on my LAN)?  Can I have LAN use one DNS instance and then incoming WAN DNS lookups/squid assigned to another instance?

    thanks



  • can I have the users on my LAN not be affected by the squid non-transparent proxy

    What users?  I thought you had a PC-register and a tablet and that was it.  The proxy only affects web traffic, and you don't want them going anywhere except where you allow so I'm not sure what effect you're thinking of.

    Can I have LAN use one DNS instance and then incoming WAN DNS lookups/squid assigned to another instance?

    Eh?  You want a separate DNS for LAN and one for squid?  What problem would that solve?

