DNSBL clients via IPsec VPN



  • I'm having trouble getting DNSBL to work on client PCs connected via IPsec.

    I have a Windows DC that is providing DNS to all client PCs, so I configured the DNS Resolver in pfSense and the Windows DNS forwards DNS requests to pfSense. This is working fine, and on all the PCs connected to the local network (LAN) DNSBL works fine: blocked domains are resolved to 10.10.10.1 and http/https are properly redirected.
    So far..so good :)

    I also have a site-to-site IPsec VPN to a remote office with a couple of PCs that are connected to the Windows domain and use the Windows DNS server in the main office.
    From these remote PCs blocked domains are properly resolved to 10.10.10.1; if I try (as a test) to browse to http://10.10.10.1:8081/test.html it works fine (I get the 1x1 pic), but http://10.10.10.1/test.html cannot connect.
    Nothing is blocked by the firewall (all block rules have logging enabled) and if I enable logging in the pass rule for the IPsec traffic I see that the http (80) request is passed to 127.0.0.1, but still the client cannot connect.

    I then tried to change the NAT created by pfBlocker DNSBL that translates 10.10.10.1:8081 to 127.0.0.1:80 to point (instead of 127.0.0.1) to the LAN IP address of pfSense and…it worked!

    Of course this is not a solution, as that NAT rule is recreated every time pfBlockerNG updates.

    What could it be that blocks connections from the remote IPsec network?
    As a last resort, would it be possible to change the NAT rule that pfBlockerNG creates to use the pfSense LAN IP address instead of 127.0.0.1?

    Thank you in advance for any hint.

    SenseRider


  • Moderator

    Go to the DNSBL tab, and add the IPsec interface to the "DNSBL Firewall Rule" option. This will create a floating permit rule to allow that IPsec subnet to access the DNSBL VIP address.



  • Hi BBcan177, thank you for your suggestion, however I already did that: in "DNSBL Firewall Rule" the checkbox is checked and LAN + IPsec are selected, but I cannot find the floating permit rule.

    The only floating rule defined (pfB_DNSBL_Allow_access_to_VIP) is:

    Protocol: IPV4
    Source: *
    Port: *
    Destination: 10.10.10.1
    Port: *
    Gateway: *

    In the IPsec firewall rules I have an allow-all rule (IPv4 and all *) that I created (before using pfBlocker) to allow site-to-site traffic.

    What kind of rule should be created?

    Please note that remote site PCs can access the VIP using port 8081 (see first post); the problem is accessing the VIP when NATted to 127.0.0.1, and it works when NATted to the pfSense LAN IP.

    Thank you.

    SenseRider



  • I'm still trying to get this to work with no success  :'(

    I'm using (now) latest pfSense:
    2.3.2-RELEASE-p1 (amd64)
    built on Tue Sep 27 12:13:07 CDT 2016
    FreeBSD 10.3-RELEASE-p9

    I've tried to "add the IPsec interface to the "DNSBL Firewall Rule" option" with no difference; in fact, adding any interface in addition to LAN does not change any firewall rule (floating or not floating). Regardless of what is selected (in addition to LAN) there is a single floating rule (pass anything from 10.10.10.1) added. Is this normal/by design?

    As a last resort, is there any way/hack to change the NAT rule that pfBlockerNG creates to use the pfSense LAN IP address instead of 127.0.0.1?
    this would fix my problem, at least until a proper solution is found.

    Thank you for any hint.

    SenseRider


  • Banned

    @SenseRider:

    Regardless of what is selected (in addition to LAN) there is a single floating rule (pass anything from 10.10.10.1) added. Is this normal/by design?

    You need to look inside the floating rule for what interfaces are selected, there's not supposed to be more than one rule there.



  • Oops! True, it does change the rule; however, remote clients still cannot connect to 10.10.10.1:80 but can connect to 10.10.10.1:8081.

    If I enable logging of IPsec traffic from the IPsec firewall rule (I created in Firewall - Rules - IPsec, to allow/pass all IPv4), when trying to connect to 10.10.10.1:80 from a remote IPsec client PC I do get the passed traffic in the System Log/Firewall log from the remote PC IP address to 10.10.10.1:8081 (so NAT worked and it is PASSed by the firewall).

    It seems that the response is not correctly routed; however I cannot find any blocked traffic even though I have logging enabled on all block rules.

    Something strange (for me at least) is that from the pfSense ssh console I cannot ping the remote PC IP address using a "normal" ping (no additional options), but I can ping with the "-S <pfSense LAN IP address>" option. Maybe this can give some hint?

    Thank you.

    SenseRider



  • Look at the NAT rules, it only forwards VIP:80 and VIP:443




  • @RonpfS:

    Look at the NAT rules, it only forwards VIP:80 and VIP:443

    Yes, that's correct, exactly as your picture.

    In fact that's proven to be working by:
    @SenseRider:

    If I enable logging of IPsec traffic from the IPsec firewall rule (I created in Firewall - Rules - IPsec, to allow/pass all IPv4), when trying to connect to 10.10.10.1:80 from a remote IPsec client PC I do get the passed traffic in the System Log/Firewall log from the remote PC IP address to 10.10.10.1:8081 (so NAT worked and it is PASSed by the firewall).

    SenseRider



  • I think the problem is the way IPsec handles routing, which is performed before it reaches the standard pfSense routing and is based on the source address.
    In my case the response from the web server has 127.0.0.1 as source address, so it is routed to the default gateway.

    I think the only way to get this working is to change the source address of the response, and this can be achieved by changing the NAT address from 127.0.0.1 to the LAN IP address.
    Any hack available for doing that?

    SenseRider



  • OK, I finally found a workaround and it is very simple  :D

    All I had to do was add two new NAT/PAT 1:1 rules on top of/before the NAT/PAT created by DNSBL, NATting 10.10.10.1:80 to <LAN IP>:8081 and 10.10.10.1:443 to <LAN IP>:8443; this way "my" NAT is performed before the DNSBL-created NAT, which is now ignored.

    I believe this is the only way to get DNSBL working from remote PCs connected via IPsec.

    SenseRider
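A small model of the two mechanisms this thread turns on, written for this page as an added example (it is not pfSense, pf or pfBlockerNG code): pf port forwards are matched top-down with the first match winning, which is why the extra rules only work when placed before the pfBlockerNG ones; and on a policy-based IPsec tunnel a locally generated packet only enters the tunnel if its source address falls inside the Phase 2 selector, which is why a reply sourced from 127.0.0.1 heads for the default gateway while one sourced from the LAN address is tunnelled (the same reason a plain `ping` from the pfSense shell fails and `ping -S <LAN IP>` works). The thread only names the VIP 10.10.10.1; the LAN 192.168.1.0/24 with pfSense at 192.168.1.1, the WAN address 203.0.113.2, the remote office 192.168.2.0/24 and a single LAN-to-remote Phase 2 are assumptions made for the model.

```python
"""
Model of why the pfBlockerNG DNSBL VIP answers on port 80 for LAN clients but
not for clients behind a policy-based IPsec tunnel, and why a port forward
targeted at the LAN address (placed BEFORE the pfBlockerNG one) fixes it.
Illustrative model written for this thread; not pfSense, pf or pfBlockerNG code.

Assumed addressing (the thread only names the VIP 10.10.10.1):
  LAN 192.168.1.0/24 with pfSense at 192.168.1.1, WAN address 203.0.113.2,
  remote office 192.168.2.0/24, one Phase 2 selector LAN <-> remote.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VIP = "10.10.10.1"                          # pfBlockerNG DNSBL VIP (from the thread)
LAN_IP = "192.168.1.1"                      # assumed pfSense LAN address
WAN_IP = "203.0.113.2"                      # assumed pfSense WAN address
LAN_NET = ip_network("192.168.1.0/24")      # assumed local Phase 2 selector
REMOTE_NET = ip_network("192.168.2.0/24")   # assumed remote Phase 2 selector


@dataclass(frozen=True)
class Rdr:
    """One pf 'rdr' (port forward): packets to dst:dport are rewritten to target:tport."""
    dst: str
    dport: int
    target: str
    tport: int


# Port forwards as pfBlockerNG installs them: VIP:80/443 -> 127.0.0.1:8081/8443
PFB_RDR = [Rdr(VIP, 80, "127.0.0.1", 8081), Rdr(VIP, 443, "127.0.0.1", 8443)]
# SenseRider's workaround: the same forwards, targeted at the LAN address instead
WORKAROUND_RDR = [Rdr(VIP, 80, LAN_IP, 8081), Rdr(VIP, 443, LAN_IP, 8443)]


def apply_rdr(rules, dst, dport):
    """pf evaluates rdr rules top-down and the FIRST match wins (unlike filter
    rules, where the last match wins), so rule order decides the target."""
    for r in rules:
        if r.dst == dst and r.dport == dport:
            return r.target, r.tport
    return dst, dport  # no forward: delivered to the VIP itself


def spd_selects(src, dst):
    """Policy-based IPsec: a locally generated packet only enters the tunnel
    if its (src, dst) pair falls inside a Phase 2 selector pair."""
    return ip_address(src) in LAN_NET and ip_address(dst) in REMOTE_NET


def reply_path(rules, client_ip, dport=80):
    """Follow one request from client_ip to VIP:dport and report where the web
    server's reply goes.  The reply is generated from the rdr target address
    (the socket the web server answered on); the SPD lookup sees that address,
    and pf only rewrites the source back to the VIP afterwards.  This is the
    behaviour SenseRider describes above."""
    target, _tport = apply_rdr(rules, VIP, dport)
    if ip_address(client_ip) in LAN_NET:
        return "lan"              # directly connected client; no SPD involved
    if spd_selects(target, client_ip):
        return "ipsec"            # tunnelled: the client gets its redirect page
    return "default-gateway"      # leaves via the default route: client times out


def ping_source(explicit_src=None):
    """Mirrors the 'ping <remote PC>' observation: without -S the kernel picks
    the address of the default-route interface (WAN), which is outside the
    Phase 2 selector, so the echo request is never tunnelled."""
    src = explicit_src or WAN_IP
    return "ipsec" if spd_selects(src, "192.168.2.10") else "default-gateway"


if __name__ == "__main__":
    remote_client = "192.168.2.10"   # constructed remote-office PC address
    print("LAN client, pfB rules only  :", reply_path(PFB_RDR, "192.168.1.50"))
    print("remote client, pfB rules    :", reply_path(PFB_RDR, remote_client))
    print("remote client, workaround   :", reply_path(WORKAROUND_RDR + PFB_RDR, remote_client))
    print("workaround placed AFTER pfB :", reply_path(PFB_RDR + WORKAROUND_RDR, remote_client))
    print("ping without -S             :", ping_source())
    print("ping -S", LAN_IP, "        :", ping_source(LAN_IP))
```

The model deliberately covers only the forwarded ports (80/443); the direct 8081 path, which works in the thread because no rdr rewrites it, depends on how the VIP itself is covered by the tunnel selectors and is not modelled. On a real box the equivalent check is `pfctl -sn` to confirm the order of the rdr rules and that the first VIP:80 match targets the LAN address, and `sockstat -4l` to confirm what lighttpd is bound to.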


  • Moderator

    Hi,

    I don't have your environment to test, but I do have some changes to the Lighttpd web server configuration to listen on 10.10.10.1 (For DNS requests made from pfSense itself) and log those blocked domains… Not sure if this will help your situation or not?

    Save to  [  /var/unbound/pfb_dnsbl_lighty.conf  ]

    
    #
    #pfBlockerNG Lighttpd DNSBL configuration file
    #
    # Default listener: plain HTTP on every address, port 8081
    # (the target of the VIP:80 port forward)
    server.bind                     = "0.0.0.0"
    server.port                     = "8081"
    server.event-handler            = "freebsd-kqueue"
    server.network-backend          = "freebsd-sendfile"
    server.dir-listing              = "disable"
    server.document-root            = "/usr/local/www/pfblockerng/www/"
    server.errorlog                 = "/var/log/pfblockerng/dnsbl_error.log"
    server.pid-file                 = "/var/run/dnsbl.pid"
    server.modules                  = ( "mod_access", "mod_fastcgi", "mod_rewrite" )
    
    server.indexfiles               = ( "index.php" )
    mimetype.assign                 = ( ".html" => "text/html", ".gif" => "image/gif" )
    url.access-deny                 = ( "~", ".inc" )
    fastcgi.server                  = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
    
    debug.log-condition-handling    = "enable"
    
    # Every request, whatever the Host header, is served by index.php
    $HTTP["host"] =~ ".*" {
            url.rewrite-once = ( ".*" => "index.php" )
    }
    
    # Extra listener bound directly on the VIP, so the block page also answers
    # requests that do not pass through the 127.0.0.1 port forward
    # (e.g. DNS requests made from pfSense itself)
    $SERVER["socket"] == "10.10.10.1:80" {
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }
    
    # HTTPS listener: the target of the VIP:443 port forward.
    # SSLv2/SSLv3 are disabled and the server's cipher order is enforced.
    $SERVER["socket"] == "0.0.0.0:8443" {
            ssl.engine              = "enable"
            ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
            ssl.use-sslv2           = "disable"
            ssl.use-sslv3           = "disable"
            ssl.honor-cipher-order  = "enable"
            ssl.cipher-list         = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }
    
    # Same HTTPS listener bound directly on the VIP
    $SERVER["socket"] == "10.10.10.1:443" {
            ssl.engine              = "enable"
            ssl.pemfile             = "/var/unbound/dnsbl_cert.pem"
            ssl.use-sslv2           = "disable"
            ssl.use-sslv3           = "disable"
            ssl.honor-cipher-order  = "enable"
            ssl.cipher-list         = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    
            $HTTP["host"] =~ ".*" {
                    url.rewrite-once = ( ".*" => "index.php" )
            }
    }
    
    

    then:

    /usr/local/etc/rc.d/dnsbl.sh restart
    

    Note: The NAT address of 127.0.0.1 is defined here:

    /usr/local/pkg/pfblockerng/pfblockerng.inc

    https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L791