DNSBL clients via IPsec VPN
-
Goto the DNSBL tab, and add the IPsec interface to the "DNSBL Firewall Rule" option. This will create a floating permit rule to allow that IPsec subnet to access the DNSBL VIP address.
-
Hi BBcan177, thank you for your suggestion, however I already did that, in "DNSBL Firewall Rule" the checkbox is checked and LAN + IPsec are selected, however I cannot find the floating permit rule.
The only floating rule defined (pfB_DNSBL_Allow_access_to_VIP) is:
Protocol: IPV4
Source: *
Port: *
Destination: 10.10.10.1
Port: *
Gateway: *
In IPsec firewall rules I have an allow all rule (IPV4 and all *) that I created (before using pfBlocker) to allow site-to-site traffic.
What kind of rule should be created?
Please note that remote site PCs can access the VIP using port 8081 (see first post); the problem is accessing the VIP when NATted to 127.0.0.1, and it works when NATted to the pfSense LAN IP.
Thank you.
SenseRider
-
I'm still trying to get this work with no success :'(
I'm using (now) latest pfSense:
2.3.2-RELEASE-p1 (amd64)
built on Tue Sep 27 12:13:07 CDT 2016
FreeBSD 10.3-RELEASE-p9
I've tried to "add the IPsec interface to the "DNSBL Firewall Rule" option" with no difference; in fact, adding any interface in addition to LAN does not change any firewall rule (floating or not floating). Regardless of what is selected (in addition to LAN), a single floating rule (pass anything from 10.10.10.1) is added. Is this normal/by design?
As a last resort, is there any way/hack to change the NAT rule that pfBlockerNG creates to use the pfSense LAN IP address instead of 127.0.0.1?
This would fix my problem, at least until a proper solution is found.
Thank you for any hint.
SenseRider
-
Regardless of what is selected (in addition to LAN), a single floating rule (pass anything from 10.10.10.1) is added. Is this normal/by design?
You need to look inside the floating rule for what interfaces are selected, there's not supposed to be more than one rule there.
-
Oops! True, it does change the rule; however, remote clients still cannot connect to 10.10.10.1:80 but can connect to 10.10.10.1:8081.
If I enable logging of IPsec traffic from the IPsec firewall rule (I created in Firewall - Rules - IPsec, to allow/pass all IPV4), when trying to connect to 10.10.10.1:80 from a remote IPsec client PC I do get the pass traffic in the System Log/Firewall log from the remote PC IP address to 10.10.10.1:8081 (so NAT worked and it is PASSed by the firewall).
It seems that the response is not correctly routed; however, I cannot find any blocked traffic, even though I have logging enabled on all block rules.
Something strange (for me at least) is that from the pfSense ssh console I cannot ping the remote PC IP address using a "normal" ping (no additional options); I can ping with the "-S <pfSense LAN IP address>" option. Maybe this can give some hint?
Thank you.
SenseRider
-
Look at the NAT rules, it only forwards VIP:80 and VIP:443
-
Look at the NAT rules, it only forwards VIP:80 and VIP:443
Yes, that's correct, exactly as your picture.
In fact that's proven working by:
@SenseRider: If I enable logging of IPsec traffic from the IPsec firewall rule (I created in Firewall - Rules - IPsec, to allow/pass all IPV4), when trying to connect to 10.10.10.1:80 from a remote IPsec client PC I do get the pass traffic in the System Log/Firewall log from the remote PC IP address to 10.10.10.1:8081 (so NAT worked and it is PASSed by the firewall).
SenseRider
-
I think the problem is the way IPsec handles routing, which is performed before it reaches the standard pfSense routing and is based on the source address.
In my case the response from the web server has 127.0.0.1 as source address, so it is routed to the default gateway.
I think the only way to get this working is to change the source address of the response, and this can be achieved by changing the NAT address from 127.0.0.1 to the LAN IP address.
Any hack available for doing that?
SenseRider
-
OK, I finally found a workaround and it is very simple :D
All I had to do was add two new NAT/PAT 1:1 rules on top of/before the NAT/PAT created by DNSBL, NATting 10.10.10.1:80 to <LAN IP>:8081 and 10.10.10.1:443 to <LAN IP>:8443; this way "my" NAT is performed before the DNSBL created NAT, which is now ignored.
I believe this is the only way to get DNSBL working from remote PCs connected via IPsec.
SenseRider
-
Hi,
I don't have your environment to test, but I do have some changes to the Lighttpd web server configuration to listen on 10.10.10.1 (for DNS requests made from pfSense itself) and log those blocked domains… Not sure if this will help your situation or not?
Save to [ /var/unbound/pfb_dnsbl_lighty.conf ]
#
#pfBlockerNG Lighttpd DNSBL configuration file
#
server.bind = "0.0.0.0"
server.port = "8081"
server.event-handler = "freebsd-kqueue"
server.network-backend = "freebsd-sendfile"
server.dir-listing = "disable"
server.document-root = "/usr/local/www/pfblockerng/www/"
server.errorlog = "/var/log/pfblockerng/dnsbl_error.log"
server.pid-file = "/var/run/dnsbl.pid"
server.modules = ( "mod_access", "mod_fastcgi", "mod_rewrite" )
server.indexfiles = ( "index.php" )
mimetype.assign = ( ".html" => "text/html", ".gif" => "image/gif" )
url.access-deny = ( "~", ".inc" )
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/var/run/php-fpm.socket", "broken-scriptfilename" => "enable" ) ) )
debug.log-condition-handling = "enable"

$HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }

$SERVER["socket"] == "10.10.10.1:80" {
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}

$SERVER["socket"] == "0.0.0.0:8443" {
    ssl.engine = "enable"
    ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}

$SERVER["socket"] == "10.10.10.1:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "AES128+EECDH:AES256+EECDH:AES128+EDH:AES256+EDH:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!DSS"
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
then:
/usr/local/etc/rc.d/dnsbl.sh restart
Note: The NAT address of 127.0.0.1, is defined here:
/usr/local/pkg/pfblockerng/pfblockerng.inc
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L791
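The point of the config change above is that lighttpd binds the DNSBL VIP (10.10.10.1) on ports 80 and 443 itself, so the reply no longer carries a 127.0.0.1 source address and the NAT redirect that breaks for IPsec clients is no longer on the path. The following script is an added example, not part of the thread or of pfBlockerNG: it parses a lighttpd config in the format shown above, lists every socket the server will bind (with a TLS flag), and reports which VIP ports would still depend on the 127.0.0.1 redirect. The embedded config is a constructed, trimmed-down copy of the one in the post; the VIP 10.10.10.1 and ports are taken from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed-down version of the lighttpd DNSBL config
# posted in the thread (not the actual file from a running pfSense box).
SAMPLE_CONF = r'''
#
# pfBlockerNG Lighttpd DNSBL configuration file
#
server.bind = "0.0.0.0"
server.port = "8081"
server.modules = ( "mod_access", "mod_fastcgi", "mod_rewrite" )

$HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }

$SERVER["socket"] == "10.10.10.1:80" {
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}

$SERVER["socket"] == "0.0.0.0:8443" {
    ssl.engine = "enable"
    ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}

$SERVER["socket"] == "10.10.10.1:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/var/unbound/dnsbl_cert.pem"
    $HTTP["host"] =~ ".*" { url.rewrite-once = ( ".*" => "index.php" ) }
}
'''

@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    tls: bool

_SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]+)"')
_ASSIGN_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"')

def parse_listeners(conf_text):
    """Return the set of sockets lighttpd will bind, each with a TLS flag.

    Handles the default server.bind/server.port pair plus every
    $SERVER["socket"] == "addr:port" block; an ssl.engine = "enable" inside
    a socket block marks that listener as TLS.  Braces are tracked outside
    double quotes so nested $HTTP["host"] blocks do not confuse the parser.
    """
    default = {"bind": "0.0.0.0", "port": None, "tls": False}
    sockets = {}   # "addr:port" -> tls flag
    stack = []     # open blocks, innermost last; socket key or None
    for raw in conf_text.splitlines():
        line = raw
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SOCKET_RE.search(line)
        new_socket = m.group(1) if m else None
        innermost = next((s for s in reversed(stack) if s), None)
        a = _ASSIGN_RE.match(line)
        if a:
            key, val = a.groups()
            if innermost is None:
                if key == "server.bind":
                    default["bind"] = val
                elif key == "server.port":
                    default["port"] = int(val)
                elif key == "ssl.engine":
                    default["tls"] = (val == "enable")
            elif key == "ssl.engine" and val == "enable":
                sockets[innermost] = True
        in_quote = False
        for ch in line:
            if ch == '"':
                in_quote = not in_quote
            elif in_quote:
                continue
            elif ch == "{":
                stack.append(new_socket)
                if new_socket:
                    sockets.setdefault(new_socket, False)
                    new_socket = None
            elif ch == "}" and stack:
                stack.pop()
    listeners = set()
    if default["port"] is not None:
        listeners.add(Listener(default["bind"], default["port"], default["tls"]))
    for key, tls in sockets.items():
        addr, _, port = key.rpartition(":")
        listeners.add(Listener(addr, int(port), tls))
    return listeners

def missing_vip_listeners(conf_text, vip, ports=(80, 443)):
    """Ports on the DNSBL VIP that the config does NOT bind directly.

    Any port returned here still depends on the NAT redirect to 127.0.0.1,
    which is the path that fails for IPsec clients in the thread.
    """
    bound = {(l.address, l.port) for l in parse_listeners(conf_text)}
    return sorted(p for p in ports
                  if (vip, p) not in bound and ("0.0.0.0", p) not in bound)

if __name__ == "__main__":
    for l in sorted(parse_listeners(SAMPLE_CONF), key=lambda l: (l.address, l.port)):
        print(f"{l.address}:{l.port}  tls={l.tls}")
    print("VIP ports still needing the 127.0.0.1 redirect:",
          missing_vip_listeners(SAMPLE_CONF, "10.10.10.1"))
```

Run it against the real file with `parse_listeners(open("/var/unbound/pfb_dnsbl_lighty.conf").read())` before the `dnsbl.sh restart`; an empty result from `missing_vip_listeners` means both VIP ports are served directly by lighttpd and the reply source address will be the VIP rather than 127.0.0.1.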