Rule created after reload
-
Hi All,
pfBlockerNG is doing a great job and the problem I'm having is without a doubt some misconfiguration on my part.
Each time pfBlockerNG reloads the DNSBL feeds it auto creates:LAN TCP * * 10.10.10.1 80 (HTTP) 127.0.0.1 8081 pfB DNSBL - DO NOT EDIT
LAN TCP * * 10.10.10.1 443 (HTTPS) 127.0.0.1 8443 pfB DNSBL - DO NOT EDITAfter the reload / auto-rule the vip 10.10.10.1 is no longer accessible and timeout hell opens up.
I found that manually changing the rules resolves my problem:LAN TCP * * 10.10.10.1 80 (HTTP) 10.10.10.1 8081 pfB DNSBL - DO NOT EDIT
LAN TCP * * 10.10.10.1 443 (HTTPS) 10.10.10.1 8443 pfB DNSBL - DO NOT EDITWhere should I start looking or even better: what am I doing wrong?
Thanks!
Wowbagger -
Those are the NAT Rules created to forward HTTP/S request to pfBlockerNG DNSBL Web server
In DNSBL / DNSBL Configuration tab, did you enable DNSBL Firewall Rule?
If so look on the Firewall / Rules / Floating tab to see if the rules is created and it's placement :IPv4 * * * 10.10.10.1 * * none pfB_DNSBL_PermitCan you ping 10.10.10.1 ?
When you open http://10.10.10.1, do you get a 1x1 GIF ? -
Thanks for your reply!
In DNSBL / DNSBL Configuration tab, did you enable DNSBL Firewall Rule?
Yes, it's checked.
If so look on the Firewall / Rules / Floating tab to see if the rules is created and it's placement :
I deleted it and the update re-created it. It sits at the bottom of the Rules / Floating table :
IPv4+6 TCP/UDP WAN net * * 3000 (HBCI) * none Disable pftopng IPv4+6 TCP/UDP WAN net * WAN address 9443 * none Disable pfsense gui IPv4 * * * 10.10.10.1 * * none pfB_DNSBL_Allow_access_to_VIPCan you ping 10.10.10.1 ?
When you open http://10.10.10.1, do you get a 1x1 GIF ?Yes. Without manually changing the rule I can ping 10.10.10.1 and get http/s on 10.10.10.1:8081/8443 from a LAN client.
Doing an nslookup for a blocked domain on a LAN client correctly returns 10.10.10.1 and netstat -an on pfsense shows it's listening on *:8081 and *:8443. Browsing to a blocked domain on a LAN client just throws a timeout, dnsbl logs nothing.Changing the automatically created port forwarding rules to 10.10.10.1 instead of 127.0.0.1 makes it work again.
Driving me nuts!Gr,
W -
Do you use limiters? or have any other NAT/Firewall rules that might be interfering?
Also ensure that the LAN devices only have the pfSense Resolver as its only DNS server option…
If your on a multi-segmented lan, make sure the DNSBL permit rule has all the subnets listed...
Is this from all LAN devices? What browser?
Since its pinging the DNSBL VIP, and the browse to the DNSBL VIP seems to report the 1x1, then it all seems to be working as expected...
-
Thanks for the help!
No limiters, I attached the rules that are active.
The LAN device is a Windows 2012 with a static IP on the LAN segment, default gateway & DNS is pfsense.
It's a single subnet. Haven't tried setting up a secondary LAN client yet. Behaviour is the same in Chrome, IExplorer, Firefox.I followed a guide in forcing all LAN client DNS lookups to pfsense. The blocking rule is only permitting .be ip's, that about it.
As you see it's redirecting to 127.0.0.1, the lan client can do nslookups but no browsing.
I checked the proxy settings etc but can't find the cause of it.As a workaround: Is it possible to change a config file so it set 10.10.10.1 in the NAT after an update?
 -
Why do you have LAN FW rules "Redirect Blocked to 1x1Gif? It's not needed.
On WAN FW pfB_DNSBLIP, you don't Reject as this will send a response back to the attacker, you Block access then the attacker receive no respond and times out.
As for redirecting LAN devices DNS requests, did you configure DHCP server to provide DNS resolution to client, or WPAD, instead of redirecting all DNS requests ?
-
Thanks for your reply! Always great to learn!
Why do you have LAN FW rules "Redirect Blocked to 1x1Gif? It's not needed.
I believe I followed a non pfsense blog that mentioned them but there are not really needed when thinking about it.
On WAN FW pfB_DNSBLIP, you don't Reject as this will send a response back to the attacker, you Block access then the attacker receive no respond and times ou
Thanks for pointing that out ;)
As for redirecting LAN devices DNS requests, did you configure DHCP server to provide DNS resolution to client, or WPAD, instead of redirecting all DNS requests ?
I disabled the pfsense lan DHCP server. pfsense LAN side is connected to an existing LAN switch with another dhcp server so for the moment I am using a lan client that's setup statically. The idea is to use pfsense as the dhcp server but next to normal dhcp clients there are some static ones also. I presume static configured clients should also just work? I'm planning to setup dhcp & wpad squid in the next coming days.
-
If you are using Squid, you need to exclude the VIP from proxy.