Netgate Discussion Forum

    Rule created after reload

    Category: pfBlockerNG
    8 Posts, 4 Posters, 2.6k Views
    wowbagger

      Hi All,

      pfBlockerNG is doing a great job and the problem I'm having is without a doubt some misconfiguration on my part.
      Each time pfBlockerNG reloads the DNSBL feeds it auto creates:

      LAN TCP * * 10.10.10.1 80 (HTTP) 127.0.0.1 8081 pfB DNSBL - DO NOT EDIT  
      LAN TCP * * 10.10.10.1 443 (HTTPS) 127.0.0.1 8443 pfB DNSBL - DO NOT EDIT

      After the reload / auto-rule the vip 10.10.10.1 is no longer accessible and timeout hell opens up.
      I found that manually changing the rules resolves my problem:

      LAN TCP * * 10.10.10.1 80 (HTTP) 10.10.10.1 8081 pfB DNSBL - DO NOT EDIT
      LAN TCP * * 10.10.10.1 443 (HTTPS) 10.10.10.1 8443 pfB DNSBL - DO NOT EDIT

      Where should I start looking or even better: what am I doing wrong?

      Thanks!
      Wowbagger

      RonpfS

        Those are the NAT rules created to forward HTTP/S requests to the pfBlockerNG DNSBL web server.

        In the DNSBL / DNSBL Configuration tab, did you enable DNSBL Firewall Rule?
        If so, look on the Firewall / Rules / Floating tab to see if the rule is created and check its placement:

        IPv4  *  *  *  10.10.10.1  *  *  none    pfB_DNSBL_Permit

        Can you ping 10.10.10.1 ?
        When you open http://10.10.10.1, do you get a 1x1 GIF ?

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        wowbagger
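        The checks RonpfS lists (is the rdr rule there, what does it forward to, does the VIP answer with the 1x1 GIF, does a blocked name resolve to the VIP) can be scripted. The block below is an added example, not code from pfBlockerNG or from anyone in this thread. It assumes the VIP and ports shown in the thread (10.10.10.1, 80/443 forwarded to 8081/8443), that `pfctl -sn` prints rdr rules in the usual pf syntax (the sample output embedded here is constructed, not captured from the poster's box), and that `ads.example` is a hypothetical blocked domain. The network steps use injectable `resolve`/`fetch` callables so the same code can be exercised offline.

```python
"""Diagnose the pfBlockerNG DNSBL redirect path discussed in the thread.

Added example (not pfBlockerNG's own code). Assumptions:
  * VIP 10.10.10.1, VIP:80/443 forwarded to the DNSBL listeners 8081/8443;
  * `pfctl -sn` rdr lines look like the constructed SAMPLE_PFCTL_SN below;
  * a blocked domain should resolve to the VIP and the DNSBL web server
    should answer with a 1x1 GIF on both http://VIP/ and http://<blocked>/.
"""
import re
import socket
import struct
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

VIP = "10.10.10.1"
DNSBL_PORTS = {80: 8081, 443: 8443}            # VIP port -> DNSBL listener port
SERVICE_NAMES = {"http": 80, "https": 443}     # pfctl prints well-known ports by name

# Constructed sample of `pfctl -sn` output (not taken from the poster's system).
SAMPLE_PFCTL_SN = """\
rdr on em1 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em1 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
nat on em0 inet from 10.10.10.0/24 to any -> (em0) port 1024:65535
"""

# A minimal 1x1 transparent GIF, constructed inline so the parser can be tested offline.
ONE_BY_ONE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
                  b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

RDR_RE = re.compile(
    r"rdr\s+(?:pass\s+)?on\s+(?P<iface>\S+)\s+(?:inet6?\s+)?proto\s+tcp\s+"
    r"from\s+\S+\s+to\s+(?P<dst>\S+)\s+port\s*=?\s*(?P<dport>\S+)\s+"
    r"->\s+(?P<target>\S+)\s+port\s+(?P<tport>\d+)")


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICE_NAMES.get(tok.lower(), -1)


def parse_vip_rdr(pfctl_sn: str, vip: str = VIP) -> Dict[int, Tuple[str, str, int]]:
    """Return {vip_port: (interface, target_ip, target_port)} for every rdr rule
    that rewrites traffic addressed to the VIP. Feed it the text of `pfctl -sn`."""
    found = {}
    for line in pfctl_sn.splitlines():
        m = RDR_RE.search(line)
        if m and m.group("dst") == vip:
            found[_port(m.group("dport"))] = (m.group("iface"), m.group("target"),
                                             int(m.group("tport")))
    return found


def audit_rdr(rules: Dict[int, Tuple[str, str, int]], vip: str = VIP) -> List[str]:
    """Describe the DNSBL forwards in the thread's terms: present or missing,
    listener port as expected, and whether the target is loopback or the VIP."""
    notes = []
    for vport, lport in DNSBL_PORTS.items():
        if vport not in rules:
            notes.append(f"MISSING rdr for {vip}:{vport}")
            continue
        iface, target, tport = rules[vport]
        kind = "loopback target (auto-created form)" if target.startswith("127.") \
            else "VIP target (the manual change from the thread)"
        port_ok = "" if tport == lport else f", expected listener port {lport}"
        notes.append(f"{vip}:{vport} -> {target}:{tport} on {iface}: {kind}{port_ok}")
    return notes


def is_1x1_gif(body: bytes) -> bool:
    """True if body is a GIF whose logical screen is 1x1 (the DNSBL placeholder)."""
    if len(body) < 10 or body[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", body[6:10])   # GIF header is little-endian
    return (width, height) == (1, 1)


def _http_get(url: str, timeout: float = 3.0) -> Optional[bytes]:
    """Fetch with proxies disabled, so a Squid/WPAD setting on the client
    cannot mask the result (doktornotor's point later in the thread)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as r:
            return r.read()
    except OSError:
        return None          # timeout or refused: the thread's symptom


def check_client_path(blocked_domain: str, vip: str = VIP,
                      resolve: Callable[[str], str] = socket.gethostbyname,
                      fetch: Callable[[str], Optional[bytes]] = _http_get) -> List[str]:
    """From a LAN client: (1) blocked name resolves to the VIP, (2) http://VIP/
    returns the 1x1 GIF, (3) http://<blocked>/ (which traverses the rdr rule) does too."""
    try:
        ip = resolve(blocked_domain)
    except OSError as e:
        return [f"FAIL resolve {blocked_domain}: {e}"]
    out = [("OK " if ip == vip else "FAIL ") + f"{blocked_domain} resolves to {ip} (want {vip})"]
    for url in (f"http://{vip}/", f"http://{blocked_domain}/"):
        body = fetch(url)
        if body is None:
            out.append(f"FAIL {url}: no answer (timeout), redirect path broken")
        elif is_1x1_gif(body):
            out.append(f"OK {url}: 1x1 GIF")
        else:
            out.append(f"FAIL {url}: answered, but not the DNSBL 1x1 GIF")
    return out


if __name__ == "__main__":
    for note in audit_rdr(parse_vip_rdr(SAMPLE_PFCTL_SN)):
        print(note)
    for line in check_client_path("ads.example"):   # hypothetical blocked domain
        print(line)
```

        On the firewall, `pfctl -sn | python3 -c 'import sys; ...'` style piping into `parse_vip_rdr` shows exactly what the auto-created rules forward to; on the Windows client the `check_client_path` run separates "DNS answers with the VIP" from "the forwarded connection actually completes", which is the split the thread is stuck on.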

          Thanks for your reply!

          In DNSBL / DNSBL Configuration tab, did you enable DNSBL Firewall Rule?

          Yes, it's checked.

          If so look on the Firewall / Rules / Floating tab to see if the rules is created and it's placement :

          I deleted it and the update re-created it. It sits at the bottom of the Rules / Floating table:

          IPv4+6  TCP/UDP  WAN net  *  *            3000 (HBCI)  *  none    Disable pftopng
          IPv4+6  TCP/UDP  WAN net  *  WAN address  9443         *  none    Disable pfsense gui
          IPv4    *        *        *  10.10.10.1   *            *  none    pfB_DNSBL_Allow_access_to_VIP

          Can you ping 10.10.10.1 ?
          When you open http://10.10.10.1, do you get a 1x1 GIF ?

          Yes. Without manually changing the rule I can ping 10.10.10.1 and get http/s on 10.10.10.1:8081/8443 from a LAN client.
          Doing an nslookup for a blocked domain on a LAN client correctly returns 10.10.10.1 and netstat -an on pfsense shows it's listening on *:8081 and *:8443. Browsing to a blocked domain on a LAN client just throws a timeout, dnsbl logs nothing.

          Changing the automatically created port forwarding rules to 10.10.10.1 instead of 127.0.0.1 makes it work again.
          Driving me nuts!

          Gr,
          W

          BBcan177 (Moderator)

            Do you use limiters, or have any other NAT/firewall rules that might be interfering?

            Also ensure that the LAN devices have the pfSense Resolver as their only DNS server option…

            If you're on a multi-segmented LAN, make sure the DNSBL permit rule has all the subnets listed...

            Is this from all LAN devices? What browser?

            Since it's pinging the DNSBL VIP, and browsing to the DNSBL VIP seems to return the 1x1, it all seems to be working as expected...

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            wowbagger

              Thanks for the help!

              No limiters, I attached the rules that are active.
              The LAN device is a Windows 2012 with a static IP on the LAN segment, default gateway & DNS is pfsense.
              It's a single subnet. Haven't tried setting up a secondary LAN client yet. Behaviour is the same in Chrome, IExplorer, Firefox.

              I followed a guide on forcing all LAN client DNS lookups to pfsense. The blocking rule is only permitting .be IPs, that's about it.
              As you can see it's redirecting to 127.0.0.1; the LAN client can do nslookups but no browsing.
              I checked the proxy settings etc. but can't find the cause of it.

              As a workaround: Is it possible to change a config file so it set 10.10.10.1 in the NAT after an update?

              ![Screen Shot 2017-02-05 at 8.00.13 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.13 pm.png)
              ![Screen Shot 2017-02-05 at 8.00.42 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.42 pm.png)
              ![Screen Shot 2017-02-05 at 8.00.23 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.23 pm.png)
              ![Screen Shot 2017-02-05 at 8.00.04 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.04 pm.png)

              RonpfS

                Why do you have the LAN FW rules "Redirect Blocked to 1x1Gif"? They're not needed.

                On the WAN FW pfB_DNSBLIP rule, you don't Reject, as this will send a response back to the attacker; you Block access, then the attacker receives no response and times out.

                As for redirecting LAN devices' DNS requests, did you configure the DHCP server to provide DNS resolution to clients, or WPAD, instead of redirecting all DNS requests?

                  wowbagger

                  Thanks for your reply! Always great to learn!

                  Why do you have the LAN FW rules "Redirect Blocked to 1x1Gif"? They're not needed.

                  I believe I followed a non-pfsense blog that mentioned them, but they are not really needed when thinking about it.

                  On the WAN FW pfB_DNSBLIP rule, you don't Reject, as this will send a response back to the attacker; you Block access, then the attacker receives no response and times out.

                  Thanks for pointing that out ;)

                  As for redirecting LAN devices' DNS requests, did you configure the DHCP server to provide DNS resolution to clients, or WPAD, instead of redirecting all DNS requests?

                  I disabled the pfsense LAN DHCP server. The pfsense LAN side is connected to an existing LAN switch with another DHCP server, so for the moment I am using a LAN client that's set up statically. The idea is to use pfsense as the DHCP server, but next to normal DHCP clients there are some static ones also. I presume statically configured clients should also just work? I'm planning to set up DHCP & WPAD Squid in the coming days.

                    doktornotor

                    If you are using Squid, you need to exclude the VIP from proxy.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.