Netgate Discussion Forum

Rule created after reload

pfBlockerNG
8 Posts, 4 Posters, 2.6k Views
    wowbagger, Feb 5, 2017, 3:09 AM

    Hi All,

    pfBlockerNG is doing a great job and the problem I'm having is without a doubt some misconfiguration on my part.
    Each time pfBlockerNG reloads the DNSBL feeds it auto creates:

    | Interface | Proto | Source | Src port | Destination | Dst port | NAT IP | NAT port | Description |
    |---|---|---|---|---|---|---|---|---|
    | LAN | TCP | * | * | 10.10.10.1 | 80 (HTTP) | 127.0.0.1 | 8081 | pfB DNSBL - DO NOT EDIT |
    | LAN | TCP | * | * | 10.10.10.1 | 443 (HTTPS) | 127.0.0.1 | 8443 | pfB DNSBL - DO NOT EDIT |

    After the reload / auto-rule, the VIP 10.10.10.1 is no longer accessible and timeout hell opens up.
    I found that manually changing the rules resolves my problem:

    | Interface | Proto | Source | Src port | Destination | Dst port | NAT IP | NAT port | Description |
    |---|---|---|---|---|---|---|---|---|
    | LAN | TCP | * | * | 10.10.10.1 | 80 (HTTP) | 10.10.10.1 | 8081 | pfB DNSBL - DO NOT EDIT |
    | LAN | TCP | * | * | 10.10.10.1 | 443 (HTTPS) | 10.10.10.1 | 8443 | pfB DNSBL - DO NOT EDIT |

    Where should I start looking or even better: what am I doing wrong?

    Thanks!
    Wowbagger

      RonpfS, Feb 5, 2017, 3:24 AM (last edited Feb 5, 2017, 3:35 AM)

      Those are the NAT rules created to forward HTTP/S requests to the pfBlockerNG DNSBL web server.

      In the DNSBL / DNSBL Configuration tab, did you enable the DNSBL Firewall Rule?
      If so, look on the Firewall / Rules / Floating tab to see if the rule is created and where it is placed:

      | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
      |---|---|---|---|---|---|---|---|---|
      | IPv4 * | * | * | 10.10.10.1 | * | * | none | | pfB_DNSBL_Permit |

      Can you ping 10.10.10.1 ?
      When you open http://10.10.10.1, do you get a 1x1 GIF ?

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        wowbagger, Feb 5, 2017, 12:46 PM

        Thanks for your reply!

        > In the DNSBL / DNSBL Configuration tab, did you enable the DNSBL Firewall Rule?

        Yes, it's checked.

        > If so, look on the Firewall / Rules / Floating tab to see if the rule is created and where it is placed:

        I deleted it and the update re-created it. It sits at the bottom of the Rules / Floating table:

        
        IPv4+6 TCP/UDP	WAN net	*	       *        3000 (HBCI)	*	none	 	Disable pftopng	    
        IPv4+6 TCP/UDP	WAN net	*	WAN address	9443	        *	none	 	Disable pfsense gui 
        IPv4        *       *	*	10.10.10.1	*	        *	none	 	pfB_DNSBL_Allow_access_to_VIP	    
        
        

        > Can you ping 10.10.10.1 ?
        > When you open http://10.10.10.1, do you get a 1x1 GIF ?

        Yes. Without manually changing the rule I can ping 10.10.10.1 and get http/s on 10.10.10.1:8081/8443 from a LAN client.
        Doing an nslookup for a blocked domain on a LAN client correctly returns 10.10.10.1, and netstat -an on pfSense shows it's listening on *:8081 and *:8443. Browsing to a blocked domain on a LAN client just throws a timeout; DNSBL logs nothing.

        Changing the automatically created port forwarding rules to 10.10.10.1 instead of 127.0.0.1 makes it work again.
        Driving me nuts!

        Gr,
        W

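A consistency check for the situation described in this post, added here as an example (not code from the thread or from pfBlockerNG): it parses the auto-created rdr rules and the listening sockets the poster compared (netstat showing *:8081 and *:8443) and reports, per DNSBL redirect, whether a listener covers the NAT target and whether that target is loopback rather than the VIP. The `pfctl -sn` and `netstat -an` samples are constructed, not captured from the poster's box.

```python
import re

# Constructed sample of `pfctl -sn` output (not captured from the poster's box):
# the two auto-created pfB DNSBL port forwards plus one unrelated rdr rule.
PFCTL_SN = """\
rdr on em1 inet proto tcp from any to 10.10.10.1 port = 80 -> 127.0.0.1 port 8081
rdr on em1 inet proto tcp from any to 10.10.10.1 port = 443 -> 127.0.0.1 port 8443
rdr on em1 inet proto udp from any to any port = 53 -> 10.10.10.254 port 53
"""
# Constructed sample of FreeBSD `netstat -an`; only TCP rows in LISTEN state are used.
NETSTAT_AN = """\
tcp4       0      0 *.8081                 *.*                    LISTEN
tcp4       0      0 *.8443                 *.*                    LISTEN
"""
# The destination port may be printed numeric or as a service name (http), so it stays a string.
RDR_RE = re.compile(r"rdr on (\S+) inet proto (\w+) from \S+ to (\S+) port = (\S+) -> (\S+) port (\d+)")
LISTEN_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN$")

def parse_rdr(text):
    """One dict per rdr rule: interface, proto, destination, dest port, NAT target."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            iface, proto, dst, dport, nat_ip, nat_port = m.groups()
            rules.append(dict(iface=iface, proto=proto, dst=dst, dport=dport,
                              nat_ip=nat_ip, nat_port=int(nat_port)))
    return rules

def parse_listeners(text):
    """Set of (local address, port) for every TCP socket in LISTEN state."""
    listeners = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port = m.group(1).rsplit(".", 1)  # FreeBSD prints addr.port
            listeners.add((addr, int(port)))
    return listeners

def check_dnsbl_forwards(rules, listeners, dnsbl_ports=(8081, 8443)):
    """Per DNSBL rdr: (dst, dport, nat_ip, nat_port, listener_present, target_is_loopback)."""
    report = []
    for r in rules:
        if r["proto"] != "tcp" or r["nat_port"] not in dnsbl_ports:
            continue
        # A wildcard '*' bind covers any target; a loopback target is what the poster's workaround replaced.
        present = ("*", r["nat_port"]) in listeners or (r["nat_ip"], r["nat_port"]) in listeners
        report.append((r["dst"], r["dport"], r["nat_ip"], r["nat_port"],
                       present, r["nat_ip"].startswith("127.")))
    return report
```

Run it against real `pfctl -sn` and `netstat -an` output to see at a glance whether the failing path is a missing listener (listener_present False) or, as in this thread, a redirect aimed at 127.0.0.1 while the listener and the working rule both sit on the VIP.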
          BBcan177 (Moderator), Feb 5, 2017, 6:23 PM

          Do you use limiters? Or have any other NAT/Firewall rules that might be interfering?

          Also ensure that the LAN devices have the pfSense Resolver as their only DNS server option…

          If you're on a multi-segmented LAN, make sure the DNSBL permit rule has all the subnets listed...

          Is this from all LAN devices? What browser?

          Since it's pinging the DNSBL VIP, and the browse to the DNSBL VIP seems to report the 1x1, then it all seems to be working as expected...

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            wowbagger, Feb 5, 2017, 7:07 PM

            Thanks for the help!

            No limiters, I attached the rules that are active.
            The LAN device is a Windows 2012 with a static IP on the LAN segment, default gateway & DNS is pfsense.
            It's a single subnet. Haven't tried setting up a secondary LAN client yet. Behaviour is the same in Chrome, IExplorer, Firefox.

            I followed a guide on forcing all LAN client DNS lookups to pfSense. The blocking rule is only permitting .be IPs, that's about it.
            As you see it's redirecting to 127.0.0.1; the LAN client can do nslookups but no browsing.
            I checked the proxy settings etc. but can't find the cause of it.

            As a workaround: is it possible to change a config file so it sets 10.10.10.1 in the NAT after an update?

            ![Screen Shot 2017-02-05 at 8.00.04 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.04 pm.png)
            ![Screen Shot 2017-02-05 at 8.00.13 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.13 pm.png)
            ![Screen Shot 2017-02-05 at 8.00.23 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.23 pm.png)
            ![Screen Shot 2017-02-05 at 8.00.42 pm.png](/public/imported_attachments/1/Screen Shot 2017-02-05 at 8.00.42 pm.png)

              RonpfS, Feb 5, 2017, 8:16 PM (last edited Feb 6, 2017, 4:08 AM)

              Why do you have LAN FW rules "Redirect Blocked to 1x1Gif"? They're not needed.

              On WAN FW pfB_DNSBLIP, you don't Reject, as this will send a response back to the attacker; you Block access so the attacker receives no response and times out.

              As for redirecting LAN devices' DNS requests, did you configure the DHCP server to provide DNS resolution to clients, or WPAD, instead of redirecting all DNS requests?

              2.4.5-RELEASE-p1 (amd64)
              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                wowbagger, Feb 6, 2017, 8:58 AM

                Thanks for your reply! Always great to learn!

                > Why do you have LAN FW rules "Redirect Blocked to 1x1Gif"? They're not needed.

                I believe I followed a non-pfSense blog that mentioned them, but they are not really needed when thinking about it.

                > On WAN FW pfB_DNSBLIP, you don't Reject, as this will send a response back to the attacker; you Block access so the attacker receives no response and times out.

                Thanks for pointing that out ;)

                > As for redirecting LAN devices' DNS requests, did you configure the DHCP server to provide DNS resolution to clients, or WPAD, instead of redirecting all DNS requests?

                I disabled the pfSense LAN DHCP server. The pfSense LAN side is connected to an existing LAN switch with another DHCP server, so for the moment I am using a LAN client that's set up statically. The idea is to use pfSense as the DHCP server, but next to normal DHCP clients there are some static ones also. I presume statically configured clients should also just work? I'm planning to set up DHCP & WPAD/Squid in the coming days.

                  doktornotor (Banned), Feb 6, 2017, 9:37 AM

                  If you are using Squid, you need to exclude the VIP from proxy.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.