Network Configuration with Snort, VLANs... and pfBlocker?
Are there any specific considerations I need to make when building a pfSense network utilizing pfBlocker?
I have managed to get working:
3 VLANs (work, wife's devices and IoT devices)
Dedicated pfSense GUI interface
Rule configuration (see attached rules for one of my VLANs)
Anybody have any thoughts on troubleshooting? Where is my problem likely to be? I plan to rebuild my network... any pfBlocker considerations?
I am trying to build a secure and private network as best I can.
With VLANs, you need to ensure that all of the LAN segments can:
1) ping the DNSBL VIP address
2) Browse to the DNSBL VIP and get the 1x1 pixel image
Without that basic connectivity, you will get timeouts when browsing.
There is a "Permit Firewall" option in the DNSBL tab that can be used to add a permit rule... You just need to ensure that this permit rule is above the other block rules. You also need to ensure that there are no other NAT rules or limiters that might interfere with the DNSBL VIP port forward addresses...
Thanks BBcan177... I followed your direction and checked the "permit firewall" rule, plus added my own custom rule (see attached screenshot) based on blocks I was seeing in my firewall log. I checked my firewall log and noticed some of my existing rules were blocking the DNSBL functionality.
I think I have it working... based on the DNSBL alerts I am now seeing.
I was hoping I could get some feedback, help and thoughts on best practices for making DNSBL work while keeping my network segregated/secure.
1. Do the alerts in pfBlocker/DNSBL mean ads are being blocked (see screenshot)?
2. Keeping my interfaces segregated is critical for security... does my custom rule expose my networks? Do I even need the floating rule I added in the DNSBL tab, i.e. "Permit firewall"?
3. In my custom rule I put the destination address as 127.0.0.1 (based on what was being blocked in my firewall log)... Sorry, I am not a network guru, but I am seeking to understand what the relationship is between the DNSBL IP (10.10.10.1) and 127.0.0.1.
4. Is it possible to use pfBlocker and the OpenDNS IPs? If so, what should my DNS Resolver (aka Unbound) settings be? What should my settings in "System->General Setup" be? I have added a screenshot with the settings I am not sure about.
5. I use my default LAN (I have a 4-port SG-2440) for web GUI access only (no internet access on this interface) and therefore changed the "DNSBL Listening Interface" to one of my VLANs. Is this OK?
Thanks again for any and all thoughts...
1. The alerts show that Google Ads are being blocked based on EasyList.
2 & 3. What exactly is the purpose of your custom firewall rule? Is something being blocked that needs access? As BBcan has pointed out, there is an option in the DNSBL tab, "permit firewall", that allows the LAN and/or other network segments, e.g. VLANs, access to whatever was specified as the DNSBL VIP. This rule should be moved above other block rules. The 10.10.10.1 address is a virtual IP that DNSBL sends requests to that match your block criteria. 127.0.0.1 is the local host you are currently logged into, sometimes referred to as the loopback when talking about the interface.
4. Yes, you can use pfBlocker in conjunction with OpenDNS. Of course, to use DNSBL you also have to be using the DNS Resolver. To use the OpenDNS name servers, your settings look correct. Make sure you have also selected the forwarding mode option from the DNS Resolver tab. Also, OpenDNS does not support DNSSEC, so those options in the DNS Resolver tab need to be unchecked.
5. The DNSBL listening interface can be on one of the VLAN interfaces. You do not need a firewall rule either. I have five VLANs and have just selected the admin VLAN in my case.
I checked the "permit firewall" option on the DNSBL tab and it added a floating rule for my interfaces. To answer your question: I need the custom rule just below my DNS/port 53 rule and above my "block this firewall" rule in order to get connectivity to the "10.10.10.1 - pixel" page. If not, I can't navigate to the 10.10.10.1 pixel page, I get a block to 127.0.0.1 in my firewall log and I don't get DNSBL alerts.
A) I have strict rules in place... is this custom rule needed for pfBlockerNG based on my rule set?
B) DNSBL appears to be working (incl. some custom lists), but I am trying to understand why the extra rule is needed on each interface/VLAN, and whether this has security implications.
C) I am getting DNSBL alerts in pfBlockerNG, however I am still seeing ads. Are the ads just prevented from calling home? Is DNSBL working?
Note: pretty slick, but I was able to verify OpenDNS is working after enabling the forwarding mode on the DNS Resolver tab (thx!)
Thanks again for the help!
The only firewall rule I need to access the 10.10.10.1 pixel page, is the floating rule that is created by DNSBL. You must have some other setting in place that is requiring you to have an additional rule.
How strictly you have configured DNSBL will determine what ads you see, if any. I still see an occasional ad with DNSBL enabled.
Thanks maverik1 and BBcan...
Any thoughts on how I might troubleshoot my current settings/rule set? Is adding the custom pass rule to 127.0.0.1 a best practice? It seems like I might be missing something more fundamental...
I honestly do not think you need that rule. I am not sure what kind of setup you currently have or what your configuration is. Are you able to provide some information about your current setup? VLAN info, rules, are you running Squid proxy?
My basic setup is as follows:
- The rules for one of my VLANs are posted above; the other VLANs are similar
- My default LAN is used for admin of pfSense only, no internet access
- 3 VLANs: guest, IoT devices and personal, with the parent interface of OPT1 (the OPT1 interface is what my UniFi AP is connected to)
- Default LAN = web GUI access
- OPT2 is for Apple TV
- I have an SG-2440 Netgate/pfSense box and a UniFi AP
- I run Snort on my interfaces
- I am running pfBlocker on my VLANs (deny both)
- Viper VPN on my network
- Unbound DNS resolver utilizing OpenDNS IPs
I have my setup pretty tight with aliases for devices and ports... any suggestions would be appreciated.
Does anybody have any insight into this? If not, I was thinking of starting a new post in the firewalling or general section of the forum, as this likely has something to do with my DNS settings or DNS configuration.
My specific question is: why do I need the custom allow rule to the 127.0.0.1 IP (I modified an "easy rule") to get pfBlocker to work? Is this rule safe and a best practice, or is there a different adjustment I need to make?
PS: I have been using pfBlockerNG with some custom lists and love it!
I can confirm pfBlocker is bugged regarding the allow-access rule.
I have a similar environment (multi-VLAN). When accessing some blocked domain (e.g. http://100pour.com/) I get a browser timeout instead of the 1x1px image.
Action Time Interface Source Destination Protocol
Sep 18 18:34:48 VLAN10 10.10.10.1:80 192.168.10.108:50216 TCP:SA
Firewall log when accessing HTTPS blocked domains:
Action Time Interface Source Destination Protocol
Sep 18 18:39:38 VLAN10 10.10.10.1:443 192.168.10.108:49394 TCP:SA
Auto NAT rules, VLAN10:
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
So, if I manually edit the Auto NAT rules' option "Filter rule association" from None to Pass, IT WORKS! The NAT rules now look like this:
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr pass on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
But after reloading the pfBlocker configuration, it reverts back to the buggy NAT rule. Can you please check this behavior?
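The post above shows the two states of the DNSBL port forwards (`rdr` without and with `pass`) and the blocked SYN/ACK log rows that accompany the broken state. As an added example (editor's code, not pfBlockerNG's and not any poster's), the script below parses pfctl-style `rdr` lines and pfSense firewall-log rows shaped like the ones quoted in the thread, flags DNSBL forwards whose filter-rule association is None, rewrites them to `rdr pass` (the effect of the `'associated-rule-id' => 'pass'` change discussed later), and spells out why a manual substitute rule has to target 127.0.0.1 rather than the VIP. The VIP 10.10.10.1 and the internal ports 8081/8443 are taken from the thread; the pf syntax returned by `filter_rule_for()` is illustrative and is not pfSense's generated ruleset.

```python
"""Audit pfBlockerNG DNSBL VIP port forwards (added example, not project code).

Assumptions: rdr lines look like `pfctl -sn` output and log rows look like the
pfSense firewall-log columns quoted in the thread. VIP and ports are from the
thread; the pf rule text emitted here is illustrative only.
"""
import re
from dataclasses import dataclass

DNSBL_VIP = "10.10.10.1"

RDR_RE = re.compile(
    r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<iface>\S+)\s+inet\s+proto\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<vip>\S+)\s+port\s*=\s*(?P<port>\S+)"
    r"\s+->\s+(?P<rdr_to>\S+)\s+port\s+(?P<rdr_port>\S+)\s*$"
)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str
    proto: str
    src: str
    vip: str
    port: str
    rdr_to: str
    rdr_port: str
    has_pass: bool


def parse_rdr_rules(text):
    """Parse 'rdr' / 'rdr pass' lines; anything else (nat, binat, ...) is skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append(RdrRule(m["iface"], m["proto"], m["src"], m["vip"], m["port"],
                                 m["rdr_to"], m["rdr_port"], m["pass"] is not None))
    return rules


def dnsbl_rdr_without_pass(text, vip=DNSBL_VIP):
    """DNSBL forwards whose 'Filter rule association' is None.

    pf rewrites the destination before filtering, so the filter sees
    127.0.0.1:8081/8443, not the VIP; a pass rule written against the VIP
    never matches the redirected SYN. 'rdr pass' (or a filter rule aimed at
    the translated destination) is what lets the pixel request through.
    """
    return [r for r in parse_rdr_rules(text) if r.vip == vip and not r.has_pass]


def filter_rule_for(rule):
    """Illustrative manual substitute for 'rdr pass': it must name the
    post-translation destination, which is why a working custom rule in the
    thread had 127.0.0.1 as its destination rather than 10.10.10.1."""
    return (f"pass in quick on {rule.iface} inet proto {rule.proto} "
            f"from {rule.src} to {rule.rdr_to} port {rule.rdr_port} keep state")


def add_pass(text, vip=DNSBL_VIP):
    """Rewrite DNSBL rdr rules to 'rdr pass' (what the 'associated-rule-id'
    => 'pass' package change produces); other lines are left untouched."""
    out = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m and m["vip"] == vip and m["pass"] is None:
            line = line.replace("rdr on", "rdr pass on", 1)
        out.append(line)
    return "\n".join(out)


def blocked_dnsbl_replies(log_lines, vip=DNSBL_VIP, ports=("80", "443")):
    """Blocked rows that are the DNSBL web server answering a client
    (SYN/ACK from VIP:80 or VIP:443), the symptom quoted in the thread.
    Returns (interface, client, vip_port) tuples."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if (m and m["proto"] == "TCP" and m["flags"] == "SA"
                and m["src"] == vip and m["sport"] in ports):
            hits.append((m["iface"], m["dst"], m["sport"]))
    return hits


# Constructed sample input: the rules and log rows quoted in the thread,
# plus one unrelated UDP row so the filters have something to ignore.
SAMPLE_RDR = """\
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = http -> 127.0.0.1 port 8081
rdr on em0_vlan10 inet proto tcp from any to 10.10.10.1 port = https -> 127.0.0.1 port 8443
"""
SAMPLE_LOG = [
    "Sep 18 18:34:48 VLAN10 10.10.10.1:80 192.168.10.108:50216 TCP:SA",
    "Sep 18 18:39:38 VLAN10 10.10.10.1:443 192.168.10.108:49394 TCP:SA",
    "Sep 18 18:40:02 VLAN10 192.168.10.55:51000 8.8.8.8:53 UDP",
]

if __name__ == "__main__":
    for r in dnsbl_rdr_without_pass(SAMPLE_RDR):
        print(f"rdr without pass on {r.iface}: {r.vip}:{r.port} -> {r.rdr_to}:{r.rdr_port}")
        print("  substitute filter rule:", filter_rule_for(r))
    print(add_pass(SAMPLE_RDR))
    print("blocked DNSBL replies:", blocked_dnsbl_replies(SAMPLE_LOG))
```

Run it against `pfctl -sn` output and the exported firewall log after a pfBlockerNG "Force Update": if `dnsbl_rdr_without_pass()` returns rules while `blocked_dnsbl_replies()` returns rows, you are looking at the state the thread describes, and either the package-level `pass` association or a filter rule aimed at the translated 127.0.0.1 target is what closes it.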
In the DNSBL tab, there is a "Permit Firewall" rule option.
Enable that and select the VLANs. Force Update.
That will create a Floating Permit rule to allow those VLANs to hit the DNSBL VIP address.
Already done that.
The pfB rule is created first as expected, and it gets matching traffic:
States Protocol Source Port Destination Port Gateway Queue Schedule Description Actions
IPv4 * * * 10.10.10.1 * * none pfB_DNSBL_Allow_access_to_VIP
But as stated before, it does not set the Pass rule on the auto NAT port redirection rules, so it fails. Manually setting Pass in the NAT rules makes it work.
I'm happy to provide any pfctl output if it helps to fix this bug.
I haven't seen anyone else complain about this issue before...
But you can edit the following file:
and change Line #793
From: 'associated-rule-id' => '',
To: 'associated-rule-id' => 'pass',
If others chime in to approve the change, I will make it official in the next release of the package…
Cheers for that, will try it.
Maybe Velcro can confirm if editing NAT port forwarding rules fix it too.
I think my situation is the same; I too saw the same firewall logs. I would be happy to test and see if "...editing NAT port forwarding rules fix it too...". If you don't mind walking me through the specific steps, I will try... I have never adjusted the Port Forward rules in NAT before (I assume you are referencing the "Port Forward" rules that are added for the DNSBL Listening interface in the Firewall→NAT→Port Forward tab?).
BBcan177, I am definitely not complaining... you rock! I am in no position to complain about the work you do and the difference you make with pfBlocker.
I managed to get my VLANs capable of accessing the 10.10.10.1 pixel page by adding a rule onto my VLAN interfaces (see screenshot for example). I created this rule by adding and then modifying an "easy rule" based on what was being blocked in my firewall log.
My rules are fairly restrictive, and I made sure this "custom DNSBL rule" was placed below my "Allow DNS Access" rule and above my "Block access to firewall" rule.
- I tried the "DNSBL Firewall Rule" again and removed my "custom DNSBL rule", but was unable to access the 10.10.10.1 pixel page.
- I no longer use OpenDNS (Using DNS resolver on pfSense)
- Using PIA as my VPN provider (no longer VyperVPN...)
I am still not sure my "custom rule" is the best solution, or whether, as you suggest, modifying a NAT rule is best... definitely willing to test. Thanks for asking...
Navigate through Firewall->NAT and edit both pfB auto rules.
Now you have to change the last option, "Filter rule association", from None to Pass (see first attachment).
When done, you should see something like a Play icon next to each rule (see 2nd attachment).
If that works for you too, I can guide you on how to edit the source to make it permanent as BBcan explained. Otherwise, each time you reload pfBlocker, the rules will revert back to None.
Awesome! Yes, that allowed me to remove my "custom rule" - Thank you!!
vpreatoni, if I could ask for your help to make this permanent, I would really appreciate it.
BBcan177, this corrected my issue... I vote for the change, but are there downsides to changing it for all?
_Note added later: Just restarted my pfSense and it returned to default._
I thought I would jump in and try to change the code; here is what I did:
Diagnostics→Edit File→Browse (I didn't try, but you might just be able to enter the path where it says "Path to file to be edited")
→ follow this path from BBcan: /usr/local/pkg/pfblockerng/pfblockerng.inc
and change Line #793 (enter this line number on the top right of the GUI where it says "Go To Line#")
From: 'associated-rule-id' => '',
To: 'associated-rule-id' => 'pass',
Make sure to hit the "Save" icon.
Survived a reboot and all is working! Thank you both for your help...
My only questions are:
I do not have the "DNSBL Firewall Rule" checked, yet everything appears to be working. The select VLANs that I have pfBlocker running on are showing alerts. Is this just a "tweak" that is needed to get VLANs functioning?
BBcan, you asked: "...If others chime in to approve the change, I will make it official in the next release of the package...". Does allowing a "Pass rule on the auto NAT port redirection rules" create any more exposure on pfSense?
Again, thank you both...
Here is the PR to fix this bug... Thanks!