DNS Capture with an Exception

  • Greetings,
I am fairly new to pfSense and I am running it in a school environment.  I am using DNS Resolver and a port forward intercept to force all users, regardless of setting, to use my DNS, and we are filtering at the DNS level.  I have the following rule:

    Interface: LAN
    Protocol: TCP/UDP
    Destination: Network INVERTED MATCH
    Destination Port: DNS
    Redirect Target
    Redirect Port: DNS
    Nat Reflection: Disabled

So this works without an issue.  No matter what the user sets their DNS to, I intercept it and pass it through the filter.  I have a few static addressed clients that I do not want filtered.  I want to be able to bypass the above rule and send them on to the Google DNS at  No matter what I try, I cannot get this action to work properly.  If someone could please give me a little guidance on letting statically mapped and defined local machines, i.e. , bypass the above rule and proceed without DNS being intercepted.  Thanks.

  • Create an Alias containing the IPs/Networks you want excluded.

Go to the port forward rule and click "Advanced" next to Source. For Source, check Invert match, select Single host or Alias, and type/set the Alias name.

    Save the rule.

Thanks, I am so used to writing an all-inclusive rule and then writing exception rules above that rule to exclude things… I never thought of an easy solution like that.

I made the changes you mentioned but I still cannot get it to work.  Right now it is bypassing all clients instead of just the alias.  I can basically get it to filter all or bypass all.  Perhaps I misunderstood something.  Here is my rule as it sits now:
    Interface: LAN
    Protocol: TCP/UDP
    Source: INVERT MATCH - Alias - bypassfilter
    Source Port: DNS

    Destination: INVERT MATCH - Network -
    Destination Port: DNS
    Redirect Target:
    Redirect Port: DNS
    Nat Reflection: Use System Default

  • The source port has to be "any", only dest port is "DNS".

  • @viragomann:

    The source port has to be "any", only dest port is "DNS".

This. Applications' source ports are usually random ports, and they are in the case of DNS.

    Sorry I didn't mention that.
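The rule discussed in this thread, written out as the pf ruleset pfSense generates from the port forward (approximately), as an added example that is not from any of the posters. It shows the inverted source alias from the second post next to the source port mistake from the third, with the corrected rule last. The interface name em0, the LAN subnet 192.168.1.0/24, the resolver address 192.168.1.1 and the alias members are assumptions for illustration; none of them appear in the thread.

```conf
# Added example: pf.conf equivalent of the DNS intercept port forward.
# em0, 192.168.1.0/24, 192.168.1.1 and the table members are assumed.

# Alias "bypassfilter": the statically addressed hosts that may talk
# to an outside resolver without being intercepted.
table <bypassfilter> { 192.168.1.10 192.168.1.11 }

# Wrong (source port set to DNS, as in the rule posted above):
# clients send queries from an ephemeral source port, never from 53,
# so this rule never matches and every client bypasses the redirect.
#rdr on em0 inet proto { tcp udp } from ! <bypassfilter> port 53 \
#    to ! 192.168.1.0/24 port 53 -> 192.168.1.1 port 53

# Correct: source port any, only the destination port is 53.
# Queries from hosts NOT in the alias, to any resolver outside the LAN,
# are redirected to the local resolver. Hosts in the alias fail the
# negated source match and pass through to whatever DNS they set.
rdr on em0 inet proto { tcp udp } from ! <bypassfilter> \
    to ! 192.168.1.0/24 port 53 -> 192.168.1.1 port 53
```

On the pfSense shell, `pfctl -sn` lists the rdr rules the GUI actually loaded, which is the quickest way to confirm the negated source table and the missing source port are present; `pfctl -nf /tmp/rules.debug` parses the generated ruleset without loading it. Two caveats worth keeping in mind with this design: the redirect only catches plain DNS on port 53, so a client configured for DNS over HTTPS (443) or DNS over TLS (853) is not intercepted by this rule; and the exception is keyed on the source IP, so a bypass host that is only statically mapped in DHCP, not on a switch port, is trusted on the strength of an address a user could assign themselves.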
