Netgate Discussion Forum
DNS Capture with an Exception

Category: NAT

jwarmuth:

Greetings,
I am fairly new to pfSense and I am running it in a school environment. I am using the DNS Resolver and a port forward intercept to force all users, regardless of their settings, to use my DNS, and we are filtering at the DNS level. I have the following rule:

Interface: LAN
Protocol: TCP/UDP
Destination: Network 192.168.1.1/24 INVERTED MATCH
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
NAT Reflection: Disabled

So this works without an issue. No matter what the user sets their DNS to, I intercept it and pass it through the filter. I have a few statically addressed clients that I do not want filtered. I want to be able to bypass the above rule and send them on to the Google DNS at 8.8.8.8. No matter what I try, I cannot get this to work properly. If someone could please give me a little guidance on letting statically mapped and defined local machines, i.e. 192.168.1.250, bypass the above rule and proceed without DNS being intercepted. Thanks.

Napsterbater:

Create an Alias containing the IPs/Networks you want excluded.

Click "Advanced" next to Source. For Source, check "Invert match", select "Single host or Alias", and type/set the Alias name.

Save the rule.

jwarmuth:

Thanks, I am so used to writing an all-inclusive rule and then writing exception rules above that rule to exclude things... I never thought of an easy solution like that.

jwarmuth:

I made the changes you mentioned but I still cannot get it to work. Right now it is bypassing all clients instead of just the alias. I can basically get it to filter all or bypass all. Perhaps I misunderstood something. Here is my rule as it sits now:

Interface: LAN
Protocol: TCP/UDP
Source: INVERT MATCH - Alias - bypassfilter
Source Port: DNS
Destination: INVERT MATCH - Network - 192.168.1.1/24
Destination Port: DNS
Redirect Target: 127.0.0.1
Redirect Port: DNS
NAT Reflection: Use System Default

viragomann:

              The source port has to be "any", only dest port is "DNS".

Napsterbater:

@viragomann:

    The source port has to be "any", only dest port is "DNS".

This. Applications' source ports are usually random ports, and they are in the case of DNS.

Sorry I didn't mention that.

                1 Reply Last reply Reply Quote 0
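Editor's addition, not part of any post in the thread: the two versions of the port forward written out in pf.conf syntax, the way pfSense loads them, so the one-field difference between the broken rule (source port DNS) and the working rule (source port any) is visible. pfSense writes the alias as a pf table; the interface name em0 and the table member 192.168.1.250 are assumptions, and the destination 192.168.1.1/24 from the posts is written as 192.168.1.0/24, which is the network that prefix denotes. Only one of the two rdr lines belongs in a real configuration.

```pf
# Added example (not from the thread). Assumes LAN is em0 and the alias
# "bypassfilter" holds the hosts that must not be intercepted.
table <bypassfilter> { 192.168.1.250 }

# As posted (source port DNS): clients send queries from ephemeral source
# ports, so "from ... port 53" never matches and nothing is redirected.
# Every client then reaches the DNS it configured, i.e. "bypass all".
rdr on em0 inet proto { tcp udp } from ! <bypassfilter> port 53 \
    to ! 192.168.1.0/24 port 53 -> 127.0.0.1 port 53

# Corrected (source port any): every port-53 query from a host that is not
# in the alias, to any destination outside the LAN, goes to the Resolver.
rdr on em0 inet proto { tcp udp } from ! <bypassfilter> \
    to ! 192.168.1.0/24 port 53 -> 127.0.0.1 port 53

# pfSense creates the associated filter rule for a port forward itself; in a
# hand-written pf.conf it is needed, because rdr only rewrites the packet.
pass in quick on em0 inet proto { tcp udp } from ! <bypassfilter> \
    to 127.0.0.1 port 53
```

To check the loaded rule on the firewall, run `pfctl -sn` and confirm the rdr line for port 53 carries no source port. To check behaviour, run `dig @8.8.8.8 example.com` on a host in the alias and on a host outside it: the excluded host gets its answer from 8.8.8.8, while on any other host the same command still "works" but the answer comes from the Resolver, so a name the filter blocks resolves differently on the two hosts. Two caveats: the rule does not send the excluded hosts to 8.8.8.8, it only stops intercepting them, so their own DNS setting decides where queries go; and only plain port-53 DNS is captured, so a client using DNS over TLS (853) or DNS over HTTPS (443) is not redirected by this rule.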