Netgate Discussion Forum
    DNS Capture with an Exception

    6 Posts 3 Posters 558 Views

    jwarmuth:

      Greetings,
      I am fairly new to pfSense and I am running it in a school environment. I am using DNS Resolver and a port forward intercept to force all users, regardless of setting, to use my DNS, and we are filtering at the DNS level. I have the following rule:

      Interface: LAN
      Protocol: TCP/UDP
      Destination: Network 192.168.1.1/24 INVERTED MATCH
      Destination Port: DNS
      Redirect Target 127.0.0.1
      Redirect Port: DNS
      Nat Reflection: Disabled

      So this works without an issue. No matter what the user sets their DNS to, I intercept it and pass it through the filter. I have a few static-addressed clients that I do not want filtered. I want to be able to bypass the above rule and send them on to the Google DNS at 8.8.8.8. No matter what I try I can get this action to work properly. If someone could please give me a little guidance on letting statically mapped and defined local machines, i.e. 192.168.1.250, bypass the above rule and proceed without DNS being intercepted. Thanks.

      Napsterbater:

        Create an Alias containing the IPs/Networks you want excluded.

        Click "Advanced" next to Source. For Source, check "Invert match", select "Single host or Alias", and type/set the Alias name.

        Save the rule.

        jwarmuth:

          Thanks, I am so used to writing an all-inclusive rule and then writing exception rules above that rule to exclude things… I never thought of an easy solution like that.

          jwarmuth:

            I made the changes you mentioned but I still cannot get it to work. Right now it is bypassing all clients instead of just the alias. I can basically get it to filter all or bypass all. Perhaps I misunderstood something. Here is my rule as it sits now:
            Interface: LAN
            Protocol: TCP/UDP
            Source: INVERT MATCH - Alias - bypassfilter
            Source Port: DNS

            Destination: INVERT MATCH - Network - 192.168.1.1/24
            Destination Port: DNS
            Redirect Target: 127.0.0.1
            Redirect Port: DNS
            Nat Reflection: Use System Default

            viragomann:

              The source port has to be "any", only dest port is "DNS".

              Napsterbater:

                @viragomann:

                The source port has to be "any", only dest port is "DNS".

                This. Applications' source ports are usually random ports, and they are in the case of DNS.

                Sorry I didn't mention that.

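To make the thread's two outcomes concrete, here is an added model (not pfSense code, not from any poster) of how the port-forward rule above evaluates a DNS query: it shows that "Source Port: DNS" matches no real client query, so nothing is intercepted, while "Source Port: any" with the inverted source alias intercepts everyone except the alias members. The alias name `bypassfilter` and the client addresses are the thread's, the packet layout is a constructed assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's LAN port-forward rule; not pfSense's own code.
LAN_NET = ip_network("192.168.1.0/24")        # the thread's "192.168.1.1/24" network
BYPASS_ALIAS = {ip_address("192.168.1.250")}  # members of the alias "bypassfilter"
DNS_PORT = 53                                 # only plain DNS on 53 is caught; DoT/DoH are not


def rule_matches(pkt, src_port_rule):
    """Return True when the intercept rule redirects this query.

    pkt: dict with proto, src, sport, dst, dport (constructed packet summary).
    src_port_rule: 53 for 'Source Port: DNS', None for 'Source Port: any'.
    """
    if pkt["proto"] not in ("tcp", "udp"):
        return False
    if pkt["dport"] != DNS_PORT:              # Destination Port: DNS
        return False
    if ip_address(pkt["dst"]) in LAN_NET:     # Destination: INVERT MATCH - LAN network
        return False                          # (queries already aimed at the resolver pass)
    if ip_address(pkt["src"]) in BYPASS_ALIAS:  # Source: INVERT MATCH - alias
        return False                          # (alias members bypass the intercept)
    # Clients send from an ephemeral port, never from 53, so a 'DNS' source
    # port requirement can never be met and the rule silently matches nothing.
    if src_port_rule is not None and pkt["sport"] != src_port_rule:
        return False
    return True


def redirect(pkt, src_port_rule=None):
    """Where the query really goes: the local resolver or its original destination."""
    if rule_matches(pkt, src_port_rule):
        return ("127.0.0.1", DNS_PORT)
    return (pkt["dst"], pkt["dport"])


# Constructed sample queries: a filtered student host and a bypass host, both to 8.8.8.8.
STUDENT = {"proto": "udp", "src": "192.168.1.20", "sport": 51234, "dst": "8.8.8.8", "dport": 53}
BYPASS = {"proto": "udp", "src": "192.168.1.250", "sport": 40021, "dst": "8.8.8.8", "dport": 53}

if __name__ == "__main__":
    for label, rule in (("Source Port: DNS", 53), ("Source Port: any", None)):
        print(f"{label}: student -> {redirect(STUDENT, rule)}, bypass -> {redirect(BYPASS, rule)}")
```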
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.