Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Advice - Allowing client to bypass pfblocker-ng

    pfBlockerNG
    8
    12
    5988
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wesfox last edited by

      Hi there,
      so I've installed pfblocker-ng and setup my dns rules (see attached) on the firewall and added my lists for DNSBL and all is working perfectly. I lookup a known bad site and it resolves to 10.10.10.1 .. excellent

      However I want to allow my desktop smartphone to bypass pfblocker and I'm having issues getting it to work. I followed Lawrence on youtube and he advise to put a rule at the top of the list to allow an IP to DNS before the block (also in attached pic) but no joy .. I still get sent to 10.10.10.1 on a lookup.

      any help appreciated
      0_1538481945833_rules.PNG

      1 Reply Last reply Reply Quote 0
      • RonpfS
        RonpfS last edited by

        There is one post here

        https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        W 1 Reply Last reply Reply Quote 1
        • W
          wesfox @RonpfS last edited by

          @ronpfs said in Advice - Allowing client to bypass pfblocker-ng:

          There is one post here

          https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips

          That worked :) Thank you very much.

          For newbies like myself.. a little hint .. the custom option is at the end under DNS resolver.

          1 Reply Last reply Reply Quote 0
          • P
            papayo29 last edited by

            Lawrence rule serves to allow host 192.168.10.3 to change its own DNS server setting and use an external one, bypassing internal DNS resolver and then the DNSBL filter. Requests to access an external DNS server from all other hosts are denied by the last firewall rule above.

            However, if host 192.168.10.3 keeps using the internal DNS, its calls to DNS are subjected to the DNSBL filter as all the the other host calls. In this case the solution to bypass this filter is the one proposed above.

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by johnpoz

              The allow rule to pfsense is wrong... It allows access to ANY thing on the lan net on port 53 UDP.. So any client on the lan net could access any dns they want that resides on lan net. That rule should be set to pfsense Lan IP as the destination.

              It should also be both udp and tcp

              Same for the other rules - dns can be both udp and dns... While allowing only udp will prob work for most stuff, if the client needs to switch over to use tcp for a reason, then the dns queries would fail.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

              manjotsc 1 Reply Last reply Reply Quote 1
              • JeGr
                JeGr LAYER 8 Moderator last edited by

                I'd change the allow rules to "LAN net" (or in case of the .10.3 an alias) and the block rule to source any? So you block out unwanted clients, that may have been connected to the network and setup with an alternative IP range?
                And wouldn't "This Firewall" be good instead of "LAN address" in case you upgrade that to a CARP setup?

                Just a thought

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                1 Reply Last reply Reply Quote 0
                • manjotsc
                  manjotsc @johnpoz last edited by

                  @johnpoz Is possible if you can show an exemple, thanks

                  Annotation 2020-01-09 132240.png

                  Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
                  Current: 3100 MHz, Max: 3101 MHz
                  4 CPUs: 1 package(s) x 4 core(s)
                  AES-NI CPU Crypto: Yes (active)
                  QAT Crypto: No

                  NollipfSense 1 Reply Last reply Reply Quote 0
                  • NollipfSense
                    NollipfSense @manjotsc last edited by

                    @manjotsc Here
                    Screen Shot 2020-01-11 at 9.33.27 AM.png

                    pfSense+ 22.01 Lenovo Thinkcentre M93P SFF Quadcore i7 Raid-ZFS 128GB-SSD 32GB-RAM PCI-dual Intel i350 NIC.

                    manjotsc 1 Reply Last reply Reply Quote 0
                    • manjotsc
                      manjotsc @NollipfSense last edited by manjotsc

                      @NollipfSense But there is no usage in states collum of DNS Expection Devices, it's 0/0B it's normal? And also one thing, My LAN Devices are able to use any DNS Server. Regardless of rules.

                      Annotation 2020-01-12 000956.png

                      Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
                      Current: 3100 MHz, Max: 3101 MHz
                      4 CPUs: 1 package(s) x 4 core(s)
                      AES-NI CPU Crypto: Yes (active)
                      QAT Crypto: No

                      1 Reply Last reply Reply Quote 0
                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        @manjotsc said in Advice - Allowing client to bypass pfblocker-ng:

                        My LAN Devices are able to use any DNS Server. Regardless of rules.

                        You understand that in no scenario does lan device talk to pfsense to talk to another device on lan... Unless your using pfsense as a bridge and the device they want to talk to is on the other side of that bridge.

                        I take it those rules are on your lan interface.. If so that rule to lan net destination is pointless.. Other than that would talk to pfsense IP in lan net... But it normally would be written with lan address if that is what you want to allow.

                        Clearly your rules are blocking hits to other dns, see the 328 B of traffic.

                        And your playstation - your letting it do more than dns with that rule.

                        And just not a clue to when you think there would be a dest of 127.0.0.1? Are you doing a port forward somewhere trying to redirect stop it with a rule? To 8443?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                        1 Reply Last reply Reply Quote 2
                        • manjotsc
                          manjotsc last edited by

                          Thanks for recommendations, and about 127.0.01 rule, i dont know why did it.

                          Does it looks good now?

                          Annotation 2020-01-12 134025.png

                          Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
                          Current: 3100 MHz, Max: 3101 MHz
                          4 CPUs: 1 package(s) x 4 core(s)
                          AES-NI CPU Crypto: Yes (active)
                          QAT Crypto: No

                          1 Reply Last reply Reply Quote 0
                          • T
                            tele_01 last edited by

                            Hello All.

                            I would like to ask about the following. I have some IPs bundled in an ALIAS and these IPs should bypass pfBlockerNG. When I unselect these IPs by their dedicated VPN-Interface in "Select Outbound Firewall Interface", these IPs are still get filtered by pfBlocker. Is this the reason for for this because of checking the option for floating rules (Open VPN) in DNSBL firewall rules?

                            Nevertheless, I found wesfox's link for bypassing single IPs. Would this be the right way to bypass pfBlockerNG for some LAN IPs?

                            Thx for your support in advance.

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post