DDWRT script into Pfsense



  • I am trying to set up the below instructions, which are for DD-WRT, as rules for my pfSense. Can anyone help me out?

    1. Log in to your DD-WRT router and select Setup and then Basic Setup.

    2. Scroll down to Network Address Server Settings (DHCP) and Enable DHCP.

    3. Disable Use DNSMasq for DNS. Scroll down and Click on Apply Settings.

    4. On your DD-WRT control panel, select ADMINISTRATION from the top right section. Then Select Commands from the tabs below.

    5. Paste Followings to the Commands Shell > Commands section.

    iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 23.21.43.50
    iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 54.229.171.243
    iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 23.21.43.50
    iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 54.229.171.243

    iptables -I FORWARD --destination 8.8.8.8 -j REJECT
    iptables -I FORWARD --destination 8.8.4.4 -j REJECT

    iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 108.175.32.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
    iptables -I FORWARD -d 198.45.48.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 185.2.220.0/255.255.252.0 -j REJECT
    iptables -I FORWARD -d 23.246.0.0/255.255.192.0 -j REJECT
    iptables -I FORWARD -d 37.77.184.0/255.255.248.0 -j REJECT


  • LAYER 8 Rebel Alliance

    So you want your Clients only using 23.21.43.50 and 54.229.171.243 and blocking any external DNS?
    You can follow this guide: https://www.netgate.com/docs/pfsense/dns/blocking-dns-queries-to-external-resolvers.html

    -Rico



  • Thank you for that. Getting closer bit by bit. Any idea what all this is doing? It may sound stupid, but I'm following instructions from the DD-WRT forum and trying to apply them to pf

    I get the blocking of Google DNS
    and only allowing certain DNS,
    but what is this achieving? I don't recognise those addresses.

    iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 108.175.32.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
    iptables -I FORWARD -d 198.45.48.0/255.255.240.0 -j REJECT
    iptables -I FORWARD -d 185.2.220.0/255.255.252.0 -j REJECT
    iptables -I FORWARD -d 23.246.0.0/255.255.192.0 -j REJECT
    iptables -I FORWARD -d 37.77.184.0/255.255.248.0 -j REJECT


  • LAYER 8 Rebel Alliance

    You can check these network blocks via ripe.net.
    If you really need them completely blocked or rejected, just put them in an Alias in pfSense and set up another firewall rule.

    -Rico

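The script from the first post and Rico's suggestion to put the network blocks into a pfSense alias both come down to the same translation job, so here is an added example (not code from the thread or from Netgate) that does it mechanically: it parses the DD-WRT iptables lines, converts the dotted-netmask destinations into the CIDR form a pfSense network alias expects, and works out which DNAT target would actually be used. The pfSense menu paths in the comments (Firewall > Aliases, Firewall > NAT > Port Forward) are assumed from the pfSense web interface; the input block is the one quoted above, embedded here as constructed sample input.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed input: the DD-WRT command block quoted in the first post, verbatim.
DDWRT_RULES = """\
iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 23.21.43.50
iptables -I PREROUTING -t nat -p udp --dport 53 -j DNAT --to-destination 54.229.171.243
iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 23.21.43.50
iptables -I PREROUTING -t nat -p tcp --dport 53 -j DNAT --to-destination 54.229.171.243
iptables -I FORWARD --destination 8.8.8.8 -j REJECT
iptables -I FORWARD --destination 8.8.4.4 -j REJECT
iptables -I FORWARD -d 37.77.176.0/255.255.240.0 -j REJECT
iptables -I FORWARD -d 108.175.32.0/255.255.240.0 -j REJECT
iptables -I FORWARD -d 198.38.96.0/255.255.224.0 -j REJECT
iptables -I FORWARD -d 198.45.48.0/255.255.240.0 -j REJECT
iptables -I FORWARD -d 185.2.220.0/255.255.252.0 -j REJECT
iptables -I FORWARD -d 23.246.0.0/255.255.192.0 -j REJECT
iptables -I FORWARD -d 37.77.184.0/255.255.248.0 -j REJECT
"""

DNAT_RE = re.compile(
    r"^iptables\s+-I\s+PREROUTING\s+-t\s+nat\s+-p\s+(udp|tcp)\s+--dport\s+(\d+)"
    r"\s+-j\s+DNAT\s+--to-destination\s+(\S+)$"
)
REJECT_RE = re.compile(
    r"^iptables\s+-I\s+FORWARD\s+(?:-d|--destination)\s+(\S+)\s+-j\s+REJECT$"
)


def to_cidr(dest: str) -> str:
    """Normalise an iptables destination to the addr/prefixlen form a pfSense
    network alias expects. iptables accepts 'addr/dotted-mask' and bare
    addresses; ipaddress handles both and raises ValueError if host bits are
    set, which usually means a typo in the mask."""
    return str(ipaddress.ip_network(dest))


def parse_rules(text: str) -> Dict[str, list]:
    """Split the script into DNAT redirects and REJECT destinations.

    'dnat' is kept in the order netfilter would evaluate it: each 'iptables -I'
    inserts at the TOP of the chain, so the last line of the script ends up
    first. Unrecognised lines are returned, not silently dropped."""
    dnat: List[Tuple[str, int, str]] = []
    reject: List[str] = []
    unknown: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DNAT_RE.match(line)
        if m:
            proto, port, target = m.groups()
            dnat.insert(0, (proto, int(port), target))
            continue
        m = REJECT_RE.match(line)
        if m:
            reject.append(to_cidr(m.group(1)))
            continue
        unknown.append(line)
    return {"dnat": dnat, "reject": reject, "unknown": unknown}


def effective_dns_targets(dnat: List[Tuple[str, int, str]]) -> Dict[Tuple[str, int], str]:
    """The first DNAT that matches a packet wins, so per (proto, port) only the
    top-most rule ever does anything; the rest are dead rules."""
    winners: Dict[Tuple[str, int], str] = {}
    for proto, port, target in dnat:
        winners.setdefault((proto, port), target)
    return winners


def pfsense_plan(text: str) -> dict:
    """Turn the script into the objects to create in the pfSense GUI
    (menu names assumed from the pfSense web interface, not from the thread)."""
    parsed = parse_rules(text)
    winners = effective_dns_targets(parsed["dnat"])
    dead = sorted({t for _, _, t in parsed["dnat"]} - set(winners.values()))
    return {
        # Firewall > Aliases: one alias of type "Network", one entry per line
        "alias_blocked_nets": parsed["reject"],
        # Firewall > NAT > Port Forward: LAN, proto, dst port 53 -> this target
        "dns_forward": winners,
        # DNAT targets the script never reaches (shadowed by a later -I line)
        "dead_dnat_targets": dead,
        "unparsed": parsed["unknown"],
    }


def render_alias(name: str, entries: List[str]) -> str:
    """Text a reader can paste into the alias editor (one network per line)."""
    return f"# alias {name}\n" + "\n".join(entries)


if __name__ == "__main__":
    plan = pfsense_plan(DDWRT_RULES)
    print(render_alias("blocked_nets", plan["alias_blocked_nets"]))
    for (proto, port), target in plan["dns_forward"].items():
        print(f"port forward: {proto}/{port} -> {target}")
    print("shadowed DNAT targets:", plan["dead_dnat_targets"])
```

Two things the output makes visible that the raw script does not: the alias list comes out as nine CIDR networks (the two Google addresses become /32 entries alongside the seven ranges), and because `-I` inserts each rule at the top of the chain, only the last-inserted DNAT per protocol (54.229.171.243) ever matches, so the script as written does not fail over to 23.21.43.50. A pfSense port forward also has a single target, so nothing is lost in translation, but it is worth knowing before expecting redundancy that was never there. As Rico says, the owners of the blocked ranges can be looked up at ripe.net (or any whois service) before deciding whether they belong in the alias.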

  • LAYER 8 Rebel Alliance

    If you need DNS redirecting, e.g. because the DNS servers are hardcoded in some application, also check out https://www.netgate.com/docs/pfsense/dns/redirecting-all-dns-requests-to-pfsense.html

    -Rico