lan rule block not working have tested today



  • Hello Team

    Please suggest (pfsense version 2.4.4_1)
    have attached snap for same.fw-lan.png


  • LAYER 8 Netgate

    You have not asked a question or given a specific description of what is not working.



  • Have already mentioned that lan rule setup is not working in subject title.

    Please suggest.

    thank you.



  • Hello team

    anyone have idea that have block few website but it still accessible in local network. have attached snap in previous post..

    please suggest......


  • LAYER 8 Global Moderator

    So you want to block youtube with alias? What is in your alias? You understand that youtube is hosted off 1000's of IPs right.. its a off a CDN.. not just some single IP.. They will be changing constantly..

    What is above those rules?

    Did the client already go there - there would be a state, etc..

    To be honest if your wanting to block domains like msn and youtube - all CDN hosted, your going to have better luck blocking with a proxy vs firewall. Which would be url based, and not ip based.

    Aliases are only looked up every 5 minutes... And with the way a CDN can return different IP, alias gets loaded with IP say 1.2.3.4 for site A, but then when client asks for it maybe it gets returned 4.5.6.7 which is not blocked. The can for sure be more problematic when the client uses a different dns other than pfsense as well.



  • @johnpoz

    can you please guide me how can i block with firewall in local network.

    please,,,,


  • LAYER 8 Global Moderator

    As I just stated your going to have a very hard time trying to do it that way.. Use proxy!

    But if trying to do it with firewall rules.. You need to make sure your client is using pfsense for dns.. And also that client is not using proxy outside of pfsense that would access those sites, since the proxy IP would not be blocked, etc. etc.

    And since those ttls are for such sites are going to be very low as well - you prob want to up the min ttl RR in unbound to be higher, so that unbound doesn't go keep asking for IP and maybe get a different one then when filterdns asked for it and populated the alias table.

    Also for youtube for example you could hit almost any .tld with youtube and get a different IP.. Don't forget the short fqdn like youtu.be did you put those in your alias?

    Also just went over this in another thread... When you start blocking large swaths of IPs that are hosted of CDNs - you now might be blocking other sites hosted there that you want to allow..

    If you don't want to use a proxy, you prob have better luck blocking it via dns.. Ie don't allow those domains to even be looked up.. You could do that with say pfblocker, or just simple host overrides in unbound, etc.

    Keep in mind that site like youtube is more than just youtube.com



  • @johnpoz

    Ok thank you.

    do you have any snap for configure proxy...


  • LAYER 8 Global Moderator

    Like a picture ;) Dude I think your in for a bumpy ride - suggest you start in the cache/proxy section.. But its going to be a bit more a learning curve than a few clicks of a button..

    You prob be better off going the blocking with dns route to be honest..



  • @johnpoz

    is there way to get off bumpy ride?


  • LAYER 8 Global Moderator

    Yeah do some research on how proxy works in general, then do some research how squid is setup in pfsense. Then implement that how you want to.. Its not something that you get from a "snap" ;)

    You prob have a less bumpy right just forcing all your clients to use pfsense as dns - and then making sure that pfsense does not resolve domain.tld.. This can be done via host overrides, domain overrides sent to nowhere. Or a package like pfblocker that allows you to blacklist stuff.

    Proxy would allow you more control where you could allow say url domain.tld/work - but block say domain.tld/game... But this gets more complicated with https, as you can only use domain.tld and not any paths in the url for filtering. And the proxy would for sure have to be explicit and not transparent, etc. etc.

    To be honest trying to filter content is always going to be a wack-a-mole game that users find ways around.. It normally works fine when your just blocking them from stuff they don't really want to get to... Say bad malware sites and the such, or ad domains, etc. But when you try and block them getting to where they actually want to go - they will find ways around your blocks.. Can pretty much promise you that ;)


Log in to reply