Netgate Discussion Forum

    DNSBL only working on DMZ NIC?

    pfBlockerNG

    • TAC57

      I have pfBlockerNG-devel running on my pfsense 2.4.4-p3 box and everything is working great on my DMZ interface but nothing is getting blocked on my LAN interface. The reports show all kinds of activity on DMZ and nothing on LAN. I'm thinking I just overlooked some setting. :-/

      If I 'ping analytics.yahoo.com' from my DMZ network the response comes from the DNSBL webserver virtual IP address (10.10.10.1), if I ping from the LAN it doesn't.

      I did disable Squid from the Squid proxy server general settings. Are pfBlockerNG and Squid incompatible?

      • provels @TAC57

        @TAC57 Did you select the LAN interface in Firewall/pfBlockerNG/IP/IP Interface_Rules Configuration/Outbound Firewall Rules? Ctrl-Click to select LAN and DMZ. Don't know about squid compatibility, sorry.

        Peder

        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        • TAC57 @provels

          @provels Yes, Outbound Firewall Rules has both WAN and DMZ selected and set for Reject. Inbound is set for only WAN, Block.

          Floating Rules is not enabled.

          • provels @TAC57

            @TAC57 Same as me. I don't have a DMZ, but have rules enabled on LAN and OpenVPN out and get the 10.10.10.1 address on ping with both. Sorry.

            • TAC57

              @provels From Services / DHCP Server / LAN I deleted the two DNS servers entries I had (8.8.8.8, 8.8.4.4) to match what was already set under the DMZ interface and now I'm seeing DNSBL alerts on both DMZ and LAN interfaces. But only over WiFi.

              Pinging 302br.net from my CAT5 connected desktop does not receive the reply from 10.10.10.1.

              • Gertjan @TAC57

                @TAC57 said in DNSBL only working on DMZ NIC?:

                Pinging 302br.net from my CAT5 connected desktop does not receive the reply from 10.10.10.1.

                That's one thing.
                Did it resolve?

                Btw: it does resolve to 199.166.0.24, so DNS is working.
                199.166.0.24 replies to ping ....

                [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ping  302br.net
                PING 302br.net (199.166.0.24): 56 data bytes
                64 bytes from 199.166.0.24: icmp_seq=0 ttl=47 time=41.751 ms
                64 bytes from 199.166.0.24: icmp_seq=1 ttl=47 time=41.341 ms
                64 bytes from 199.166.0.24: icmp_seq=2 ttl=47 time=41.151 ms
                64 bytes from 199.166.0.24: icmp_seq=3 ttl=47 time=41.069 ms
                64 bytes from 199.166.0.24: icmp_seq=4 ttl=47 time=40.866 ms
                64 bytes from 199.166.0.24: icmp_seq=5 ttl=47 time=41.162 ms
                ....
                

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • TAC57 @Gertjan

                  @Gertjan I was under the impression 'ping 302br.net' should respond with 10.10.10.1, it does when I ping it from my WiFi connection. I do get 199.166.0.24 if I ping from a direct connect to my LAN.

                  • Gertjan @TAC57

                    @TAC57 said in DNSBL only working on DMZ NIC?:

                    everything is working great on my DMZ interface but nothing is getting blocked on my LAN interface.

                    and then you explain why:

                    @TAC57 said in DNSBL only working on DMZ NIC?:

                    Outbound Firewall Rules has both WAN and DMZ selected and set for Reject. Inbound is set for only WAN, Block.
                    Floating Rules is not enabled.

                    No DNSBL firewall rules on LAN == nothing will get blocked on LAN.

                    @TAC57 said in DNSBL only working on DMZ NIC?:

                    I do get 199.166.0.24 if I ping from a direct connect to my LAN.

                    Because traffic isn't parsed by DNSBL rules on your LAN.
                    Because you decided not to place DNSBL rules on LAN.

                    Problem solved? ^^

                    • TAC57

                      @Gertjan Sorry, in my previous post I had a typo. These are my settings Firewall / pfBlockerNG / IP:

                      405d70f7-f41c-45dd-8e6f-e989b891afb6-image.png

                      • Gertjan

                        Aha, ok.

                        And what are your DMZ firewall rules and LAN firewall rules?

                        @TAC57 said in DNSBL only working on DMZ NIC?:

                        Floating Rules is not enabled.

                        Are you sure:

                        49474855-997f-477d-9e8f-06551b5ca974-image.png

                        (another typo ? ;) )

                        Edit: so also list your floating rules.

                        • TAC57 @Gertjan

                          @Gertjan Yes, Floating Rules are enabled. I have been messing with settings during this conversation. :-)

                          Below are my floating rules. I didn't include the others since they only have rules associated with my server. BTW I really appreciate your feedback.

                          314fb591-653b-4164-9189-7c058f329a72-image.png

                          • provels

                            Just throwing this out there, but are you sure the LAN client isn't hard set to use a DNS source other than pfSense?
                            Is DNS in the DHCP server set? You can eliminate it and DHCP will just use pfSense.
                            You could also force all outbound DNS to use pfSense as DNS even if hard set to another DNS with an outbound rule like this:
                            https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

                              • TAC57

                              7b5b7947-5c91-4b34-84ef-037a670f0787-image.png

                              6239db17-333b-41bb-8f23-edab33a27662-image.png

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.