Strict Whitelisting on a satellite connection and only 1GB traffic/month



  • Hi
    I am using a pfsense firewall on a vessel.
    Pfsense is attached to a sat-router which basically allows everything for the pfsense.

    The pfsense rules restrict the internet to only a few websites and services, such as teamviewer, email etc.

    The Win10 clients have simplewall installed and I was shutting them up with that O&O tool. At least I thought I had.
    The monthly included traffic volume in our provider's plan includes only 1GB/month.
    So Windows update is of course blocked on the clients and on the pfsense.
    However DNS is required for Teamviewer and other services.
    I found out that the vessel used up more than 100MB on one day.

    I think the vessel is set up to use DNS forwarder.
    Traffic:
    microsoft.com 44MB
    10.155.124.179 Googlecloud 37MB
    DNS 27MB
    DNS.Windowsupdate 24MB
    DNS.microsoft 24MB
    PFSENSE.org 8MB
    ICMP 7MB
    Unknown 7MB
    Etc… with low consumption

    If I block, for example, on top of the rules list “10.155.124.179 Googlecloud”, will DNS still work if one of Google's DNS servers is used?

    How can I efficiently reduce the traffic? Is caching somehow possible, so the same DNS queries are repeatedly sent over the internet?
    I did not find much about that problem, probably because most admins do not care about a GB of traffic.
    Would be thankful for any hint.



  • 10.0.0.0/8 is private and not usable on the Internet.
    Perhaps your sat ISP is doing some NAT tricks, but you need to find out what 10.155.124.179 really is.
    For pfSense, I suspect it's the version check.
    You can disable this in System > Update settings.
    As for dns, in services, dns resolver
    https://docs.netgate.com/pfsense/en/latest/book/services/dns-resolver-advanced.html
    Look at "Minimum TTL for RRsets and Messages".
    This does exactly what you requested.
    But it could be other things too that cause traffic.
    You need to do some network sniffing for such strict control.



  • Thanks for the quick answer.
    I changed from forwarder to resolver again. (Was having trouble with the resolver back then when I set up the system: DNS not working.)

    I set the minimum to 1 day,
    the maximum to 5 days and changed the storage from 4MB to 250MB.
    Not sure if that makes sense.
    Since we have only few websites I would even put in all important translations manually if necessary.
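    Added here as an illustration of the "Minimum TTL for RRsets and Messages" setting suggested above and the 1-day/5-day values chosen in this reply: a small Python model (not the thread's or pfSense's code; the names, addresses and query pattern are constructed) that counts how many queries actually go upstream over one day, and shows the caveat that a clamped cache keeps serving an old address after the real one changes.

```python
"""Caching resolver that clamps record TTLs to a minimum and maximum, the way
Unbound's "Minimum TTL for RRsets and Messages" setting in the pfSense DNS
Resolver does. Added example, not the thread's or pfSense's code; the
upstream answers and the client query pattern below are constructed."""
from dataclasses import dataclass

@dataclass
class CacheEntry:
    answer: str
    expires_at: int  # simulated clock, in seconds

class ClampingResolver:
    def __init__(self, upstream, min_ttl=0, max_ttl=86400):
        self.upstream = upstream  # callable: name -> (answer, ttl_seconds)
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.cache = {}
        self.upstream_queries = 0  # every one of these is satellite traffic

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry is not None and entry.expires_at > now:
            return entry.answer  # served from cache, nothing sent upstream
        answer, ttl = self.upstream(name)
        self.upstream_queries += 1
        ttl = min(max(ttl, self.min_ttl), self.max_ttl)  # clamp like cache-min-ttl / cache-max-ttl
        self.cache[name] = CacheEntry(answer, now + ttl)
        return answer

# Constructed upstream zone with the short TTLs many hosted services publish.
ZONE = {"teamviewer.example": ("203.0.113.10", 60),
        "mail.example": ("198.51.100.5", 300)}

def simulate_day(min_ttl, interval=60, day=86400):
    """Clients re-ask both names every `interval` seconds for one day.
    Returns (upstream queries sent, last answer for teamviewer.example).
    Half-way through the day the upstream changes the TeamViewer address,
    which a clamped cache will not notice until its long TTL expires."""
    state = dict(ZONE)
    resolver = ClampingResolver(lambda n: state[n], min_ttl=min_ttl, max_ttl=5 * 86400)
    last = None
    for now in range(0, day, interval):
        if now == day // 2:
            state["teamviewer.example"] = ("203.0.113.99", 60)
        for name in ZONE:
            answer = resolver.resolve(name, now)
            if name == "teamviewer.example":
                last = answer
    return resolver.upstream_queries, last
```

    With no minimum the model sends 1728 queries upstream in a day and picks up the address change; with a 1-day minimum it sends 2, but keeps answering the old address for the rest of the day.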



  • I found out that simplewall was deactivated, too...



  • One day after changing to DNS Resolver, DNS is not working anymore, including hostnames of the pfsense or the Sat-Router hostnames.

    Any suggestions where I can check? Right now I can only send config files via mail or guide the captain via satphone ;(



  • You should really check if the resolver is actually able to resolve :)
    There are two ways for a resolver to work.
    One is by querying the DNS root servers and following the tree with recursion, and the
    second would be to use forwarding, meaning all requests go to a designated DNS server which handles everything.
    In a highly managed scenario such as sat access, the latter should be the only option.
    Please check

    DNS Query Forwarding
    Enable Forwarding Mode If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

    in dns resolver settings

    And you really need a test environment for this.
    It's very easy to lock yourself out while "optimising" things.
    And in the middle of the ocean there aren't many alternatives either.

