Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS Forwarder Host Overrides and Domain Overrides

    Scheduled Pinned Locked Moved General pfSense Questions
    26 Posts 2 Posters 2.3k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G Offline
      gus17
      last edited by

      I am new to pfSense and am trying to gather info on the firewall that was setup by a previous IT contractor years ago. Facebook was blocked on our business network years ago and trying to gain access again. The only thing I can find on the firewall was under the host and domain overrides. They are setup for www.facebook.com with an IP address. Can I simply remove the override to regain access to facebook on the network?

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        If that is what is blocking it sure... There would be little reason to put in a host override for facebook other than blocking it.

        What does the IP point to?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • G Offline
          gus17
          last edited by

          The IP does not show on the leases page. We had a static IP address up until about a year ago. It may be pointed to that???

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

            It may be pointed to that???

            if its an override it would have an IP listed.. It has to that is what an override.. On your host override page, what do you see? That you feel an override was put into place?

            Just delete it.. You can can always put it back... If if you can not get to facebook, and you have some override pointing to 1.2.3.4 then yeah that is prob problem..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • G Offline
              gus17
              last edited by

              I'll give that a try. Thanks for the help.

              1 Reply Last reply Reply Quote 0
              • G Offline
                gus17
                last edited by

                The IP address in the host override shows up under NAT port forwarding and rules and uses port 902 and 22???

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  So this IP is public or private? rfc1918 10.x.x.x, 192.168.x.x, 172.16-31.x.x?

                  Is it the dest IP in this port forwarding or or where the port forward is being sent too?

                  Its possible they setup www.facebook.com to point to some internal server to serve up a hey you can't go there sort of page.

                  Pointing it to your public wan IP would just be stupid! ;)

                  902 is port used by vmware, port 22 is ssh..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    gus17
                    last edited by

                    IP is private 192.168.x.x and shows as NAT IP in port forwarding and is the destination port under the rules heading. We were getting a "can't go there page".

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      @gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

                      We were getting a "can't go there page".

                      Well yeah - they are hosting that page on that IP www.facebook.com resolves too..

                      Delete the override if you want to get to facebook.. You can not get to facebook if it resolves to some rfc1918 address.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • G Offline
                        gus17
                        last edited by

                        I appreciate the help.
                        This is not my area of expertise, just trying to keep a small business moving forward.

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ Offline
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          @gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

                          This is not my area of expertise

                          No offense ;) but that was clearly obvious - heheeheh

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • G Offline
                            gus17
                            last edited by

                            I figured it was on this forum.
                            I am learning as I go. I was able to get a RDP access setup!

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              @gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

                              I was able to get a RDP access setup!

                              Through a vpn? I would never in a million years setup RDP from the public internet.. Do you have it locked down to a known source IP?

                              Even MS has came out and finally said its a bad idea.. And there are many security implications with doing it.. They even patched out of support systems because of the major exploit that came out last year.
                              https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

                              The best thing you could do for this company would make sure RDP is not open to the public internet, it that it is accessed in a secure manner - via a vpn, or locked down to specific source IPs of the people that need to access it.

                              And making sure any of their systems are currently patched..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • G Offline
                                gus17
                                last edited by

                                I believe it was setup previously with static IP. It was setup in the NAT and rules for routing. I had to go in and put in a different IPv4 address for the workstation. It was routed through 3391.

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  Static IP on your end has nothing do with it.. Its the source IP!!! Who the user is - you would look it down to their IP..

                                  Trying to hide the port isn't secure either... There really is no secure way to allow users to rdp into some machine on your network other than VPN.. Or locking down the connection to their know source IP..

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • G Offline
                                    gus17
                                    last edited by

                                    I put int the public IP address 24.211.x.x. then : and port number. Port number routes to workstation 192.168.x.x then login password.

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      And that is not their IP... Anyone from the internet could hit that!

                                      For example say I was one of your users.. And I needed to get to this RDP... You would lock the rule down to my IP 64.53.A.B - going to your IP 24.211.x.x only my IP could hit that, if they were coming from 64.53.A.C they wouldn't get forwarded.

                                      You can create a alias that contains all the IPs of your users.. Which works when you know what the user IPs are.. Or they have dynamic IPs setup via ddns.. Where name say john.somedomain.tld gets update if my IP say changed to 64.53.A.Z

                                      The simpler solution where you don't need to know the uses IP is setup a VPN... Where they have to have the credentials to auth to the VPN.. this is cert that you have issued them, and a username and password.. And ONLY once they have authed to the vpn can they even access the remote desktop box... And then they have to auth to that..

                                      With how you have it setup - anyone from anywhere could hit your IP.. And try and access rdp - and once they see oh rdp... They can brute force trying to guess the username/password - or as with that issue I linked to there is some exploit they don't even have to auth..

                                      Remote desktop open to the public internet is very risky!!! I would never suggest anyone do that! Ever!!! Changing your port and trying to hide doesn't really make it any more secure.. The old saying "security through obscurity is not security"

                                      edit: I just looked - look at the hits to your "changed" port 3391

                                      3391.jpg

                                      In the last 24 hours or so.. Those IPs are from all over.. That first one 185.151 is from russia.. that next one is from the netherlands... Trying to hide your port is not security.

                                      I don't have that port forwarded, its just dropped by pfsense (it doing its job).. But my point is showing that there is plenty of bad stuff out there looking for stuff you have open trying to do bad stuff..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • G Offline
                                        gus17
                                        last edited by

                                        I understand. I will have to do some research on the VPN and what it will take.
                                        I keep hearing how expensive setting up VPN's can be.
                                        RDP was pretty easy, but I see the security concerns it can create.
                                        I appreciate the honest assessment.

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz

                                          @gus17 said in DNS Forwarder Host Overrides and Domain Overrides:

                                          I keep hearing how expensive setting up VPN's can be.

                                          Huh? Pfsense is your vpn server, does it out of the box.. All you need to do is set it up.. Clicky clicky ;)

                                          https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html

                                          Here is video netgate put out pretty recent
                                          https://www.youtube.com/watch?v=jQHqPq7ftz4

                                          Depending what exactly your users are doing - you might not even need them to rdp to anything... If they are just accessing say some file shares or whatever.. A vpn lets the user be like they are on the local network - just a bit slower because you constrained be the speed of the sites internet connection, and or the remote users connection..

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • G Offline
                                            gus17
                                            last edited by

                                            Going through OpenVPN setup wizard?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.