Which Interfaces Should I Apply Rules To And Watch?


  • I have a question about which interfaces to apply the pfBlockerNG rules to so that items I want blocked are not allowed to go out to the internet. My network consists of the following:

    a.) LAN - that routes traffic out of my WAN to my ISP and then out to the internet.

    b.) OpenVPN Gateway Group - that routes traffic out the WAN through 3 vpn tunnels to a VPN provider then out to the internet.

    c.) Multiple VLANs - that have firewall rules to policy route traffic either out through the LAN or the OpenVPN Gateway Group.

    Am I correct in my assumption that any pfBlockerNG rules set on the LAN or OpenVPN firewalls would also be applied to any packets if they were coming from the VLANs? If this is correct then there wouldn't really need to be any pfBlockerNG rules on the VLANs unless there was a need to apply a more restrictive rule to a specific VLAN?

    I know that the above only applies to IP blocking, as DNS blocking is done by Unbound and not the firewall. But I'm also wondering about which interfaces to watch in Unbound. The LAN and VLANs have port forwards to direct all DNS requests to the IP address of pfSense, which on the LAN is 192.168.163.1. Unbound is set up to route those DNS requests out through the OpenVPN Gateway Group.

    Currently in General DNS Resolver Settings I have the following selected:
    Network Interfaces: All
    Outgoing Network Interfaces: I have selected the 3 OpenVPN connections to my VPN provider.

    Can someone confirm that the interfaces checked above would be the correct way to have Unbound set up?

    Thanks in advance for your help.