Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Difference between ????

    Scheduled Pinned Locked Moved General pfSense Questions
    12 Posts 3 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • X
      xlameee
      last edited by xlameee

      Hello

      What is the difference between LAN_Address and This Firewall and witch one is better when you set rules for DNS with BIND package for example:

      PASS
      LAN
      IPv4
      TCP/UDP

      Source ANY
      Destination "LAN_Address or This Firewall"
      Destination Port 53,853

      Thank you

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Galactic Empire @xlameee
        last edited by

        This Firewall is all addresses in pfSense. https://forum.netgate.com/topic/117527/this-firewall-self-what-does-it-do

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote ๐Ÿ‘ helpful posts!

        X 1 Reply Last reply Reply Quote 1
        • X
          xlameee @SteveITS
          last edited by xlameee

          @teamits witch one is better when set DNS rules for BIND package

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @xlameee
            last edited by

            It depends on what you're trying to do...does the firewall rule need to apply to just LAN or LAN/WAN/etc.?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote ๐Ÿ‘ helpful posts!

            X 1 Reply Last reply Reply Quote 0
            • X
              xlameee @SteveITS
              last edited by xlameee

              @teamits I just want hosts on the LAN to resolve with BIND DNS package on pfsense

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @xlameee
                last edited by

                The "this firewall" would normally be used in a block rule... Say you want to make sure that dmz devices can not talk to firewall on any of its IP, like its wan which is normally public.. When you have an any rule for any for internet..

                The lan address as destination would be fine for dns.. For your lan clients. Not sure why your including 853 there. Do you have bind doing TLS for your own local clients?? This seems pointless to me.. Who would be sniffing traffic on your lan that it would make sense to encrypt your local dns traffic.

                Keep in mind that rules are evaluated top down, first rule to trigger wins, not other rules are evaluated. Would really suggest if you have questions of rules, that you post up the actual rules you have in place on that interface. And any rules you might have on floating.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                X 1 Reply Last reply Reply Quote 1
                • X
                  xlameee @johnpoz
                  last edited by

                  @johnpoz for a floating rule I have only block IPv6 for logging only

                  Sorry this is off the topic, but I am currently in a loop thinking how to begin
                  Just question:
                  I have 2 firewalls on 2 different sites connected via site-to-site openvpn
                  both have BIND package installed.
                  they are in the zone
                  site1 - site1.domain.local - primary server
                  site2 - site2.domain.local - Secondary server

                  ---Primary DNS Settings
                  IP Version : IPv4 only
                  Listen on : all of my LAN interfaces without a WAN and loopback
                  ---Primary DNS ACLs
                  I left All default ACLs
                  ---Primary DNS VIEWS
                  View Name : internalview
                  Recursion : YES
                  match-clients : ANY
                  allow-recursion : localnets (I am not sure witch one is best for local DNS only)

                  --- Primary DNS Zones:
                  Question : Should I have domain.local zone at all
                  P.S. Currently I am giving an example with 1 domain only just to understand the basics of BIND and how to set proper rules on pfsense but in fact I am planning to host more then 1 domain

                  I already set the zone

                  Domain zone configuration:
                  Zone Name : site1.domain.local
                  Zone type : Master
                  View : internalview

                  DNSSEC:

                  Left all default

                  --- Master Zone Configuration:

                  P.S Here where my loop begin

                  Name Server: In this simple case site1.domain.local is going to be for all my hosts on all my interfaces on this firewall so I set it to 127.0.0.1 and Base Domain IP to my LAN interface 192.168.5.2

                  but.....

                  If this zone is site2.domain.local witch is on my other site of the VPN how should I setup "Name Server" and "Base Domain IP"

                  OK ...
                  allow-update : because is my primary DNS I set to none
                  allow-query : ANY
                  allow-transfer : ?????? I need to set and ACL for my Secondary DNS server but witch IP should I include into the ACL the LAN IP of site2.domain.local

                  Zone Domain records:

                  I have added a few records just for testing
                  ----Sync Tab on BIND

                  Automatically sync BIND configuration Changes : Sync to configured system backup server
                  Sync Timeout: Default 30 Seconds
                  Zone Master IP : ?????????
                  Remote Server: ????????????

                  Now the rules .....

                  I have no idea how and where to set the rules so the Secondary DNS server can update!!!!
                  Here is what it says:
                  Do not forget to:
                  Create firewall rules to allow zone transfer between master and slave servers.
                  Create ACLs with these slave servers.
                  Include created ACLs on allow-transfer option in zone configuration.

                  ??????????????????????????????????????????????????????????????????

                  Should I add Slave zones on the secondary DNS Server or with this option it will sync automatically and convert them to slave zones

                  On my VM LAB site witch is site3 I have setup a bind witch host only 1 zone and all working fine but I am tired of adding each host on 3 different sites and when I start adding more domains into my network there where I am going to mess up everything I hope you understand how much I need to learn the basics of bind and then I am sure I can take care of more complicated configuration.

                  I understand the basic DNS tree in theory, but actually the configurations are little confusing. Most of the articles I find are not GUI related so many configurations on this package, but I don't think I need most of them for my internal network

                  Thank you

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @xlameee
                    last edited by

                    @xlameee said in Difference between ????:

                    site1.domain.local

                    Sorry I didn't get past .local - you are not actually using that as your tld are you?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    X 2 Replies Last reply Reply Quote 0
                    • X
                      xlameee @johnpoz
                      last edited by

                      @johnpoz No this is not my actual domain just an example

                      1 Reply Last reply Reply Quote 0
                      • X
                        xlameee @johnpoz
                        last edited by

                        @johnpoz anyone

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @xlameee
                          last edited by

                          Horrible example :) if you don't want to give out your tld, then use say .tld ;)

                          So you want your 2 servers to be slave for the zone in the other NS?

                          So you have zone site1.domain.tld on NS1, and you want NS2 to be slave to this.

                          And then for site2.domain.tld on NS2, you want NS1 to slave this?

                          Or you want NS1 to be SOA for both zones and slave them to NS2?

                          Maybe I need more coffee, let me have some and then will reread your post..

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          X 1 Reply Last reply Reply Quote 0
                          • X
                            xlameee @johnpoz
                            last edited by xlameee

                            @johnpoz hello

                            I have 2 pfsense with bind connected via site to site openvpn :)

                            I need my site 1 to be the master and site 2 to be the secondary

                            I need site 1 to have all the zones on site 1 and site 2 as master zones

                            The point is to add hosts only on site 1 witch is the master and those entry to be synced to site 2 so I don't have to enter them on site 2 also to be able to resolve them there as well. Like the build in resolver on pfsense (if I want to resolve host on site witch is actually host on site 2 I have to put entry into the resolver on site 1) Right.

                            :)

                            and ... the rules witch are confusing me

                            What rules should I set so both sites can sync with this function or in any other way

                            bind-xmlrpc-sync.jpg

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.