Needing help from the jungles of Papua New Guinea
-
@cobra_phil said in Needing help from the jungles of Papua New Guinea:
I created a bridge between VLAN20 and the WAN port.
You basically turned pfSense into a switch ?.?
Papua forest or not: a design would be nice.
-
I've greatly simplified my testing setup. I've removed the campus DHCP server, the Ubiquiti APs, and the VLAN. All I have connected to the pfSense box is the ISP-provided Ethernet cable which, via their DHCP server, gives out the IP addresses, DNS server, gateway, etc., a Windows client on the LAN port, and my laptop on the OPT2 port.
WAN is configured with IPv4 and IPv6 as none.
LAN is configured with IPv4 and IPv6 as none.
OPT2 (Admin) is configured with static IP 192.168.0.99
All DHCP services disabled.
There is a bridge between WAN and LAN.
pfSense running version 2.5.0-release
pfBlocker running version 3.0.0_15
pfBlocker is set up with default settings. No additional filtering enabled.
Internet on the client works fine until I block DNS on the WAN.
Nslookup times out after 2 seconds. Cannot ping 10.10.10.1.
If I disable the block on WAN DNS, internet works.
If I enable the block on WAN DNS, internet does not work.
The only difference I see between this setup and other videos I have seen is the bridge between WAN and LAN. I am at my wits' end. Thanks for any help.
-
@cobra_phil
When you block outgoing DNS on the WAN, pfSense itself cannot access DNS servers anymore either. There are much better ways to ensure that the internal clients use the local DNS: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
-
@viragomann
Thanks for the suggestion. I tried that setting and the DNS query still went to the ISP-assigned DNS server. It seems like no matter what I try, the query either gets blocked or it goes back to the ISP-assigned DNS server. It seems that since I have a bridge between the LAN and WAN ports, and the clients are assigned IP, gateway, and DNS from the ISP's DHCP server, I am not able to intercept and redirect the DNS queries. I've watched dozens of YouTube videos and for most people, pfBlockerNG seems to just work. I've reloaded and started pfSense/pfBlockerNG from scratch at least 2 dozen times now over the last 4 days without making any progress. Any other suggestions?
-
@cobra_phil said in Needing help from the jungles of Papua New Guinea:
Any other suggestions?
Don't do this:
@cobra_phil said in Needing help from the jungles of Papua New Guinea:
I have a bridge between the LAN and WAN ports
as clients get DHCP info from the ISP, because it bypasses pfSense.
Bypassed for everything.
Also for DNS.
I wonder what your pfSense is actually doing / used for.
-
@cobra_phil
Redirecting the DNS traffic should work anyway.
Possibly Unbound sends its traffic to the ISP's DNS. Or you did something wrong. Since you don't provide your settings, it's hard to say.
You can sniff the packets to see what's going on.
However, it's also not clear what the goal of the WAN-LAN bridge is indeed. If you only want your clients to pull network settings from the ISP you can enable the DHCP relay and configure the clients' network accordingly.
-
I'm not entirely sure what your goals are and this setup seems highly unusual. What is the purpose of the bridge between WAN and LAN? Why would you not have pfSense act as the gateway to your private network and use NAT to translate the individual clients on your network to the ISP? That would be a more plain vanilla setup.
ISP -----> Public IP address (via DHCP) ------> pfSense WAN interface ------> NAT ------->
Private LAN addresses -----> Windows client / wireless AP / laptop(s) / other clients and services.
Can you start at the beginning and state your big picture goal(s)?
-
@mdouglass108
The ISP uses access cards (login and password) for clients to get access to the internet. So, the clients have to get their IP address from the ISP DHCP server. They cannot get it from our router's DHCP server. Each client gets their own ISP-assigned IP address and when their allotted data is used up, they are disconnected. I can get the clients internet access, but I cannot figure out how to intercept the ISP-assigned DNS server to assign our own DNS server for filtering.
-
So your goal is to give each client internet access but be able to control DNS and filter content? Are there any other goals?
The way you have it now with the bridge between WAN and LAN is effectively the same as if you plugged a cable from WAN directly into LAN and completely bypassed your pfSense box. It would also be similar if you plugged all your clients into the same switch and just relied on the ISP to sort out DHCP, DNS, etc.
If I am reading between the lines correctly, the ISP has assigned your organization a group of IP addresses via a DHCP pool of their choosing. When your client "plugs in" either physically or over wifi, they are assigned an IP address and then have to enter some credentials to get internet access. This allows the ISP to verify clients and log usage to enforce data caps.
Are the addresses assigned by the ISP to each client IPv4 or IPv6? Publicly routable addresses (each client visible to the internet at large) or private addresses (behind an ISP gateway that controls access to the internet at large)?
Address ranges reserved for private use are:
10.0.0.0/8 = 10.0.0.0 through 10.255.255.255
172.16.0.0/12 = 172.16.0.0 through 172.31.255.255
192.168.0.0/16 = 192.168.0.0 through 192.168.255.255
How many physical Ethernet ports are on the box you're using to run pfSense?
-
I just realized that some of the answers to my questions were available in some of the screenshots you posted a month ago in your original post. Here is my thinking from the 35,000-foot view...
- Configure pfSense to receive an address from ISP on WAN via their DHCP server
- Create a "management" interface on LAN with a private address range and its own DHCP server. This allows you to plug in a laptop or other host and talk to pfSense, manage firewall rules, DNS, pfBlocker etc. as well as any switches or wireless access points you might have
- Create a bridge interface with WAN & OPT1 where all your clients will connect. This will be a DMZ of sorts where your clients get addresses directly from ISP and can pass credentials, etc. See Internal / External Bridges on this page:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html
- Create a series of firewall rules to intercept and redirect DNS traffic to pfSense.
- Configure Unbound to listen for DNS requests on OPT1. Unbound can then either act as a resolver and serve up the appropriate web addresses or forward those requests to your DNS provider of choice.
- pfBlocker can also be used on pfSense defined interfaces (WAN, LAN, OPT1....) to filter content, IP ranges, etc.
Hope this helps. I'm far (far, far) from an expert but let me know how you want to proceed.
Cheers.
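To make steps 4 and 5 of the design above concrete, and to show why the original poster's WAN block broke name resolution (viragomann's point), here is the DNS-redirect logic written out as pf.conf rules. This is an added illustration, not from the thread, the Netgate recipe or pfSense's generated ruleset; the interface name `igb2`, the macro names and the rule ordering are assumptions, and whether the redirect is honoured for traffic crossing a WAN/OPT1 bridge is exactly what the thread is debating, so the tunables listed are the first thing to check.

```pf
# Added illustration (not pfSense's generated rules): the DNS-redirect recipe
# from docs.netgate.com expressed as pf.conf, so the logic is visible.
opt1_if = "igb2"    # assumed: the bridge member the clients plug into
wan_if  = "igb0"    # assumed

# pf only sees bridged traffic if it filters on the member interfaces.
# pfSense defaults (System > Advanced > System Tunables):
#   net.link.bridge.pfil_member=1   (filter on OPT1/WAN as members)
#   net.link.bridge.pfil_bridge=0   (do not filter on the bridge itself)
# If these were changed, none of the rules below ever match.

# Step 4: transparently hand every client DNS query that is NOT already
# aimed at pfSense to the local Unbound. Clients keep the ISP-assigned
# resolver in their DHCP settings; only the answering party changes.
rdr on $opt1_if proto { tcp udp } from any to ! ($opt1_if) port 53 \
    -> 127.0.0.1 port 53

# pf filters on the translated destination, so the pass rule must match
# 127.0.0.1, not the original ISP resolver address. Step 5 (Unbound
# listening on OPT1) is what actually answers these.
pass in quick on $opt1_if proto { tcp udp } from any to 127.0.0.1 port 53

# What NOT to do: blocking port 53 on WAN. pfSense's own Unbound leaves via
# WAN too, so this rule stops the firewall itself from resolving anything,
# which is why the client lookups timed out once the WAN block was enabled.
# block out quick on $wan_if proto { tcp udp } from any to any port 53
```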