Needing help from the jungles of Papua New Guinea
I serve as a missionary at a small Bible College in the Highlands of Papua New Guinea. We have approximately 60 computers and other connected devices on our network which also includes a DHCP server. The internet service that we use is from a long haul radio system where we have to use the ISP's DHCP server to get service. As each user logs in, they are assigned an IP address to keep track of their data usage. To allow two DHCP servers on our network, I installed a pfsense box running version 2.5.0 and have created a VLAN, VLAN 20, on our Ubiquiti APs and pfsense box. I have very little networking experience; my background is in industrial automation and programming. To get the clients on the internet, I created a bridge between VLAN20 and the WAN port. I am not sure that is the correct way of doing it, but it works. The LAN has an IP address of 192.168.0.99 for admin purposes. The WAN and VLAN20 are set up as IPv4 Configuration Type of None. All DHCP services on the pfsense box have been disabled.
Now I am trying to get pfblockerng working. I have installed the basic configuration with the DNS Resolver enabled in Unbound mode, VIP at 10.10.10.1, and Permit Firewall Rules Enabled on LAN and VLAN20.
When I configure rules on VLAN20 to block DNS queries to the WAN, I get a DNS timeout of 2 seconds from an unknown DNS server and then a good failover response from the DNS on the WAN which is what I would expect pfblockerng to try to do. I have removed the rules just trying to get something to work. No matter what I have tried, I cannot ping 10.10.10.1 even when the echo rule is added.
I know this is something simple, I just don't understand enough about rules, routes, etc., to know where to start or how to fix it. As far as my understanding, I am not using NAT because each client is getting an IP address from the WAN which is our ISP's requirement. I've banged my head against the wall for 2 days now trying different setups... looking for some help. Thanks.
Gertjan last edited by
I've greatly simplified my testing setup. I've removed the campus DHCP server, the Ubiquiti APs, and the VLAN. All I have connected to the pfsense box is the ISP provided Ethernet cable which, via their DHCP server, gives out the IP addresses, DNS server, Gateway, etc., a Windows client on the LAN port, and my laptop on the OPT2 port.
WAN is configured with IPv4 and IPv6 as none.
LAN is configured with IPv4 and IPv6 as none.
OPT2 (Admin) is configured with Static IP 192.168.0.99
All DHCP services disabled.
There is a bridge between WAN and LAN.
pfsense running version 2.5.0-release
pfblocker running version 3.0.0_15
pfblocker is set up with default settings. No additional filtering enabled.
Internet on the client works fine until I block DNS on the WAN.
Nslookup times out after 2 seconds. Cannot ping 10.10.10.1.
If I disable the block on WAN DNS, internet works.
If I enable the block on WAN DNS, internet does not work.
The only difference I see between this setup and other videos I have seen is the bridge between WAN and LAN. I am at my wit's end. Thanks for any help.
When you block outgoing DNS on the WAN, pfSense itself cannot access DNS servers anymore as well. There are much better ways to ensure that the internal clients use the local DNS: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html.
Thanks for the suggestion. I tried that setting and the DNS query still went to the ISP assigned DNS server. It seems like no matter what I try, the query either gets blocked or it goes back to the ISP-assigned DNS server. It seems that since I have a bridge between the LAN and WAN ports, and the clients are assigned IP, Gateway, and DNS from the ISP's DHCP server, I am not able to intercept and redirect the DNS queries. I've watched dozens of YouTube videos and for most people, pfblockerng seems to just work. I've reloaded and started pfsense/pfblockerng from scratch at least 2 dozen times now over the last 4 days without making any progress. Any other suggestions?
Gertjan last edited by
Any other suggestions?
Don't do this:
I have a bridge between the LAN and WAN ports
as clients get DHCP info from the ISP, because it bypasses pfSense.
Bypassed for everything.
Also for DNS.
I wonder what your pfSense is actually doing / used for.
Redirecting the DNS traffic should work anyway.
Possibly unbound sends its traffic to the ISP's DNS. Or you did something wrong. Since you don't provide your settings, it's hard to say.
You can sniff the packets to see what's going on.
However, also not clear what the goal of the WAN-LAN bridge is indeed. If you only want your clients to pull network settings from the ISP you can enable the DHCP relay and configure the clients network accordingly.
I'm not entirely sure what your goals are and this setup seems highly unusual. What is the purpose of the bridge between WAN and LAN? Why would you not have pfSense act as the gateway to your private network and use NAT to translate the individual clients on your network to the ISP? That would be a more plain vanilla setup.
ISP -----> Public IP address (via DHCP) ------> pfSense WAN interface ------> NAT ------->
Private LAN addresses -----> windows client / WirelessAP / laptop(s) / other clients and services.
Can you start at the beginning and state your big picture goal(s)?
The ISP uses access cards (login and password) for clients to get access to internet. So, the clients have to get their IP address from the ISP DHCP server. They cannot get it from our router's DHCP server. Each client gets their own ISP assigned IP address and when their allotted data is used up, they are disconnected. I can get the clients internet access, but I cannot figure out how to intercept the ISP assigned DNS server to assign our own DNS server for filtering.
So your goal is to give each client internet access but be able to control DNS and filter content? Are there any other goals?
The way you have it now with the bridge between WAN and LAN is effectively the same as if you plugged a cable from WAN directly into LAN and completely bypassed your pfsense box. It would also be similar if you plugged all your clients into the same switch and just relied on the ISP to sort out DHCP, DNS, etc.
If I am reading between the lines correctly, the ISP has assigned your organization a group of IP addresses via a DHCP pool of their choosing. When your client "plugs in" either physically or over wifi, they are assigned an IP address and then have to enter some credentials to get internet access. This allows the ISP to verify clients and log usage to enforce data caps.
Are addresses assigned by the ISP to each client IPv4 or IPv6? Publicly routable addresses (each client visible to the internet at large) or private addresses (behind an ISP gateway that controls access to the internet at large)?
Address ranges reserved for private use are:
10.0.0.0/8 = 10.0.0.0 through 10.255.255.255
172.16.0.0/12 = 172.16.0.0 through 172.31.255.255
192.168.0.0/16 = 192.168.0.0 through 192.168.255.255
How many physical Ethernet ports on the box you're using to run pfSense?
I just realized that some of the answers to my questions were available in some of the screenshots you posted a month ago in your original post. Here is my thinking from the 35,000 foot view...
- Configure pfSense to receive an address from ISP on WAN via their DHCP server
- Create a "management" interface on LAN with a private address range and its own DHCP server. This allows you to plug in a laptop or other host and talk to pfSense, manage firewall rules, DNS, pfBlocker etc. as well as any switches or wireless access points you might have
- Create a bridge interface with WAN & OPT1 where all your clients will connect. This will be a DMZ of sorts where your clients get addresses directly from ISP and can pass credentials, etc. See Internal / External Bridges on this page:
- Create a series of firewall rules to intercept and redirect DNS traffic to pfSense.
- Configure Unbound to listen for DNS requests on OPT1. Unbound can then either act as a resolver and serve up the appropriate web addresses or forward those requests to your DNS provider of choice.
- pfBlocker can also be used on pfSense defined interfaces (WAN, LAN, OPT1....) to filter content, IP ranges, etc.
Hope this helps. I'm far (far, far) from an expert but let me know how you want to proceed.
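Two pieces of advice in this thread (sniff the packets to see where DNS actually goes, and verify that the redirect rules catch every client once the bridge/OPT1 design is in place) can be checked with one small audit. The script below is an added example, not code from the thread or from pfSense/pfBlockerNG: it parses constructed `tcpdump -n udp port 53` output and reports, per source address, whether queries reached the 10.10.10.1 VIP or went straight to the ISP resolver, treating pfSense's own upstream forwarding (from 192.168.0.99) as expected rather than as a bypass. The client addresses (203.0.113.0/24) and the ISP resolver (198.51.100.53) are documentation-range placeholders, and the private-range test uses the three blocks quoted above.

```python
import re
from ipaddress import ip_address, ip_network

LOCAL_RESOLVER = "10.10.10.1"    # pfBlockerNG VIP from the thread
PFSENSE_SELF = {"192.168.0.99"}  # pfSense's own admin address from the thread
# The three private ranges quoted in the thread, to answer "private or public?"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the format `tcpdump -n -i <bridge_if> udp port 53` prints;
# 203.0.113.0/24 (ISP-assigned clients) and 198.51.100.53 (ISP resolver) are placeholders.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.20.51234 > 10.10.10.1.53: 1234+ A? example.org. (29)
12:00:01.000500 IP 10.10.10.1.53 > 203.0.113.20.51234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:01.000600 IP 192.168.0.99.33333 > 198.51.100.53.53: 4321+ A? example.org. (29)
12:00:02.000001 IP 203.0.113.21.40000 > 198.51.100.53.53: 5678+ A? example.net. (29)
12:00:04.000001 IP 203.0.113.21.40001 > 198.51.100.53.53: 5679+ AAAA? example.net. (29)
"""

# Matches DNS queries only: tcpdump prints "<id>+" (the RD flag) for queries and
# "<id> <ans>/<auth>/<add>" for responses, so response lines never match.
QUERY_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: \d+\+")

def is_rfc1918(addr):
    return any(ip_address(addr) in net for net in RFC1918)

def audit_dns(capture, local_resolver=LOCAL_RESOLVER, self_addrs=PFSENSE_SELF):
    """Per-source summary: resolvers used, and how many queries skipped the VIP."""
    report = {}
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        e = report.setdefault(src, {"resolvers": set(), "queries": 0, "bypassed": 0,
                                    "rfc1918": is_rfc1918(src),
                                    "is_pfsense": src in self_addrs})
        e["resolvers"].add(dst)
        e["queries"] += 1
        # Unbound on pfSense forwarding upstream is expected; a client that
        # reaches the ISP resolver directly means the redirect rule missed it.
        if dst != local_resolver and not e["is_pfsense"]:
            e["bypassed"] += 1
    return report

def bypassing_clients(report):
    return sorted(s for s, e in report.items() if e["bypassed"])

if __name__ == "__main__":
    print(bypassing_clients(audit_dns(SAMPLE_CAPTURE)))  # ['203.0.113.21']
```

Feed it a real capture with `audit_dns(open("dns.txt").read())`; any address listed by `bypassing_clients` is one the DNS redirect rule on the client-facing interface is not catching.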