Needing help from the jungles of Papua New Guinea
I serve as a missionary at a small Bible College in the Highlands of Papua New Guinea. We have approximately 60 computers and other connected devices on our network, which also includes a DHCP server. The internet service that we use is from a long haul radio system where we have to use the ISP's DHCP server to get service. As each user logs in, they are assigned an IP address to keep track of their data usage. To allow two DHCP servers on our network, I installed a pfSense box running version 2.5.0 and have created a VLAN, VLAN 20, on our Ubiquiti APs and pfSense box. I have very little networking experience; my background is in industrial automation and programming. To get the clients on the internet, I created a bridge between VLAN20 and the WAN port. I am not sure that is the correct way of doing it, but it works. The LAN has an IP address of 192.168.0.99 for admin purposes. The WAN and VLAN20 are set up with an IPv4 Configuration Type of None. All DHCP services on the pfSense box have been disabled.
Now I am trying to get pfBlockerNG working. I have installed the basic configuration with the DNS Resolver enabled in Unbound mode, VIP at 10.10.10.1, and Permit Firewall Rules enabled on LAN and VLAN20.
When I configure rules on VLAN20 to block DNS queries to the WAN, I get a DNS timeout of 2 seconds from an unknown DNS server and then a good failover response from the DNS on the WAN, which is what I would expect pfBlockerNG to try to do. I have removed the rules, just trying to get something to work. No matter what I have tried, I cannot ping 10.10.10.1, even when the echo rule is added.
I know this is something simple; I just don't understand enough about rules, routes, etc., to know where to start or how to fix it. As far as I understand, I am not using NAT because each client is getting an IP address from the WAN, which is our ISP's requirement. I've banged my head against the wall for 2 days now trying different setups... looking for some help. Thanks.
Gertjan last edited by
I've greatly simplified my testing setup. I've removed the campus DHCP server, the Ubiquiti APs, and the VLAN. All I have connected to the pfSense box is the ISP-provided Ethernet cable which, via their DHCP server, gives out the IP addresses, DNS server, gateway, etc., a Windows client on the LAN port, and my laptop on the OPT2 port.
WAN is configured with IPv4 and IPv6 as none.
LAN is configured with IPv4 and IPv6 as none.
OPT2 (Admin) is configured with static IP 192.168.0.99.
All DHCP services disabled.
There is a bridge between WAN and LAN.
pfSense running version 2.5.0-RELEASE.
pfBlockerNG running version 3.0.0_15.
pfBlockerNG is set up with default settings. No additional filtering enabled.
Internet on the client works fine until I block DNS on the WAN.
nslookup times out after 2 seconds. Cannot ping 10.10.10.1.
If I disable the block on WAN DNS, internet works.
If I enable the block on WAN DNS, internet does not work.
The only difference I see between this setup and other videos I have seen is the bridge between WAN and LAN. I am at my wit's end. Thanks for any help.
When you block outgoing DNS on the WAN, pfSense itself cannot access DNS servers anymore as well. There are much better ways to ensure that the internal clients use the local DNS: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html.
Thanks for the suggestion. I tried that setting and the DNS query still went to the ISP-assigned DNS server. It seems like no matter what I try, the query either gets blocked or it goes back to the ISP-assigned DNS server. It seems that since I have a bridge between the LAN and WAN ports, and the clients are assigned IP, gateway, and DNS from the ISP's DHCP server, I am not able to intercept and redirect the DNS queries. I've watched dozens of YouTube videos and for most people, pfBlockerNG seems to just work. I've reloaded and started pfSense/pfBlockerNG from scratch at least 2 dozen times now over the last 4 days without making any progress. Any other suggestions?
Gertjan last edited by
Any other suggestions?
Don't do this:
I have a bridge between the LAN and WAN ports
as clients get DHCP info from the ISP, because it bypasses pfSense.
Bypassed for everything.
Also for DNS.
I wonder what your pfSense is actually doing / used for.
Redirecting the DNS traffic should work anyway.
Possibly Unbound sends its traffic to the ISP's DNS. Or you did something wrong. Since you don't provide your settings, it's hard to say.
You can sniff the packets to see what's going on.
However, it is also not clear what the goal of the WAN-LAN bridge is. If you only want your clients to pull network settings from the ISP you can enable the DHCP relay and configure the clients' network accordingly.
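For reference, this is what the linked DNS-redirect recipe amounts to at the pf level, shown here as an added illustration rather than anything from the thread or from pfSense's own generated ruleset. It assumes a routed LAN on interface em1 (a hypothetical name) that carries an IPv4 address; on pfSense these rules are produced by the GUI port-forward, not edited by hand.

```pf
# Assumed interface (not from the thread): em1 = LAN, with an IPv4 address.
# pfSense writes equivalent lines into its generated ruleset from the
# Firewall > NAT > Port Forward entry described in the docs recipe.

# Any DNS query arriving on LAN that is NOT already addressed to the LAN
# interface address is rewritten to the local Unbound resolver on 127.0.0.1.
rdr on em1 proto { tcp udp } from any to ! (em1) port 53 -> 127.0.0.1 port 53

# Filter rules evaluate the translated destination, so allow it explicitly.
pass in quick on em1 proto { tcp udp } from any to 127.0.0.1 port 53 keep state
```

The redirect only applies to traffic pfSense forwards as a layer-3 hop; in the bridged setup discussed above, clients obtain DHCP, gateway and DNS straight from the ISP and never route through pfSense, which is why the recipe had no visible effect there.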