Help a newbie - Please?
-
I'm very new to this, having fun learning!
I want to have my Netgate 2100 set up so that each of the four physical ethernet ports act as an independent LAN, completely isolated from the other LAN's, but with access to the internet.
I have installed pfBlockerNG which seems to be working fine
Everything seems fine except I can't get out onto the internet at all, I have this error message.............
Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:74: syntax error - The line in question reads [74]: nat on mvneta0 inet proto tcp from 192.168.100.0/24 to 192.168.100.20 port -> (mvneta0)
@ 2023-09-24 13:31:49I'm close to doing a reset and starting again, that would seem defeatist, any help would be appreciated?
-
That looks like a NAT reflection rule that is somehow missing the port and is invalid.
Do you have port forwards configured?
Do you have NAT reflection enabled?
I'd first disable NAT reflection if you do and see if that removes the invalid line.
Steve
-
Appreciate your response thank you.
I don't understand what you've said, I'm well outta my depth with this.
I'm doing a factory reset and start again, moving forward a bit more slowly this time, try and understand what I'm doing, rather than just mindlessley following a set of instructions!
-
NAT reflection is explained here:
https://docs.netgate.com/pfsense/en/latest/nat/reflection.htmlIt's not enabled by default but that invalid rule line looks like it might have come from that somehow. Unclear how it could have happened though.
-
Thank you it makes sense to me, that'll be me broken it, no surprise there!
I had an earlier attempt at TLS over DNS to Cloudflare, I abandoned ship at needing a cert from Acme, this did mean I had fiddled with DNS settings as well as other settings.
Clearly a far more methodical approach is required, with lots of backups so if I can't make something work, I can restore to a working setup and try again.
-
You don't need a cert just to use DNS over TLS. Just enable that in Unbound (the DNS resolver) and set it in forwarding mode. Then set Cloudflare's servers in System > General Setup.
-
I got that working on my Mac which is wired and has wifi to the internet, it's also working on my MacBook which is wifi only, thank you.
I tested it with this..........
https://developers.cloudflare.com/1.1.1.1/check/#:~:text=Enter%20https%3A%2F%2F1.1.1.1,center%20you%20are%20connected%20to.
But it isn't working on my iPhone or my iPad, which are both on the same wifi as the MacBook, they are attached to a router in AP mode which in turn is plugged into the Netgate 2100.
It's no big deal as Cloudflare have a nice little app, which does DNS over TLS on the iPhone and iPad and the above link confirms it.
-
Those devices may not be using pfSense for DNS directly. In which case you would need to redirect or block other DNS if you needed that.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html -
@estwing said in Help a newbie - Please?:
TLS over DNS to Cloudflare
Like : Cloudflaire Docs : DNS over TLS
So : step one :
Step two : Services > DNS Resolver > General Settings
Make sure these are checked - or un checked :
If ok, validate - and done.
-
Appreciate the comments, at the moment I can't get this working, my best guess is I don't know what Python is and I don't have any Python module scripts.
My goal with this was some extra security for everything in and out of my house, without the problems of using a VPN like Proton or Surfshark or other such stuff, which all seems pretty hopeless!
-
You don't need to enable python mode unless you're using pfBlocker.
-
That's interesting, I am using pfBlocker!
-
OK, it's generally better to use python mode in that case especially if you have a large number of lists. It's a lot faster. Either should work though.
-
I do appreciate your help with this, I'm in way over my depth now, I can't do Python!
Only a few weeks ago I didn't have any idea what port forwarding was, never mind NAT. If I try and run before I can walk, a bad habit of mine, it won't end well. Hopefully I'm already a lot more secure than your average home user.
Sometimes the only way to learnt something is to get your hands dirty, so I bought a Netgate 2100, I'll keep at it, I will get my head around this, eventually!
-
You don't need to know anything about Python. That just sets the module Unbound is using to import the lists from pfBlocker.
