Netgate Discussion Forum

    pfSense blocking all DNS

    • DouggaDit @DouggaDit

      nslookup on the server succeeds instantly.
      It fails at clients.

      • DouggaDit @DouggaDit

        I found a problem experimenting with rules on the bridged interface.
        It seems the HOMEBRIDGE_subnets network alias does not work when creating rules. Applying rules to this appears to have no effect.

        Using any/* does work.
        I'm new to pfSense, but this looks like a bug.

        • DouggaDit @DouggaDit

          Something else.
          The logs are showing an entry from the LAN interface which is a member of the HomeBridge bridged interface. Is this normal? Shouldn't the log show the traffic coming from the Bridge not the LAN interface?

          [image: Firewall Log showing entries for both LAN & HomeBridge interfaces.]

          [image: Bridge Definition]

          The IP address is assigned on the Bridge Config page.

          Also, I have IPv6 turned off. Why are these logs showing this traffic?

          • DouggaDit @DouggaDit

            The firewall is simply unstable.
            Integrated network aliases don't function.
            The firewall simply doesn't work.
            Rules to allow all on specific ports appear to be the only type of rule that works consistently. Attempting to narrow the 'allow' to specific IP addresses or networks fails. User-defined and system-defined interface-related aliases don't function.

            This forum is not a good use of my time.
            I assume the silence is simply bait to get people to switch to paid support.

            • SteveITS Rebel Alliance @DouggaDit

              @DouggaDit allow UDP in addition to TCP

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
              Upvote 👍 helpful posts!

              • DouggaDit @DouggaDit

                Nice catch.
                Thanks!

                • SteveITS Rebel Alliance @DouggaDit

                  A new rule in pfSense defaults to the TCP protocol; it catches everyone. It's just safer than "any", I assume.

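The point SteveITS makes above, that a rule created with pfSense's default protocol (TCP) never matches a client's UDP DNS query while the same rule with TCP/UDP does, modelled as an added example; this is not code from the thread or from pfSense, and the alias name, subnet and addresses are constructed values:

```python
import ipaddress

# Constructed alias table: pfSense's "<interface> subnets" alias, modelled as
# a name that expands to a list of CIDRs (the subnet value is assumed).
ALIASES = {"HOMEBRIDGE_subnets": ["192.168.10.0/24"]}

def expand(src):
    """Return the networks a rule source refers to ('*' matches everything)."""
    if src == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(n) for n in ALIASES.get(src, [src])]

def rule_matches(rule, pkt):
    """Match on protocol, source network (alias or CIDR) and destination port."""
    # pfSense turns a 'tcp/udp' rule into one pf rule per protocol; a set models that.
    protos = set(rule["proto"].split("/"))
    if pkt["proto"] not in protos:
        return False
    src_ip = ipaddress.ip_address(pkt["src"])
    if not any(src_ip in net for net in expand(rule["src"])):
        return False
    return rule["dport"] in ("*", pkt["dport"])

def evaluate(rules, pkt):
    """First matching rule wins (pfSense rules are 'quick'); unmatched traffic is blocked."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "block"

# Constructed client packets: a resolver query goes out over UDP 53 by default,
# and falls back to TCP 53 only for truncated answers or zone transfers.
UDP_DNS = {"proto": "udp", "src": "192.168.10.50", "dport": 53}
TCP_DNS = {"proto": "tcp", "src": "192.168.10.50", "dport": 53}

# The rule as it comes out of the GUI with the default protocol left at TCP.
TCP_ONLY = [{"action": "pass", "proto": "tcp", "src": "HOMEBRIDGE_subnets", "dport": 53}]
# The corrected rule, protocol set to TCP/UDP.
TCP_UDP = [{"action": "pass", "proto": "tcp/udp", "src": "HOMEBRIDGE_subnets", "dport": 53}]

if __name__ == "__main__":
    for name, rules in (("tcp only", TCP_ONLY), ("tcp/udp", TCP_UDP)):
        print(name, "udp:", evaluate(rules, UDP_DNS), "tcp:", evaluate(rules, TCP_DNS))
```

With the TCP-only rule the UDP query is dropped by the default block, which is why lookups fail on clients but work on the resolver itself, where no firewall rule is traversed.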
                  • Phizix @DouggaDit

                    @DouggaDit said in pfSense blocking all DNS:

                    This forum is not a good use of my time.
                    I assume the silence is simply bait to get people to switch to paid support.

                    In all fairness this was a long holiday weekend in the US.

                    Phizix

                    • DouggaDit @Phizix

                      @Phizix Ahhh I don't have the reputation point required to upvote this comment. Someone lurking is an asshat.

                      • tinfoilmatt

                        @DouggaDit said in pfSense blocking all DNS:

                        The firewall is simply unstable.
                        Integrated network aliases don't function.
                        The firewall simply doesn't work.
                        Rules to allow all on specific ports appear to be the only type of rule that works consistently. Attempting to narrow the 'allow' to specific IP addresses or networks fails. User-defined and system-defined interface-related aliases don't function.

                        This forum is not a good use of my time.
                        I assume the silence is simply bait to get people to switch to paid support.

                        Safe to file this one under did-a-derp-and-kept-digging.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.