Netgate Discussion Forum

[SOLVED] Help: Example basic configuration: Outbound LAN: Allow DNS access setup

Firewalling
13 Posts 3 Posters 26.7k Views

  • E
    exnsmoker
    last edited by Sep 25, 2013, 6:38 PM Sep 22, 2013, 12:58 AM

    Hello

    I took my first steps with pfSense firewall settings; your help is greatly appreciated.
    I would like to configure pfSense 2.1 like this example: https://doc.pfsense.org/index.php/Example_basic_configuration

    My present firewall LAN rules:

    picture(1)

    I want to know how/where to enter Outbound LAN point 2. values in this window picture 2:

    2.  Allow DNS access - if pfSense is your DNS you can set LAN address; if using outside DNS, create a rule to allow 53 to anywhere
        1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
        2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address

    picture (2)

    If someone can show me the correct settings on a screenshot or video, I could understand how to start the right way.

    Thank you.

    1 Reply Last reply Reply Quote 0
    • F
      firewalluser
      last edited by Sep 22, 2013, 8:19 PM Sep 22, 2013, 7:50 PM

      @exnsmoker:

      Hello

      I took my first steps with pfSense firewall settings; your help is greatly appreciated.
      I would like to configure pfSense 2.1 like this example: https://doc.pfsense.org/index.php/Example_basic_configuration

      My present firewall LAN rules:

      picture(1)

      I want to know how/where to enter Outbound LAN point 2. values in this window picture 2:

      The rules on your LAN tab are where you configure both inbound and outbound rules.

      In picture 1, the two default rules are your outbound rules, i.e. the source "LAN net" means any LAN-side client can go anywhere with IPv4 & IPv6.

      2.  Allow DNS access - if pfSense is your DNS you can set LAN address; if using outside DNS, create a rule to allow 53 to anywhere
          1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
          2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address

      picture (2)

      1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
      LAN tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, leave Destination blank but change Destination port to DNS or type in port 53, which should automatically make the second destination port also DNS or 53.

      2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address
      LAN tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, change Destination to LAN address and change Destination port to DNS or type in port 53, which should automatically make the second destination port also DNS or 53.

      That's all there is to it. One tip: if you are ever unsure whether a rule is working, just tick the option to log the packets, then click on Status, System Logs, choose the Firewall tab and see whether your packets are getting blocked or not.

      Edit.

      One other point: if you are using the DNS forwarder in pfSense, you can add more DNS servers, negating the need to have rule 2, by going to System, General Setup and adding the additional DNS servers to the 4 DNS server fields.
      Edit2. And if you are using the DNS forwarder you don't need rule 1 either, as pfSense handles this for you automatically, so there's no need to create a "pass" rule.

      Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

      1 Reply Last reply Reply Quote 0
      • E
        exnsmoker
        last edited by Sep 22, 2013, 11:10 PM Sep 22, 2013, 11:06 PM

        1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
        LAN tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, leave Destination blank but change Destination port to DNS or type in port 53, which should automatically make the second destination port also DNS or 53.

        picture (3)

        2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address
        LAN tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, change Destination to LAN address and change Destination port to DNS or type in port 53, which should automatically make the second destination port also DNS or 53.

        picture (4)

        I end up with the following rules:

        picture (5)

        I disabled the two rules "Default allow LAN to any rule" and I lost my internet connection.
        (I don't want to allow all rules, for sure.)

        picture (6)

        What should I do to keep my internet connection?
        Thank you very much for your help (and patience).

        1 Reply Last reply Reply Quote 0
        • F
          firewalluser
          last edited by Sep 23, 2013, 9:17 AM

          What is your WAN config like, and are you using the built-in DNS forwarder?

          A "normal" install of pfSense doesn't normally require any of those DNS rules, so it might be worth looking at the WAN config side of things; maybe you have some rules there blocking your LAN from accessing the net?

          A straightforward WAN & LAN (dual NIC) setup using IPv4 & IPv6 would have:

          WAN rules
            RFC 1918 networks              Block private networks
            Reserved/not assigned by IANA  Block bogon networks

          LAN rules
            Destination LAN Address, ports 443/80   Anti-Lockout Rule
            Proto IPv4, Source LAN net              Default allow LAN to any rule
            Proto IPv6, Source LAN net              Default allow LAN IPv6 to any rule

          And that would be enough to get net access, with DNS entries either being picked up from your router or by putting the DNS server IP address in the System, General Setup, DNS servers fields.

          Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

          Asch Conformity, mainly the blind leading the blind.

          1 Reply Last reply Reply Quote 0
          • E
            exnsmoker
            last edited by Sep 23, 2013, 1:07 PM Sep 23, 2013, 11:10 AM

            For security concerns, I don't want to allow a LAN to any rule. I'm looking to disable "Proto IPv4 Source LAN net Default allow LAN to any rule" and "Proto IPv6 Source LAN net Default allow LAN IPv6 to any rule". I'm looking to disable these 2 rules and keep my internet alive. Thanks.

            What is your WAN config like, and are you using the built-in DNS forwarder?

            picture (7)

            picture ( 8 )

            picture (9)

            These are screen captures of my present settings. I did a default installation of pfSense (Quick/Easy Install). I have not changed any settings.

            Internet-> pfSense-> D-Link EBR-2310-> My Single Computer

            1 Reply Last reply Reply Quote 0
            • T
              timthetortoise
              last edited by Sep 23, 2013, 2:43 PM

              Of course you lose internet connection, you're only allowing DNS out. If you go to your command prompt and type "nslookup" and then an internet address, such as google.com, you should be able to get DNS records. To actually allow HTTP and HTTPS traffic out, you need to allow those ports on your LAN firewall rules. Simply allowing DNS out is not enough to access web sites, only to resolve their addresses.

              1 Reply Last reply Reply Quote 0
              • E
                exnsmoker
                last edited by Sep 25, 2013, 6:35 PM Sep 24, 2013, 8:35 AM

                Of course you lose internet connection, you're only allowing DNS out. If you go to your command prompt and type "nslookup" and then an internet address, such as google.com, you should be able to get DNS records.

                picture (10)

                What should I do precisely and clearly with these data now?
                Thank you.

                1 Reply Last reply Reply Quote 0
                • T
                  timthetortoise
                  last edited by Sep 24, 2013, 5:36 PM

                  You should allow ports 80 and 443. I don't know how much more clear I can make that information.

                  1 Reply Last reply Reply Quote 0
                  • E
                    exnsmoker
                    last edited by Sep 25, 2013, 8:05 AM Sep 24, 2013, 6:25 PM

                    You should allow ports 80 and 443. I don't know how much more clear I can make that information.

                    Thank you for your answer timthetortoise

                    If I understand correctly, I have to add 2 more rules to the picture (6)?
                    I thought the first gray Anti-Lockout Rule (on top picture 6) LAN Address 443/80 was sufficient.

                    So, I have to adjust the rules like picture (11), below. Right?

                    picture (11)

                    1 Reply Last reply Reply Quote 0
                    • T
                      timthetortoise
                      last edited by Sep 25, 2013, 12:15 PM

                      The third rule (port 53 to LAN address) is unnecessary, but yes, that should work for you. If everything's in your LAN address' subnet, you could change the Source for all of them to LAN net - if, however, it's not all in the same subnet, but you still want it to be allowed out, you will want to either set up a network alias, or allow from any source.

                      1 Reply Last reply Reply Quote 0
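To make the behaviour described across these replies concrete (DNS-only rules resolve names but block browsing; the final LAN rule set from picture (12) passes DNS, HTTP and HTTPS; anything else, or any source outside the LAN subnet, falls through to the implicit default deny; the rule with destination LAN address is redundant for outbound traffic), here is a small first-match rule evaluator written as an added example. It is not pfSense code or part of this thread; the LAN subnet 192.168.1.0/24 and LAN address 192.168.1.1 are constructed values, and the rule names are taken from the thread.

```python
"""Toy first-match evaluator for the LAN rule set discussed in the thread.

Added example, not pfSense code. pf evaluates the rules of a tab top to bottom;
the first matching pass/block rule wins and anything that matches no rule is
dropped by the implicit default deny. Addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed "LAN net"
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")  # constructed "LAN address"


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "tcp", "udp", "tcp/udp" or "any"
    src: str             # "LAN net" or "any"
    dst: str             # "LAN address" or "any"
    dports: frozenset    # destination ports; empty means any port
    label: str           # rule description as shown on the LAN tab


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def _match_proto(rule_proto: str, flow_proto: str) -> bool:
    return rule_proto == "any" or flow_proto in rule_proto.split("/")


def _match_addr(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "LAN net":
        return addr in LAN_NET
    if spec == "LAN address":
        return addr == LAN_ADDRESS
    raise ValueError(f"unknown address spec {spec!r}")


def evaluate(rules, flow: Flow):
    """Return (action, label) of the first matching rule, or the default deny."""
    for r in rules:
        if (_match_proto(r.proto, flow.proto)
                and _match_addr(r.src, flow.src_ip)
                and _match_addr(r.dst, flow.dst_ip)
                and (not r.dports or flow.dport in r.dports)):
            return r.action, r.label
    return "block", "default deny"


# Final LAN tab from picture (12): anti-lockout, DNS, HTTP, HTTPS, source LAN net.
FINAL_RULES = [
    Rule("pass", "tcp", "any", "LAN address", frozenset({80, 443}), "Anti-Lockout Rule"),
    Rule("pass", "tcp/udp", "LAN net", "any", frozenset({53}), "Allow DNS"),
    Rule("pass", "tcp", "LAN net", "any", frozenset({80}), "Allow HTTP"),
    Rule("pass", "tcp", "LAN net", "any", frozenset({443}), "Allow HTTPS"),
]

# Intermediate state from picture (6): default-allow rules disabled, only DNS open.
DNS_ONLY_RULES = FINAL_RULES[:2]


def check(rules, flows):
    """Evaluate several flows at once; handy for eyeballing a rule set."""
    return {flow: evaluate(rules, flow) for flow in flows}


if __name__ == "__main__":
    sample = [
        Flow("udp", "192.168.1.10", "8.8.8.8", 53),      # name resolution
        Flow("tcp", "192.168.1.10", "93.184.216.34", 443),  # browsing
        Flow("tcp", "192.168.1.10", "93.184.216.34", 25),   # SMTP, not allowed
        Flow("tcp", "192.168.2.10", "93.184.216.34", 443),  # outside LAN net
    ]
    for name, rules in (("DNS only", DNS_ONLY_RULES), ("final", FINAL_RULES)):
        print(f"--- {name} ---")
        for flow, verdict in check(rules, sample).items():
            print(f"{flow.proto} {flow.src_ip} -> {flow.dst_ip}:{flow.dport}: {verdict}")
```

Running the script shows the same thing the thread walked through by trial and error: under the DNS-only set the 443 flow is dropped by default deny even though the lookup succeeds, and under the final set a host outside 192.168.1.0/24 is still dropped, which is the case where an alias or "any" source would be needed.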
                      • E
                        exnsmoker
                        last edited by Sep 25, 2013, 5:50 PM

                        The third rule (port 53 to LAN address) is unnecessary, but yes, that should work for you. If everything's in your LAN address' subnet, you could change the Source for all of them to LAN net

                        As the following screenshot (picture 12) ?

                        picture (12)

                        1 Reply Last reply Reply Quote 0
                        • T
                          timthetortoise
                          last edited by Sep 25, 2013, 6:17 PM

                          Well, does it work? If so, then yes. If not, then no. But for a basic network infrastructure, that should work fine.

                          1 Reply Last reply Reply Quote 0
                          • E
                            exnsmoker
                            last edited by Sep 25, 2013, 6:40 PM

                            Everything works, thanks a lot!

                            1 Reply Last reply Reply Quote 0
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.