[SOLVED] Help: Example basic configuration: Outbound LAN: Allow DNS access setup



  • Hello

    I took my first steps with pfSense firewall settings, Your help is greatly appreciated.
    I would like to configure pfSense 2.1 like this example: https://doc.pfsense.org/index.php/Example_basic_configuration

    My present firewall LAN rules:

    picture(1)

    I want to know how/where to enter Outbound LAN point 2. values in this window picture 2:

    2.  Allow DNS access - if pfSense is your dns you can set lan address, if using outside dns create rule to allow 53 to anywhere

    1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
        2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address

    picture (2)

    If someone can show me the correct settings on a screenshot or video, I could understand how to start the right way.

    Thank you.



  • @exnsmoker:

    Hello

    I took my first steps with pfSense firewall settings, Your help is greatly appreciated.
    I would like to configure pfSense 2.1 like this example: https://doc.pfsense.org/index.php/Example_basic_configuration

    My present firewall LAN rules:

    picture(1)

    I want to know how/where to enter Outbound LAN point 2. values in this window picture 2:

    The rules on your Lan tab is where you configure both inbound and outbound rules.

    In picture 1, the two default rules are your outbound rules, ie the source Lan net means any lan side client can go anywhere with ipv4 & ipv6.

    2.  Allow DNS access - if pfsense is your dns you can set lan address, if using outside dns create rule to allow 53 to anywhere

    1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
        2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address

    picture (2)

    1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
    Lan Tab, add rule, change protocol to tcp/udp, change source to lan subnet, leave destination blank but change destination port to DNS or type in port 53 which should automatically make the second destination port also DNS or 53.

    2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address
    Lan Tab, add rule, change protocol to tcp/udp, change source to lan subnet, change destination to lan address and change destination port to DNS or type in port 53 which should automatically make the second destination port also DNS or 53.

    Thats all there is to it. One tip, if you are ever unsure if a rule is working, just tick the option to log the packets then click on Status, System Logs, choose firewall tab and then see if your packets are getting blocked or not.

    Edit.

    One other point, if you are using the dns forwarder in pfsense, you can add more dns servers negating the need to have rule2 by going to system, general setup and add the additional dns servers to the 4 dns server fields.
    Edit2. And if you are using the DNS forwarder you dont need rule 1 either as pfsense handles this for you automatically so theres no need to create a "pass" rule.



  • 1.  Allow TCP/UDP 53 (DNS) from LAN subnet to anywhere
    Lan Tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, leave Destination blank but change Destination port to DNS or type in port 53 which should automatically make the second destination port also DNS or 53.

    picture (3)

    2.  Allow TCP/UDP 53 (DNS) from LAN subnet to LAN Address
    Lan Tab, add rule, change Protocol to TCP/UDP, change Source to LAN subnet, change destination to LAN address and change destination port to DNS or type in port 53 which should automatically make the second destination port also DNS or 53.

    picture (4)

    I end up with the following rules

    picture (5)

    I disabled the two rules "Default allow LAN to any rule" and I lost and my internet connection.
    (I don't want to allow all rules for sure)

    picture (6)

    What should I do to keep my internet connection?
    Thank you very much for your help (and patience).



  • What is your WAN config like and are you using the built in dns forwarder?

    A "normal" install of pfsense doesnt normally require any of those DNS rules so it might be worth looking at the wan config side of things, maybe you have some rules there blocking your lan from accessing the net?

    A straight forward Wan & Lan (duel nic) setupusing ipv4 & ipv6 would have :
    Wan rules
    RFC 1918 networks                      Block private networks
    Reserved/not assigned by IANA Block bogon networks

    Lan rules
    Destination LAN Address 443/80 Anti-Lockout Rule
    Proto IPv4  Source LAN net Default allow LAN to any rule 
    Proto IPv6  Source LAN net Default allow LAN IPv6 to any rule

    And that would be enough to get net access with DNS entries either bing picked up from your router or putting the DNS server ip address in the System, General Setup, DNS servers fields.



  • For security concerns, I don't want to allow LAN to any rule. I'm looking to disable Proto IPv4  Source LAN net Default allow LAN to any rule and  Proto IPv6  Source LAN net Default allow LAN IPv6 to any rule. I'm looking to disable these 2 rules and keep my internet alive. Thanks.

    What is your WAN config like and are you using the built in dns forwarder?

    picture (7)

    picture ( 8 )

    picture (9)

    These are screen captures of my present settings. I did a default installation of pfSense (Quick/Easy Install). I have not changed any settings.

    Internet-> pfSense-> D-Link EBR-2310-> My Single Computer



  • Of course you lose internet connection, you're only allowing DNS out. If you go to your command prompt and type "nslookup" and then an internet address, such as google.com, you should be able to get DNS records. To actually allow HTTP and HTTPS traffic out, you need to allow those ports on your LAN firewall rules. Simply allowing DNS out is not enough to access web sites, only to resolve their addresses.



  • Of course you lose internet connection, you're only allowing DNS out. If you go to your command prompt and type "nslookup" and then an internet address, such as google.com, you should be able to get DNS records.

    picture (10)

    What should I do precisely and clearly with these data now.
    Thank you.



  • You should allow ports 80 and 443. I don't know how much more clear I can make that information.



  • You should allow ports 80 and 443. I don't know how much more clear I can make that information.

    Thank you for your answer timthetortoise

    If I understand correctly, I have to add 2 more rules to the picture (6)?
    I thought the first gray Anti-Lockout Rule (on top picture 6) LAN Address 443/80 was sufficient.

    So, I have to adjust the rules like picture (11), below. Right?

    picture (11)



  • The third rule (port 53 to LAN address) is unnecessary, but yes, that should work for you. If everything's in your LAN address' subnet, you could change the Source for all of them to LAN net - if, however, it's not all in the same subnet, but you still want it to be allowed out, you will want to either set up a network alias, or allow from any source.



  • The third rule (port 53 to LAN address) is unnecessary, but yes, that should work for you. If everything's in your LAN address' subnet, you could change the Source for all of them to LAN net

    As the following screenshot (picture 12) ?

    picture (12)



  • Well, does it work? If so, then yes. If not, then no. But for a basic network infrastructure, that should work fine.



  • Everything works, thanks a lot!


Log in to reply