DNS rules do not work properly in pfSense 2.1



  • Hi all. I have a problem with pfSense 2.1. When I wake my computer (Windows 8.1) from sleep in the morning, pfSense blocks DNS requests. I have a rule to pass traffic from the LAN subnet to the LAN address on port 53 (DNS), but this rule does not work properly. In the firewall logs I can see that this rule does not work sometimes (I can see blocked DNS requests from the LAN). In the morning, for example, I have to log in to the firewall and disable/enable the DNS rule to make it work properly. This rule is locked somehow. I have a PPPoE connection and a periodic reset at 06 AM.


  • Rebel Alliance Global Moderator

    For both UDP and TCP; DNS can and does use TCP, depending.

    The default LAN rule allows all outbound traffic, be it to the LAN address or the internet, for all ports. So what rules have you put in place to change this?

    Can you post your LAN rules?



  • I found something in the General section. I think the periodic reset started at 06:00:00. At the end you can see that I started the computer at 12:18:15. The only way to get the internet to work was to log in to pfSense and disable/enable the DNS rule.

    Nov 19 06:00:00 check_reload_status: Configuring interface wan
    Nov 19 06:00:03 check_reload_status: Rewriting resolv.conf
    Nov 19 06:00:04 php: rc.interfaces_wan_configure: Starting 3gstats.php on device '' for interface 'wan'
    Nov 19 06:00:12 php: rc.newwanip: ROUTING: setting default route to 10.0.0.1
    Nov 19 06:00:12 php: rc.newwanip: ROUTING: setting IPv6 default route to fe80::1%em0
    Nov 19 06:00:13 php: rc.newwanip: ROUTING: setting default route to 10.0.0.1
    Nov 19 06:00:14 php: rc.newwanip: ROUTING: setting IPv6 default route to fe80::1%em0
    Nov 19 06:00:18 php: rc.newwanip: Resyncing OpenVPN instances for interface WANPPPOE.
    Nov 19 06:00:18 php: rc.newwanip: Creating rrd update script
    Nov 19 06:00:19 php: rc.newwanip: Resyncing OpenVPN instances for interface WANPPPOE.
    Nov 19 06:00:19 php: rc.newwanip: Creating rrd update script
    Nov 19 06:00:20 php: rc.newwanip: pfSense package system has detected an ip change 188.24.122.13 -> 188.24.117.177 … Restarting packages.
    Nov 19 06:00:20 check_reload_status: Starting packages
    Nov 19 06:00:20 check_reload_status: Reloading filter
    Nov 19 06:00:21 php: rc.newwanip: pfSense package system has detected an ip change 188.24.117.177 -> 188.24.117.177 ... Restarting packages.
    Nov 19 06:00:23 php: rc.start_packages: Restarting/Starting all packages.
    Nov 19 06:00:34 check_reload_status: updating dyndns WANPPPOE_PPPOE
    Nov 19 06:00:34 check_reload_status: Restarting ipsec tunnels
    Nov 19 06:00:34 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Nov 19 06:00:34 check_reload_status: Reloading filter
    Nov 19 12:18:15 check_reload_status: Linkup starting re0
    Nov 19 12:18:15 kernel: re0: link state changed to UP
    Nov 19 12:18:18 php: rc.linkup: DEVD Ethernet attached event for lan
    Nov 19 12:18:18 php: rc.linkup: HOTPLUG: Configuring interface lan
    Nov 19 12:18:18 php: rc.linkup: The command '/sbin/ifconfig 're0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
    Nov 19 12:18:25 check_reload_status: updating dyndns lan
    Nov 19 12:18:58 php: /index.php: Successful login for user 'admin' from: 192.168.1.101
    Nov 19 12:18:58 php: /index.php: Successful login for user 'admin' from: 192.168.1.101
    Nov 19 12:21:36 check_reload_status: Syncing firewall
    Nov 19 12:21:41 check_reload_status: Reloading filter


  • Rebel Alliance Global Moderator

    Ok, clearly you don't understand how the firewall rules work, since every rule you have there is pointless with that last rule, where you allow all. It's nice you put a label on it called torrents, but you're saying your LAN can go anywhere on any port, be that your LAN address or the internet, on DNS or not, etc.

    So you allow 80 from LAN; where is it you block everything else? Rules are processed top to bottom. All your rules are allow, then the last rule is allow all. So it is pointless to have any of those rules there, other than the last one.

    Now clearly you've got something messed up if you have to reset anything to get internet, but it has nothing to do with that DNS rule. You need to look elsewhere, and you might as well redo those rules, because they are all pointless ;)

    What is it you want to accomplish? I'd be happy to help you write the rules. If you want to only allow access to pfSense for DNS, that is easy enough, but not when you have an allow any/any at the end ;)
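    To make the moderator's point about rule order concrete, here is an added example (not from the thread and not pfSense code) of a first-match evaluator run over the LAN rules as posted and over a set that really restricts DNS to the firewall; the LAN address 192.168.1.1 and the rule labels are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LAN_ADDRESS = "192.168.1.1"  # assumed pfSense LAN address, not from the thread

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "tcp", "udp" or "any"
    dst: str = "any"             # destination host or "any"
    dport: Optional[int] = None  # destination port, None = any port
    label: str = ""

def matches(rule, proto, dst, dport):
    return (rule.proto in ("any", proto) and rule.dst in ("any", dst)
            and rule.dport in (None, dport))

def evaluate(rules, proto, dst, dport):
    """First match wins (pfSense GUI rules are 'quick'); no match = default deny."""
    for r in rules:
        if matches(r, proto, dst, dport):
            return r.action, r.label
    return "block", "default deny"

def redundant_rules(rules):
    """Labels of rules that a later, broader rule with the same action makes pointless."""
    out = []
    for i, r in enumerate(rules):
        for later in rules[i + 1:]:
            if later.action != r.action:
                break  # a different verdict sits in between, so r may still matter
            if matches(later, r.proto, r.dst, r.dport):  # later covers all r covers
                out.append(r.label)
                break
    return out

# LAN rules as the moderator read them: only pass rules, then pass-any.
AS_POSTED = [
    Rule("pass", "tcp", "any", 80, "http"),
    Rule("pass", "any", LAN_ADDRESS, 53, "dns to pfsense"),
    Rule("pass", "any", "any", 40000, "torrents"),
    Rule("pass", "any", "any", None, "allow any"),
]
# Restricting DNS to the firewall: pass DNS to the LAN address, block any
# other DNS, then pass the rest. The order is what makes it work.
DNS_RESTRICTED = [
    Rule("pass", "any", LAN_ADDRESS, 53, "dns to pfsense"),
    Rule("block", "any", "any", 53, "block other dns"),
    Rule("pass", "any", "any", None, "allow any"),
]
```

    With AS_POSTED, `redundant_rules` reports every rule except "allow any", and a DNS query to an outside resolver passes via the catch-all; with DNS_RESTRICTED the same query is blocked while queries to the LAN address still pass.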



  • Sorry, but the last rule (torrents) actually uses port 40000, and I think I understand how rules work. Just for security reasons I edited that picture and changed the torrents port to any. Sorry for that, but the port used for torrents is actually 40000.


  • Rebel Alliance Global Moderator

    So you don't understand how torrents work then? These are your LAN rules, so you only allow talking to other people in the swarm on port 40000? What is that, like 3 other people on the planet? ;)

    Or do you have your rule set to source port 40000? I am quite sure your client uses random source ports when it talks to others in the swarm or seeders. It might listen on 40000, but those return connections would be allowed by your state table if you forwarded 40000 into your client, etc.

    Why would you think you need to hide something like that? Do we know your IP address? Do we even know your netblock? What does it matter then?



  • Problem solved! PPPoE periodic reset deactivated and now everything is fine. That option does not work.