Netgate Discussion Forum

    DNS Rules does not work properly in Pfsense 2.1

    Category: Firewalling
    7 Posts, 2 Posters, 2.1k Views
    claudiudanila

      Hi all. I have a problem with pfSense 2.1. When I wake my computer (Windows 8.1) from sleep in the morning, pfSense blocks DNS requests. I have a rule to pass traffic from the LAN subnet to the LAN address on port 53 (DNS), but this rule does not work properly. In the firewall logs I can see that this rule sometimes does not work (I can see blocked DNS requests from the LAN). In the morning, for example, I have to log in to the firewall and disable/enable the DNS rule to make it work properly. This rule is locked somehow. I have a PPPoE connection with a periodic reset at 06 AM.

      johnpoz (LAYER 8 Global Moderator)

        For both UDP and TCP - DNS can and does use TCP depending.

        The default LAN rule allows all outbound traffic, be it to the LAN address or the internet, for all ports. So what rules have you put in place to change this?

        Can you post up your lan rules.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          claudiudanila

          I found something in the general section. I think the periodic reset was started at 06:00:00. At the end you can see that I started the computer at 12:18:15. The only way to get the internet to work was to log in to pfSense and disable/enable the DNS rule.

          Nov 19 06:00:00 check_reload_status: Configuring interface wan
          Nov 19 06:00:03 check_reload_status: Rewriting resolv.conf
          Nov 19 06:00:04 php: rc.interfaces_wan_configure: Starting 3gstats.php on device '' for interface 'wan'
          Nov 19 06:00:12 php: rc.newwanip: ROUTING: setting default route to 10.0.0.1
          Nov 19 06:00:12 php: rc.newwanip: ROUTING: setting IPv6 default route to fe80::1%em0
          Nov 19 06:00:13 php: rc.newwanip: ROUTING: setting default route to 10.0.0.1
          Nov 19 06:00:14 php: rc.newwanip: ROUTING: setting IPv6 default route to fe80::1%em0
          Nov 19 06:00:18 php: rc.newwanip: Resyncing OpenVPN instances for interface WANPPPOE.
          Nov 19 06:00:18 php: rc.newwanip: Creating rrd update script
          Nov 19 06:00:19 php: rc.newwanip: Resyncing OpenVPN instances for interface WANPPPOE.
          Nov 19 06:00:19 php: rc.newwanip: Creating rrd update script
          Nov 19 06:00:20 php: rc.newwanip: pfSense package system has detected an ip change 188.24.122.13 -> 188.24.117.177 … Restarting packages.
          Nov 19 06:00:20 check_reload_status: Starting packages
          Nov 19 06:00:20 check_reload_status: Reloading filter
          Nov 19 06:00:21 php: rc.newwanip: pfSense package system has detected an ip change 188.24.117.177 -> 188.24.117.177 ... Restarting packages.
          Nov 19 06:00:23 php: rc.start_packages: Restarting/Starting all packages.
          Nov 19 06:00:34 check_reload_status: updating dyndns WANPPPOE_PPPOE
          Nov 19 06:00:34 check_reload_status: Restarting ipsec tunnels
          Nov 19 06:00:34 check_reload_status: Restarting OpenVPN tunnels/interfaces
          Nov 19 06:00:34 check_reload_status: Reloading filter
          Nov 19 12:18:15 check_reload_status: Linkup starting re0
          Nov 19 12:18:15 kernel: re0: link state changed to UP
          Nov 19 12:18:18 php: rc.linkup: DEVD Ethernet attached event for lan
          Nov 19 12:18:18 php: rc.linkup: HOTPLUG: Configuring interface lan
          Nov 19 12:18:18 php: rc.linkup: The command '/sbin/ifconfig 're0' inet delete' returned exit code '1', the output was 'ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address'
          Nov 19 12:18:25 check_reload_status: updating dyndns lan
          Nov 19 12:18:58 php: /index.php: Successful login for user 'admin' from: 192.168.1.101
          Nov 19 12:18:58 php: /index.php: Successful login for user 'admin' from: 192.168.1.101
          Nov 19 12:21:36 check_reload_status: Syncing firewall
          Nov 19 12:21:41 check_reload_status: Reloading filter

            johnpoz (LAYER 8 Global Moderator)

            Ok, clearly you don't understand how the firewall rules work, since every rule you have there is pointless with that last rule, where you allow all. It's nice you put a label on it called torrents, but you're saying your LAN can go anywhere on any port. Be that your LAN address or the internet, on DNS or not, etc.

            So you allow 80 from LAN; where is it you block everything else? Rules are processed top to bottom. All your rules are allow, then the last rule is allow all. So it is pointless to have any of those rules there, other than the last one.

            Now clearly you have something messed up if you have to reset anything to get internet, but it has nothing to do with that DNS rule. You need to look elsewhere, and you might as well redo those rules, because they are all pointless ;)

            What is it you want to accomplish? I'd be happy to help you write the rules. If you want to only allow access to pfSense for DNS, that is easy enough - but not when you have an allow any/any at the end ;)

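            The point johnpoz makes (first-match processing, so an allow any/any at the bottom makes every allow rule above it dead) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: a minimal first-match evaluator for a LAN-tab-style ruleset plus a redundancy check, run over a constructed approximation of the posted rules (as johnpoz read them) and a variant that only permits DNS to the firewall itself. The LAN address, sample destinations and rule labels are assumed values.

```python
from ipaddress import ip_address, ip_network

LAN_ADDR = "192.168.1.1/32"  # pfSense LAN interface address (constructed)

def rule(action, proto, dst, dport, label):
    # All rules here have source = LAN subnet, like the poster's LAN tab.
    return dict(action=action, proto=proto, dst=dst, dport=dport, label=label)

def matches(r, pkt):
    proto, dst, dport = pkt
    if r["proto"] != "any" and proto not in r["proto"].split("/"):
        return False
    if r["dst"] != "any" and ip_address(dst) not in ip_network(r["dst"]):
        return False
    return r["dport"] is None or r["dport"] == dport

def verdict(rules, pkt):
    # pfSense interface rules are first-match; no match means the implicit default deny.
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "block"

def redundant_rules(rules, samples):
    # A rule is redundant when removing it changes no sample packet's verdict.
    labels = []
    for i, r in enumerate(rules):
        without = rules[:i] + rules[i + 1:]
        if all(verdict(rules, p) == verdict(without, p) for p in samples):
            labels.append(r["label"])
    return labels

# Constructed approximation of the ruleset discussed in the thread.
POSTED = [
    rule("pass", "tcp/udp", LAN_ADDR, 53, "dns"),
    rule("pass", "tcp", "any", 80, "http"),
    rule("pass", "any", "any", None, "torrents"),   # allow any/any at the end
]
# Same intent, but DNS is only allowed to the firewall itself.
FIXED = [
    rule("pass", "tcp/udp", LAN_ADDR, 53, "dns"),
    rule("block", "tcp/udp", "any", 53, "no-external-dns"),
    rule("pass", "any", "any", None, "allow-rest"),
]
# Constructed sample packets (proto, dst ip, dst port) from a LAN host.
SAMPLES = [("udp", "192.168.1.1", 53), ("udp", "8.8.8.8", 53),
           ("tcp", "93.184.216.34", 80), ("tcp", "93.184.216.34", 40000)]

if __name__ == "__main__":
    print("redundant in posted set:", redundant_rules(POSTED, SAMPLES))   # ['dns', 'http']
    print("redundant in fixed set: ", redundant_rules(FIXED, SAMPLES))    # []
```

The check is only as good as the sample packets, so feed it one packet per rule plus the traffic you want denied; with the block rule in place, DNS to 8.8.8.8 is dropped while everything else still passes.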
              claudiudanila

              Sorry, but the last rule (torrents) actually uses port 40000, and I think I understand how rules work. Just for security reasons I edited that picture and changed the torrents port to any. Sorry for that, but the port used for torrents is actually 40000.

                johnpoz (LAYER 8 Global Moderator)

                So you don't understand how torrents work then? These are your LAN rules, so you only allow talking to other people in the swarm on port 40000? What is that, like 3 other people on the planet? ;)

                Or do you have your rule set to source port 40000? I am quite sure your client uses random source ports when it talks to others in the swarm or seeders. It might listen on 40000, but those return connections would be allowed by your state table if you forwarded 40000 in to your client, etc.

                Why would you think you need to hide something like that? Do we know your IP address? Do we even know your netblock? What does it matter then?

                  claudiudanila

                  Problem solved! PPPoE periodic reset deactivated, and now everything is fine. That option does not work.
