Default DNS Queries blocked. Just allow all rule working



  • Hi,

    I'm having some strange issues with my internet access from OPT interfaces.

    Interfaces:

    192.168.0.2/24    WAN Interface Gateway: 192.168.0.1  (DSL Modem)
    10.0.10.1/24        Guest-Lan Interface

    The DHCP server on the Guest interface is running with no extra entry for DNS server or gateway.
    Therefore all DNS queries have to be forwarded to the DNS forwarder, and the gateway should be the one defined at System -> General: "192.168.0.1" and "8.8.8.8" with gateway "192.168.0.1".

    Firewall Rules on Guest:

    Case1: Access only to the Wan net

    IPv4 TCP/UDP * * WAN net * * none
    Result: All DNS Queries are being blocked! No Internet access.

    Firewall log:
    Source 10.0.10.2:2061  to Destination  10.0.10.1:53 Protocol UDP
    @5 block drop in log inet all label "Default deny rule IPv4"
    Source 10.0.10.222:58686  to Destination  67.208.88.211:33000 Protocol TCP
    @5 block drop in log inet all label "Default deny rule IPv4"

    Case2: I set the rule Allow all

    IPv4 TCP/UDP * * * * * none
    Result: Full internet access. Full DNS access to the interface IP address.

    So, the firewall even blocks access to the Guest LAN interface (10.0.10.1). This is the default gateway and DNS (forwarder) IP.
    I thought that pfSense does not block any access to IP addresses on the same subnet at all. I can ping some other clients on the same net successfully.

    The only rule that works is the Allow All rule.

    Any ideas?

    Peter






  • It's a firewall - it blocks everything and you have to allow what you want to allow. If you want clients to be able to send DNS requests to OPT1address port 53, then put a rule on OPT1:
    pass TCP+UDP source OPT1net destination OPT1address port 53 (DNS)

    To access the internet, you need to pass source OPT1net, destination "almost anywhere". Allowing just to WANnet will just let them try the webGUI of your ISP modem/router device. Real users probably want to also get to Facebook, Google, Amazon…  ;)



  • Thanks for the answer.

    I already tried to unblock DNS. This surely works.
    pass TCP+UDP source OPT1net destination OPT1address port 53 (DNS)

    I wonder if the sense of the gateway is to handle this "allow all to IP addresses I don't know - public, Facebook etc.".
    So all tries to go to the internet will be sent from, for example, an OPT1 client out over the default gateway (DSL modem).

    By default all is blocked at my firewall and I want to selectively add access to the internet for some IPs or segments only. So I cannot use "Allow all" or "almost anywhere" and then block segments I do not want them to reach. This would be the opposite sense of the firewall. (Allow all, restrict when needed or known.)
    Something like an alias for "Internet" would be nice to use with fw rules.

    Peter



  • Something like an alias for "Internet" would be nice to use with fw rules.

    You can make an alias called "Internet" and add whatever IP addresses and FQDNs you like, and make a rule to pass to destination "Internet". And yes, in the strict sense you are right, the theoretical firewall "should" just allow traffic to the particular places that are allowed (="white-listed"). But in practice users want to search for stuff and find answers on sites all over the place. So a strict white-list system is usually unworkable in practice.



    That's true. I then added a deny rule to all OPT interfaces, so they are not allowed to enter other OPT interfaces.
    Don't know if this way is ideal, because it might happen that someone forgets to block one interface - so all guests can enter that specific subnet. A continuous check is necessary.

    A handy alias IP range would be nice. Something like "grant access to all non-private IP addresses". :-)



  • It has been mentioned before to have some built-in aliases. But it is easy enough to do that yourself. Make an Alias "RFC1918" or "PrivateIPv4". Put 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 in it. Then use that to block (or pass destination !RFC1918). That way when you add new local subnets in private space, rules are already in place.
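To make the rule behaviour discussed in this thread concrete, here is an added Python model (not pfSense code) of top-down first-match rule evaluation with the implicit default deny. It replays the Case 1 rule set from the first post and the rule set suggested in the replies (pass DNS to the OPT1 address on port 53, then pass destination !RFC1918); the "other OPT subnet" address 10.0.20.5 used in the usage note is a constructed example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Objects named in the thread. All rules below have source "OPT1 net" (10.0.10.0/24),
# so only protocol, destination and destination port are modelled here.
TCP_UDP = frozenset({"tcp", "udp"})
WAN_NET = ipaddress.ip_network("192.168.0.0/24")
OPT1_ADDRESS = ipaddress.ip_address("10.0.10.1")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    proto: frozenset
    dst: object               # IPv4Network, IPv4Address, list of networks (alias), or None for "*"
    dst_port: Optional[int]   # None for "*"
    invert_dst: bool = False  # the destination "not" checkbox, e.g. !RFC1918
    label: str = ""

def dst_matches(rule: Rule, ip: ipaddress.IPv4Address) -> bool:
    if rule.dst is None:
        hit = True
    elif isinstance(rule.dst, list):
        hit = any(ip in net for net in rule.dst)
    elif isinstance(rule.dst, ipaddress.IPv4Address):
        hit = ip == rule.dst
    else:
        hit = ip in rule.dst
    return hit != rule.invert_dst

def evaluate(rules, proto: str, dst_ip: str, dst_port: int) -> str:
    """First matching pass rule wins; anything unmatched hits the implicit default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if proto in rule.proto and dst_matches(rule, ip) and rule.dst_port in (None, dst_port):
            return f"pass ({rule.label})"
    return "block (Default deny rule IPv4)"

# Case 1 from the first post: only "WAN net" is allowed, so DNS to 10.0.10.1 is denied.
CASE1 = [Rule(TCP_UDP, WAN_NET, None, label="to WAN net")]

# Rule set suggested in the replies. The DNS rule must come first: 10.0.10.1 is itself
# RFC1918 space, so "!RFC1918" alone would still block queries to the forwarder.
SUGGESTED = [
    Rule(TCP_UDP, OPT1_ADDRESS, 53, label="DNS to OPT1 address"),
    Rule(TCP_UDP, RFC1918, None, invert_dst=True, label="to !RFC1918"),
]

if __name__ == "__main__":
    print(evaluate(CASE1, "udp", "10.0.10.1", 53), "|", evaluate(SUGGESTED, "udp", "10.0.10.1", 53))
```

With SUGGESTED, `evaluate(SUGGESTED, "tcp", "67.208.88.211", 33000)` passes via the !RFC1918 rule while `evaluate(SUGGESTED, "tcp", "10.0.20.5", 80)` (a constructed second OPT subnet) falls through to the default deny, which is the behaviour the last two posts are after.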

