Netgate Discussion Forum
    Default DNS Queries blocked. Just allow all rule working

      peer_g

      Hi,

      Having some strange issues with my internet access from OPT interfaces.

      Interfaces:

      192.168.0.2/24    WAN Interface Gateway: 192.168.0.1  (DSL Modem)
      10.0.10.1/24        Guest-Lan Interface

      DHCP Server on Guest-Interface running with no extra entry at DNS-Server or Gateway.
      Therefore all DNS queries have to be forwarded to the DNS forwarder, and the gateway should be the one defined at System -> General: "192.168.0.1" and "8.8.8.8" with gateway "192.168.0.1".

      Firewall Rules on Guest:

      Case1: Access only to the Wan net

      IPv4 TCP/UDP * * WAN net * * none
      Result: All DNS Queries are being blocked! No Internet access.

      Firewall log:
      Source 10.0.10.2:2061  to Destination  10.0.10.1:53 Protocol UDP
      @5 block drop in log inet all label "Default deny rule IPv4"
      Source 10.0.10.222:58686  to Destination  67.208.88.211:33000 Protocol TCP
      @5 block drop in log inet all label "Default deny rule IPv4"

      Case2: I set the rule Allow all

      IPv4 TCP/UDP * * * * * none
      Result: Full Internet access. Full DNS access to the interface IP address.

      So, the firewall even blocks access to the Guest-LAN interface (10.0.10.1). This is the default gateway and DNS (forwarder) IP.
      I thought that pfSense does not block any access to IP addresses on the same subnet at all. I can ping some other clients on the same net successfully.

      The only rule that works is the Allow All-Rule.

      Any ideas?

      Peter

        phil.davis

        It's a firewall - it blocks everything and you have to allow what you want to allow. If you want clients to be able to send DNS requests to OPT1address port 53, then put a rule on OPT1:
        pass TCP+UDP source OPT1net destination OPT1address port 53 (DNS)

        To access the internet, you need to pass source OPT1net, destination "almost anywhere". Allowing just to WANnet will just let them try the webGUI of your ISP modem/router device. Real users probably want to also get to Facebook, Google, Amazon…  ;)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          peer_g

          Thanks for the answer.

          I already tried to unblock DNS. This surely works.
          pass TCP+UDP source OPT1net destination OPT1address port 53 (DNS)

          I wonder if the sense of the gateway is to handle this "allow all to IP addresses I don't know: public, Facebook etc."
          So all tries to go to the internet will be sent, for example from an OPT1 client, out over the default gateway (DSL modem).

          By default all is blocked at my firewall, and I want to selectively add access to the internet for some IPs or segments only. So I cannot use "Allow all" or "almost anywhere" and then block segments I do not want them to reach. This would be the opposite sense of the firewall (allow all, restrict when needed or known).
          Something like an alias for "Internet" would be nice to use with fw rules.

          Peter

            phil.davis

            Something like an alias for "Internet" would be nice to use with fw rules.

            You can make an alias called "Internet" and add whatever IP addresses and FQDNs you like, and make a rule to pass to destination "Internet". And yes, in the strict sense you are right, the theoretical firewall "should" just allow traffic to the particular places that are allowed (="white-listed"). But in practice users want to search for stuff and find answers on sites all over the place. So a strict white-list system is usually unworkable in practice.

              peer_g

              That's true. I then added a deny rule to all OPT interfaces, so they are not allowed to enter other OPT interfaces.
              Don't know if this way is ideal, because it might happen that someone forgets to block one interface, so all guests can enter that specific subnet. A continuous check is necessary.

              A handy alias IP range would be nice. Something like "grant access to all non-private IP addresses". :-)

                phil.davis

                It has been mentioned before to have some built-in aliases. But it is easy enough to do that yourself. Make an Alias "RFC1918" or "PrivateIPv4". Put 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 in it. Then use that to block (or pass destination !RFC1918). That way when you add new local subnets in private space, rules are already in place.

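The following is an added example, not code from the thread or from pfSense: a small first-match model of interface rules, used to check the three rule sets discussed above (Case 1 "pass to WAN net", the allow-all rule, and the DNS rule plus the "!RFC1918" alias rule) against the poster's addressing. The second OPT subnet 10.0.20.0/24 is constructed here to show that a subnet added later is covered by the alias rule without any further change.

```python
# pf evaluates an interface's rules top to bottom; the first pass/block that
# matches wins, and anything unmatched hits the implicit "Default deny rule".
# Only the destination and port are modelled, since that is what the thread
# turns on. Addresses other than 10.0.10.0/24 (guest LAN) and 192.168.0.0/24
# (WAN net) from the first post are constructed sample values.
import ipaddress

OPT1_NET = ipaddress.ip_network("10.0.10.0/24")   # Guest-LAN from the post
OPT1_ADDR = ipaddress.ip_address("10.0.10.1")     # interface IP = DNS forwarder
WAN_NET = ipaddress.ip_network("192.168.0.0/24")
# The alias from the last post: all RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_alias(ip, alias):
    return any(ip in net for net in alias)

def matches(rule, dst_ip, dst_port):
    """rule = (action, destination, port). destination is a list of networks,
    a single host, ("not", networks) for a negated alias, or None for any.
    port None means any port."""
    action, dest, port = rule
    if port is not None and port != dst_port:
        return False
    if dest is None:
        return True
    if isinstance(dest, tuple) and dest[0] == "not":
        return not in_alias(dst_ip, dest[1])
    if isinstance(dest, ipaddress.IPv4Address):
        return dst_ip == dest
    return in_alias(dst_ip, dest)

def verdict(rules, dst, port):
    """Return the action of the first matching rule, else the default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst_ip, port):
            return rule[0]
    return "block (Default deny rule IPv4)"

# Case 1 from the first post: only "pass to WAN net" (no rule covers 10.0.10.1).
CASE1 = [("pass", [WAN_NET], None)]
# Case 2 from the first post: allow all (also reaches every other OPT subnet).
CASE2 = [("pass", None, None)]
# The DNS rule from the second post plus the !RFC1918 rule from the last post.
RECOMMENDED = [
    ("pass", OPT1_ADDR, 53),            # OPT1net -> OPT1address port 53
    ("pass", ("not", RFC1918), None),   # OPT1net -> !RFC1918, i.e. the Internet
]
```

Running verdict() with the two destinations from the poster's firewall log reproduces the Case 1 blocks, while the RECOMMENDED set passes them and still denies the constructed 10.0.20.5 and the modem at 192.168.0.1.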
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.