Netgate Discussion Forum
    IP specific DNS for ADSL->pfSense->WiFi setup…

    Category: DHCP and DNS (5 posts, 2 posters, 1.3k views)
    • madhvan.vivek

      Dear All,

      I am new to pfSense and networking, and request your guidance on the issue below.

      I have the following setup at my home:
      ADSL (service provider)->pfSense (firewall, antivirus and snort on pcengines APU)->WiFi (Asus RT-N66u)

      • All devices (WiFi & eth) are connected to my WiFi router, and I have an 8-port switch to extend eth connections (NAS, TV, AMP, Media Player, DVR etc.)
      • WiFi assigns IP addresses to ALL devices (WiFi and eth)
      • My WiFi has the capability for DNS Filtering (IP/MAC based) where I can assign a custom DNS for a device
      • I basically use a combination of Norton Safe, Family and Children as my DNS
      • After connecting pfSense, DNS is getting overwritten with my ISP DNS, which is generic (without content filtering)

      Request your help to:

      • Disable pfSense DNS so that WiFi DNS is used as it was earlier OR
      • Replicate DNS Filtering that is currently there on WiFi on to pfSense as well

      Is changing the router to AP mode the only option? Appreciate your guidance on the above issue…

      Regards.

      • phil.davis

        I suspect you have DHCP enabled on pfSense and on WiFi. So sometimes devices are getting DHCP from pfSense, which will default to giving them DNS through pfSense also.
        You could disable pfSense DHCP - Services->DHCP Server, LAN tab, uncheck "Enable". That is probably reasonable if you are happy with the options your WiFi device gives for DHCP.
        Personally, I would use the DHCP on pfSense, and disable it on the WiFi device.
        On pfSense, you allocate a pool of addresses for general DHCP. Then for devices you want to be special, first connect them to the network, then go to Status->DHCP Leases, find the device in the list, click the plus button to allocate a static-mapped address. Give each special device an IP address outside the pool. Specify the DNS server IP addresses you want to give that device, Save.
        That should do something similar to your WiFi.
        If you want to control it a bit more, you can also add rules on LAN that only pass DNS from (source) the IP of each particular device to (destination) the DNS server/s that device should be using. Then block all other DNS from the special devices (or from the whole LAN). That will make it one step more difficult for a device user to get around the settings.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • madhvan.vivek

          Dear Phil,

          Many thanks for your email and apologies for the delayed reply.

          As suggested by you, I have converted my Asus RT-N66u to an AP and registered a few of the clients with static IPs. When the clients are booting up, they are getting the IP as well as the DNS from the pfSense DHCP server (disabled the DNS forwarder). It is working as desired now…

          However, I am not sure if I have understood the final solution suggested by you ("If you want to control it a bit more..."). The following is what I understand, please correct me if I am wrong:

          • Add rules for IP 192.168.2.6 where destination port is 53 to be routed to Norton_ChildSafe_DNS_IP,
            where 192.168.2.6 is my kid's tablet's static IP.

          In the above scenario, I am not sure how to force the DNS discovery packets to Norton_ChildSafe_DNS_IP? Request you to please guide me on this...

          Many thanks for your help and guidance, appreciate it.

          Regards.

          • phil.davis

            In the static-mapped DHCP entry for Kid-tablet 192.168.2.6 you will have put DNS as Norton_ChildSafe_DNS_IP. So the tablet should have that DNS address and use it fine.
            You do not want any DNS requests from that tablet 192.168.2.6 to go to any other DNS server (e.g. if Kid1, Kid2 etc. learn how to mess with their tablet and choose another DNS server).
            I would do something like:

            1. Add an Alias "ChildsafeDevices" - put the IP addresses of all the kids devices that should be using Norton_ChildSafe_DNS.

            2. Add an alias "Norton_ChildSafe_DNS" and put in the Norton_ChildSafe_DNS_IP(s)

            3. On LAN put a rule at the top after the anti-lockout rule:
              pass protocol TCP/UDP source ChildsafeDevices port any destination Norton_ChildSafe_DNS port DNS (53)

            4. After that rule on LAN, put another rule:
              block protocol TCP/UDP source ChildsafeDevices port any destination any port DNS (53)

            That will allow ChildsafeDevices to access only Norton_ChildSafe_DNS and no other DNS server.

            This stuff can be worked around - e.g. if the kids change the IP address on their tablet and set a fixed one instead of taking DHCP, then they avoid the rule. When you discover they are playing tricks like that, then you have to make a separate KidsWiFi interface, with separate subnet, and DNS for that whole subnet locked to Norton_ChildSafe_DNS.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
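Phil's steps 1 to 4 as a small model of how a pfSense interface rule set is evaluated, added here as an example and not code from the thread or from pfSense itself: aliases expand to address lists, rules are checked top to bottom with the first match winning, and anything unmatched falls to the implicit default deny. It also reproduces the caveat in the last paragraph, since a device that picks its own static IP outside the ChildsafeDevices alias is handled by the stock "Default allow LAN to any" rule instead. The Norton resolver addresses and the second child device are constructed placeholders; 192.168.2.6 is the tablet from the thread.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Set

# Steps 1 and 2: the aliases. Constructed values: 192.168.2.6 is the tablet from the
# thread, 192.168.2.7 a second child device, 198.51.100.x stands in for Norton_ChildSafe_DNS_IP.
ALIASES = {
    "ChildsafeDevices": ["192.168.2.6", "192.168.2.7"],
    "Norton_ChildSafe_DNS": ["198.51.100.10", "198.51.100.11"],
    "LAN net": ["192.168.2.0/24"],
}

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    proto: Optional[Set[str]]   # None = any protocol
    src: str                    # alias name or "any"
    dst: str
    dport: Optional[int]        # None = any port

# One packet/flow seen on the LAN interface: protocol, source IP, destination IP, dest port.
Flow = namedtuple("Flow", "proto src dst dport")

def in_alias(ip: str, alias: str) -> bool:
    if alias == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])

def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.proto is None or flow.proto in rule.proto)
            and in_alias(flow.src, rule.src) and in_alias(flow.dst, rule.dst)
            and (rule.dport is None or rule.dport == flow.dport))

# LAN tab in Phil's order (anti-lockout rule omitted): step 3, step 4, then the
# stock "Default allow LAN to any" rule that a fresh install ships with.
LAN_RULES = [
    Rule("pass", {"tcp", "udp"}, "ChildsafeDevices", "Norton_ChildSafe_DNS", 53),
    Rule("block", {"tcp", "udp"}, "ChildsafeDevices", "any", 53),
    Rule("pass", None, "LAN net", "any", None),
]

# First matching rule wins, as on a pfSense interface tab; no match = default deny.
def decide(flow: Flow, rules=LAN_RULES) -> str:
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"
```

Swapping the order of the step 3 and step 4 rules makes the block rule match first and cuts the tablet off from Norton too, which is why the pass rule has to sit above the block rule.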

            • madhvan.vivek

              Thank you very much for the inputs, appreciate it.

              Regards.
