Opendns+pfsense (web-filtering)



  • Hi there, I have implemented OpenDNS with my pfSense in my office, but the problem is that any geek can just change the DNS address of the machine and can surf the internet without any barriers.

    All I want is to force all my pfSense DHCP clients to use the OpenDNS IP, and if they change the DNS IP then no internet should work on their computer.

    thank you


  • Banned



  • Still no progress.

    I created the firewall rule, but after that I was unable to surf the internet from any of my pfSense DHCP clients.

    Please help me…

    ![Screenshot from 2015-06-16 15:50:17.png](/public/imported_attachments/1/Screenshot from 2015-06-16 15:50:17.png)


  • Banned

    Because you need to point your clients to your pfSense LAN IP as DNS server. And point the DNS server on your pfSense to forward the queries to OpenDNS. And if that's not what you want to do, you'll need to mix and match those two articles a bit more creatively and learn something.



  • I created the NAT rule too, but my pfSense DHCP clients are still unable to connect to the internet.

    ![Screenshot from 2015-06-16 16:08:55.png](/public/imported_attachments/1/Screenshot from 2015-06-16 16:08:55.png)


  • Banned

    If the previous screenshot is your entire ruleset on LAN, then they will never be able to connect to the Internet, since you nuked the default allow rule for an unknown reason.



  • Thanks for the answer, but please guide me how to sort out this problem.

    What are the steps I have to carry out to accomplish this task?

    Do I have to delete the firewall LAN rule, or what do I have to do?


  • Banned

    No, you need to put the default allow rule back below those DNS rules to allow outgoing traffic!



  • Is this the correct order?

    Please give a specific answer or guide; I am new to the pfSense router.

    ![Screenshot from 2015-06-16 16:34:27.png](/public/imported_attachments/1/Screenshot from 2015-06-16 16:34:27.png)


  • Banned

    No. Now you've blocked all DNS. No idea why you felt the need to shuffle those DNS rules. You also pretty much want "any", not "TCP/UDP", on the last rule. Otherwise, ping won't work and a bunch of other things won't work either.



  • So shall I move the block rule to the end, or what?

    Can you please guide me through the steps? It would be great.


  • Banned

    @doktornotor:

    No, you need to put the default allow rule back below those DNS rules to allow outgoing traffic!

    Not really sure what more to say.

    In general, read the fine docs. Managing firewalls without basic understanding of how it works is dangerous.

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics
    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • My scenario is that I want pfSense DHCP clients to use only the OpenDNS IP, and if they change to another DNS address on their machine then I want no internet on their machine.

    That's what I want.

    So what has to be done?


  • Banned

    Yeah, and you have all the needed answers above.



  • so what has to be done?

    You have to follow the instructions you have been given.

    #1.  Read this https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers and then make your LAN rules look like that.
    #2.  Read this https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense and then add that NAT rule.

    Dok spelled it all out for you.  The docs are clear.  What else do you need???


  • Banned

    If reading hurts too much: there are only 3! permutations of those 3 rules and only one does what you want.  :P



  • THANK YOU!!! FINALLY I DID IT…IT WAS ALL YOUR HELP

    ...PEACE



  • I am now able to block the use of third-party DNS servers in my network, and if anyone changes their DNS IP then they will be forced to redirect to my firewall LAN IP, which works like a charm.

    But now I want specific IP addresses to be excluded from that firewall rule and allowed to use the internet with any public DNS servers.

    Is that possible? If it is, then please guide me…

    Thank You


  • Banned

    Create an alias for excluded IPs.
    Use the alias negated (NOT) as source in the NAT rule.
    Use the alias negated (NOT) as source in the block rule.
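    The three LAN rules the thread converges on (allow DNS to the LAN address, block other DNS, default allow any), plus the negated exclusion alias from the post just above, as an added toy model of pfSense's top-down, first-match rule processing. This is illustration code, not pfSense's own; the LAN IP, the excluded host and all traffic samples are constructed values.

    ```python
    """Toy first-match evaluator for the LAN ruleset discussed in this thread.
    pfSense interface rules are processed top-down, first match wins, and
    unmatched traffic is dropped. Illustration only; addresses are constructed."""
    from itertools import permutations

    LAN_ADDRESS = "192.168.1.1"    # assumed pfSense LAN IP
    EXCLUDED = {"192.168.1.50"}    # assumed alias of hosts allowed to use any DNS

    def rule(name, action, proto=None, dport=None, dst=None, src_not=None):
        """Match criteria plus an action; None means 'any' for that field."""
        return dict(name=name, action=action, proto=proto, dport=dport,
                    dst=dst, src_not=src_not)

    def matches(r, p):
        return ((r["proto"] is None or p["proto"] in r["proto"])
                and (r["dport"] is None or p["dport"] == r["dport"])
                and (r["dst"] is None or p["dst"] == r["dst"])
                # negated (NOT) source alias: the rule skips the excluded hosts
                and (r["src_not"] is None or p["src"] not in r["src_not"]))

    def evaluate(rules, p):
        """Action of the first matching rule; pfSense's implicit default is block."""
        for r in rules:
            if matches(r, p):
                return r["action"]
        return "block"

    ALLOW_DNS_TO_FW = rule("allow-dns-to-pfsense", "pass", ("tcp", "udp"), 53, LAN_ADDRESS)
    BLOCK_OTHER_DNS = rule("block-other-dns", "block", ("tcp", "udp"), 53, None, EXCLUDED)
    ALLOW_ANY = rule("default-allow-any", "pass")   # 'any', not TCP/UDP, so ping works

    def pkt(src, dst, proto, dport=None):
        return dict(src=src, dst=dst, proto=proto, dport=dport)

    # constructed test traffic and the outcome the thread wants for each
    CASES = [
        (pkt("192.168.1.20", LAN_ADDRESS, "udp", 53), "pass"),       # DNS to pfSense
        (pkt("192.168.1.20", "203.0.113.53", "udp", 53), "block"),   # hand-set external DNS
        (pkt("192.168.1.20", "198.51.100.80", "tcp", 443), "pass"),  # web browsing
        (pkt("192.168.1.20", "198.51.100.80", "icmp"), "pass"),      # ping
        (pkt("192.168.1.50", "203.0.113.53", "udp", 53), "pass"),    # excluded host, any DNS
    ]

    def working_orders():
        """Names of the 3! orderings that satisfy every case; only one does."""
        good = []
        for order in permutations([ALLOW_DNS_TO_FW, BLOCK_OTHER_DNS, ALLOW_ANY]):
            if all(evaluate(order, p) == want for p, want in CASES):
                good.append(tuple(r["name"] for r in order))
        return good
    ```

    Putting the block rule above the allow-to-pfSense rule reproduces the "blocked all DNS" screenshot, and putting the default allow above the block rule reproduces the original problem where any client can pick its own resolver.
    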



  • Just trying to get some more help with setting up OpenDNS on my pfSense router/firewall. Dok here has tried a bit though I haven't gotten any further than I previously posted about in this thread https://forum.pfsense.org/index.php?topic=94912.

    I restarted the pfSense box and my computer, but OpenDNS claims I'm still not using their DNS servers. I turned on logging for the firewall rules that allow IPv4 + 6 DNS traffic to LAN Address and also the NAT-auto generated allow DNS traffic to 127.0.0.1 and then tried browsing sites and checking my OpenDNS setup on their website and saw the logs go up in the firewall log. How is it possible that I'm not using the OpenDNS servers setup in my System > General section? I even tried manually setting the OpenDNS IPv4 & IPv6 DNS servers in my Windows network adapter properties and still saw the DNS firewall logs populate, but OpenDNS still says I'm not using their servers.

    In case it's relevant, my DNS Resolver settings are the following:


  • Banned

    @MarkVLK:

    How is it possible that I'm not using the OpenDNS servers setup in my System > General section?

    Because that's NOT a setting for clients, as already noted on your own thread. Posting across another 10 threads won't exactly help.

    Also, DNS resolver will NOT use any of those unless forwarding is actually enabled.



  • @doktornotor:

    @MarkVLK:

    How is it possible that I'm not using the OpenDNS servers setup in my System > General section?

    Because that's NOT a setting for clients, as already noted on your own thread. Posting across another 10 threads won't exactly help.

    Also, DNS resolver will NOT use any of those unless forwarding is actually enabled.

    I noted in the other thread that the clients (or at least the PC I'm currently testing on) have the pfSense box's IPv4 & IPv6 LAN addresses listed as their DNS servers. Since the client has the pfSense box listed as its DNS server (and I've confirmed with Wireshark that DNS requests are indeed going from 192.168.1.x -> 192.168.1.1) and the pfSense box is set up to use OpenDNS as its DNS servers, what else is there for me to change?

    As far as forwarding being enabled, the pfSense DNS Resolver docs (https://doc.pfsense.org/index.php/Unbound_DNS_Resolver) say "Unbound (aka DNS Resolver) requires that the DNS Forwarder be disabled or be moved to a different port", so I assumed I was just supposed to keep it disabled as it was by default.

    The pfSense DNS Forwarder docs (https://doc.pfsense.org/index.php/DNS_Forwarder) say that "If the DNS forwarder is enabled, the internal interface IP for pfSense will be handed out to DHCP clients as a DNS server. If the DNS forwarder is disabled, the DNS servers configured on pfSense will be handed out instead." My DNS Forwarder is disabled, yet the internal interface IP for pfSense (192.168.1.1 & the IPv6 address for LAN) is being handed out to DHCP clients as the DNS server still.


  • Banned

    As I already noted above, DNS Resolver will not forward anything anywhere by default; it's a recursive DNS server. Kindly look at the GUI and tick the proper checkbox if you want unbound to forward your queries.



  • @doktornotor:

    As I already noted above, DNS Resolver will not forward anything anywhere by default; it's a recursive DNS server. Kindly look at the GUI and tick the proper checkbox if you want unbound to forward your queries.

    Apologies, I was thinking you meant the DNS Forwarder needed to be enabled. You mean to just check off the Enable Forwarding Mode under the DNS Query Forwarding section of the DNS Resolver?

    UPDATE: When I enabled forwarding mode in the DNS Resolver settings, all of my DNS queries started failing and I could no longer browse the internet.

    UPDATE 2: I tried testing the OpenDNS connection on their website from my phone and, lo and behold, it works. I assume the issue was with the fact that the PC I was testing on has a static IP assignment in the DHCP Server on the pfSense box.