Netgate Discussion Forum
    Resolver access lists : is at least one always needed?

    General pfSense Questions
    6 Posts 3 Posters 1.7k Views
    jmacdonald:

      Hi. In the docs it says this:

      "When using specific interface bindings on the main tab, or when allowing queries across VPNs, Access Lists are needed to allow the clients to reach the DNS Resolver. Specific known-bad clients or networks could also be denied."

      I take this to mean "if you are binding to specific interfaces, not 'All', then you need access lists".

      However, it appears you need to create access lists no matter what for it to respond. (If I don't create an access list I get REFUSED.)

      Am I just reading something wrong?

    fragged:

        Local networks are added to allow list by default.

    jmacdonald:

          Well. That is what I would have assumed too except it refused any attempt I made from both WAN and LAN sides of the firewall.

    fragged:

            @jmacdonald:

            Well. That is what I would have assumed too except it refused any attempt I made from both WAN and LAN sides of the firewall.

            Have you messed around with the default rules on LAN? You obviously need to get through the firewall first before you can reach the DNS server. I haven't seen anyone else reporting problems with accessing the DNS resolver.

    jmacdonald:

    I made a Windows VM that lives behind the firewall. That is where I do my testing from. The firewall rules for the LAN interface look like this: https://i.imgur.com/Z2xyRlu.png which, to me, looks like everything is open.

    This is a testing device and I don't mind sending an XML backup of it, or cooperating via some screen sharing etc. I can easily make this work for me, but I wanted to understand if it was a PEBKAC or not.

    ptankov:

                @jmacdonald I have the exact same question and would love to see some comments on it. Thanks!
                Also, what is the rule to add in order to have "Allow All"? I tried 0.0.0.0/128 but that didn't work.

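The thread turns on two behaviours of unbound, the daemon behind the pfSense DNS Resolver: a client that matches no access-control entry is refused (unbound's documented default), and when several entries match, the most specific netblock wins. The Python below is an added example, not code from this thread, from pfSense or from unbound; it models those two rules, checks whether a netblock is one unbound would accept (which is why an entry like 0.0.0.0/128 cannot work, while 0.0.0.0/0 is the "everything" netblock), and pulls the status word out of a dig reply so you can tell a REFUSED from the resolver apart from a firewall drop. The LAN_ACL entries and the dig header are constructed for illustration.

```python
"""Model of how unbound applies its access-control list.
Added example, not pfSense or unbound code. Networks, client addresses
and the dig output below are constructed for illustration."""
import ipaddress
import re

# Actions unbound accepts on an access-control line.
VALID_ACTIONS = {"allow", "allow_snoop", "deny", "refuse",
                 "deny_non_local", "refuse_non_local"}

# A client matching no entry gets this: unbound's documented default,
# and the REFUSED status reported in the thread.
DEFAULT_ACTION = "refuse"


def is_valid_netblock(text):
    """True if text is a netblock unbound would accept: address/prefix with
    the host bits clear. 0.0.0.0/128 fails (an IPv4 prefix cannot exceed /32);
    0.0.0.0/0 is the legitimate match-everything netblock."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


def to_access_control(entries):
    """Render (netblock, action) pairs as unbound access-control lines,
    rejecting bad input loudly instead of silently dropping the entry."""
    lines = []
    for net, action in entries:
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown unbound action {action!r}")
        if not is_valid_netblock(net):
            raise ValueError(f"invalid netblock {net!r}")
        network = ipaddress.ip_network(net, strict=True)
        lines.append(f"access-control: {network} {action}")
    return lines


def resolve_action(entries, client_ip):
    """Decide what unbound does with a query from client_ip: the most specific
    (longest-prefix) matching entry wins; no match means DEFAULT_ACTION."""
    ip = ipaddress.ip_address(client_ip)
    best_net, best_action = None, DEFAULT_ACTION
    for net, action in entries:
        network = ipaddress.ip_network(net, strict=True)
        if network.version != ip.version or ip not in network:
            continue
        if best_net is None or network.prefixlen > best_net.prefixlen:
            best_net, best_action = network, action
    return best_action


DIG_HEADER = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+)")


def dig_status(output):
    """Return the status word (NOERROR, REFUSED, ...) from dig's header line,
    or None if the output has no header (e.g. a timeout)."""
    match = DIG_HEADER.search(output)
    return match.group(1) if match else None


# Constructed ACL resembling what the default "local networks" entries give
# you: loopback plus the LAN subnet, and nothing for a VPN tunnel subnet.
LAN_ACL = [
    ("127.0.0.0/8", "allow"),
    ("192.168.1.0/24", "allow"),
]

# Constructed dig header as seen from a client that no entry matches.
REFUSED_REPLY = (
    ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711\n"
    ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
)

if __name__ == "__main__":
    for line in to_access_control(LAN_ACL):
        print(line)
    print("LAN client:", resolve_action(LAN_ACL, "192.168.1.50"))
    print("VPN client:", resolve_action(LAN_ACL, "10.8.0.5"))
    print("dig status:", dig_status(REFUSED_REPLY))
    print("0.0.0.0/128 valid?", is_valid_netblock("0.0.0.0/128"))
```

On a pfSense box the rendered lines live in the generated unbound configuration under /var/unbound/, so `grep access-control /var/unbound/unbound.conf` shows exactly which netblocks the resolver will accept. When testing from a client, look at the status line of `dig @<resolver-ip> example.com`: REFUSED means the packet reached unbound and the ACL rejected it, whereas a timeout with no header at all points at the firewall rules, which is the distinction fragged raises above.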
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.