Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Single wan gateway but DNS filtering per LANs ( or IPs ) like in 2 gateway ?

    Scheduled Pinned Locked Moved DHCP and DNS
    6 Posts 2 Posters 2.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      n3by
      last edited by

      Hi,

      I try to do a filtering using DNS filter & pfblockerNG DNSBL ( no more SquidGuard ).

      • OpenDNS will do filtering for parental control.
      • GoogleDNS will skip parental control.
      • pfblocker DNSBL will do filtering for Adverts, Tracking… for all DNS request.

      I have one WAN gateway and 4 LAN's.

      I want that some LANs ( or IPs ) to use OpenDNS servers and others LANs ( or IPs ) to use GoogleDNS or similar servers.
      Something like having 2 wan gateways with different DNS servers so I can force traffic from a LAN or IP to use DNS from specific gateway, but I don't think is possible to do something like a "virtual gateway" to achieve this setup.

      I can't use DNS overwrite in DHCP server or static ARP other than LAN IP interface as DNS; because if DNS is not handled by pfsense it will escape from pfbDNSBL filtering... this is the problem I am facing now, clients that use GoogleDNS escape from pfbDNSBL filter.

      Clients from LANs will have get DNS server only from pfsense ( LAN IP interface ) and all attempt to use another DNS server will be redirected to DNS servers assigned to that interface. ( this part is well described in pfsense DNS redirect tutorials ).

      any idea if this can be done and how ?

      thank you
      DNS.jpg
      DNS.jpg_thumb

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        I do this by setting up DNS forwarder to listen just on Localhost port 8053.

        I set the forwarder to use OpenDNS as its servers.

        I then place a port forward on the controlled LAN (OPT2) that redirects all traffic for OPT2 address TCP/UDP 53 to 127.0.0.1 8053.

        Naturally, you have to block all TCP/UDP/53 other than to OPT2 address.

        Everyone else just uses DNS Resolver normally.

        Don't use pfblockerng so this might not help you at all.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • N
          n3by
          last edited by

          Hi,

          thank you for answer,

          I can try this with your help but please let me know where I can set the DNS servers to be used by forwarder because I can't see it yet.

          Thank you

          ![2015-11-15 01.34.07.jpg](/public/imported_attachments/1/2015-11-15 01.34.07.jpg)
          ![2015-11-15 01.34.07.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.34.07.jpg_thumb)
          ![2015-11-15 01.34.14.jpg](/public/imported_attachments/1/2015-11-15 01.34.14.jpg)
          ![2015-11-15 01.34.14.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.34.14.jpg_thumb)
          ![2015-11-15 01.36.47.jpg](/public/imported_attachments/1/2015-11-15 01.36.47.jpg)
          ![2015-11-15 01.36.47.jpg_thumb](/public/imported_attachments/1/2015-11-15 01.36.47.jpg_thumb)

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Sorry.  I have this in the Advanced section:

            no-resolv
            strict-order
            server=208.67.222.222
            server=208.67.220.220

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • N
              n3by
              last edited by

              Thank you very much for your help.

              I set Forwarder according to your indications and this config with Forwarder using one DNS server and Resolver another DNS servers it is working ok for multi DNS - content filtering.
              I will stick with this configuration because it is easy to maintain and can be apply also to DNS per IP not only to LAN, using redirecting in NAT - Port Porward based on IP Source address.

              Unfortunately with this setup Forwarder still escape from pfbDNSBL filter.

              1 Reply Last reply Reply Quote 0
              • N
                n3by
                last edited by

                Now I understand why pfBlockerNG can't work with Forwarder to filter DNS.

                pfBlockerNG is using Unbound which have function Dnsspoof to do DNS filtering.

                https://calomel.org/unbound_dns.html

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.