    Single wan gateway but DNS filtering per LANs ( or IPs ) like in 2 gateway ?

    DHCP and DNS
      n3by last edited by

      Hi,

I am trying to do filtering using the DNS filter & pfBlockerNG DNSBL (no more SquidGuard).

• OpenDNS will do filtering for parental control.
• GoogleDNS will skip parental control.
• pfBlocker DNSBL will do filtering for adverts, tracking… for all DNS requests.

      I have one WAN gateway and 4 LAN's.

I want some LANs (or IPs) to use OpenDNS servers and other LANs (or IPs) to use GoogleDNS or similar servers.
Something like having 2 WAN gateways with different DNS servers, so I can force traffic from a LAN or IP to use the DNS from a specific gateway, but I don't think it is possible to do something like a "virtual gateway" to achieve this setup.

I can't use the DNS override in the DHCP server or static ARP other than the LAN interface IP as DNS, because if DNS is not handled by pfSense it will escape from pfbDNSBL filtering... this is the problem I am facing now: clients that use GoogleDNS escape from the pfbDNSBL filter.

Clients from the LANs will get the DNS server only from pfSense (LAN interface IP), and all attempts to use another DNS server will be redirected to the DNS servers assigned to that interface (this part is well described in the pfSense DNS redirect tutorials).

Any idea if this can be done, and how?

Thank you

        Derelict LAYER 8 Netgate last edited by

I do this by setting up the DNS Forwarder to listen just on localhost, port 8053.

I set the Forwarder to use OpenDNS as its servers.

I then place a port forward on the controlled LAN (OPT2) that redirects all traffic for the OPT2 address, TCP/UDP 53, to 127.0.0.1:8053.

Naturally, you have to block all TCP/UDP 53 other than to the OPT2 address.

Everyone else just uses the DNS Resolver normally.

I don't use pfBlockerNG, so this might not help you at all.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

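As an added illustration (not from the thread, and not the ruleset pfSense itself generates from the GUI), the equivalent raw pf(4) rules for the setup Derelict describes: a redirect of DNS aimed at the OPT2 address into the Forwarder on localhost:8053, a pass for that redirected flow, and a block for every other DNS destination. The interface name, the macro names and the 10.2.0.0/24 subnet are assumptions.

```pf
# Assumed values: pfSense names the OPT2 NIC differently on each box.
opt2_if      = "em2"           # the controlled LAN (OPT2)
opt2_net     = "10.2.0.0/24"   # OPT2 subnet (assumed)
opt2_ip      = "10.2.0.1"      # OPT2 interface address, handed out by DHCP as the DNS server
dns_fwd      = "127.0.0.1"     # DNS Forwarder (dnsmasq) bound to localhost only
dns_fwd_port = "8053"          # port the Forwarder listens on

# 1. NAT: DNS sent to the OPT2 address lands on the Forwarder on port 8053.
rdr on $opt2_if inet proto { tcp udp } from $opt2_net to $opt2_ip port 53 \
    -> $dns_fwd port $dns_fwd_port

# 2. Filter rules evaluate the post-NAT packet, so allow the redirected flow.
pass in quick on $opt2_if inet proto { tcp udp } from $opt2_net \
    to $dns_fwd port $dns_fwd_port

# 3. Drop every other DNS attempt from OPT2 (e.g. a client hard-coded to 8.8.8.8),
#    so no host on that LAN can bypass the OpenDNS path. "log" makes bypass
#    attempts visible in the firewall log for later review.
block in log quick on $opt2_if inet proto { tcp udp } from $opt2_net to any port 53

# Other LANs are not matched by these rules and keep using the Resolver on port 53.
```

The Forwarder side is the listen address 127.0.0.1 with port 8053 in the GUI, plus the Advanced options Derelict posts later in the thread (no-resolv, strict-order and the two OpenDNS server= lines).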
          n3by last edited by

          Hi,

Thank you for the answer.

I can try this with your help, but please let me know where I can set the DNS servers to be used by the Forwarder, because I can't see it yet.

          Thank you

![2015-11-15 01.34.07.jpg](/public/imported_attachments/1/2015-11-15 01.34.07.jpg)
![2015-11-15 01.34.14.jpg](/public/imported_attachments/1/2015-11-15 01.34.14.jpg)
![2015-11-15 01.36.47.jpg](/public/imported_attachments/1/2015-11-15 01.36.47.jpg)

            Derelict LAYER 8 Netgate last edited by

Sorry. I have this in the Advanced section:

            no-resolv
            strict-order
            server=208.67.222.222
            server=208.67.220.220

              n3by last edited by

              Thank you very much for your help.

I set the Forwarder according to your indications, and this config, with the Forwarder using one DNS server and the Resolver another DNS server, is working OK for multi-DNS content filtering.
I will stick with this configuration because it is easy to maintain and can also be applied to DNS per IP, not only per LAN, using redirection in NAT - Port Forward based on the source IP address.

Unfortunately, with this setup the Forwarder still escapes from the pfbDNSBL filter.

                n3by last edited by

Now I understand why pfBlockerNG can't work with the Forwarder to filter DNS.

pfBlockerNG is using Unbound, which has the Dnsspoof function to do DNS filtering.

                https://calomel.org/unbound_dns.html
