Single WAN gateway but DNS filtering per LAN (or IP), like with 2 gateways?



  • Hi,

    I am trying to do filtering using DNS Filter & pfBlockerNG DNSBL (no more SquidGuard).

    • OpenDNS will do filtering for parental control.
    • GoogleDNS will skip parental control.
    • pfBlocker DNSBL will do filtering for adverts, tracking… for all DNS requests.

    I have one WAN gateway and 4 LANs.

    I want some LANs (or IPs) to use OpenDNS servers and other LANs (or IPs) to use GoogleDNS or similar servers.
    Something like having 2 WAN gateways with different DNS servers, so I can force traffic from a LAN or IP to use the DNS of a specific gateway, but I don't think it is possible to do something like a "virtual gateway" to achieve this setup.

    I can't use a DNS override in the DHCP server or static ARP with anything other than the LAN interface IP as DNS, because if DNS is not handled by pfSense it escapes the pfbDNSBL filtering... this is the problem I am facing now: clients that use GoogleDNS escape the pfbDNSBL filter.

    Clients on the LANs will get their DNS server only from pfSense (the LAN interface IP), and any attempt to use another DNS server will be redirected to the DNS servers assigned to that interface (this part is well described in the pfSense DNS redirect tutorials).

    Any idea if this can be done, and how?

    Thank you


  • LAYER 8 Netgate

    I do this by setting up the DNS Forwarder to listen just on localhost, port 8053.

    I set the forwarder to use OpenDNS as its servers.

    I then place a port forward on the controlled LAN (OPT2) that redirects all traffic to the OPT2 address on TCP/UDP 53 to 127.0.0.1 port 8053.

    Naturally, you have to block all TCP/UDP 53 other than to the OPT2 address.

    Everyone else just uses the DNS Resolver normally.

    I don't use pfBlockerNG, so this might not help you at all.
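The same setup written out as the raw dnsmasq options and FreeBSD pf rules that the pfSense Forwarder, NAT and firewall pages generate, added here as an illustration and not taken from the poster's configuration. The interface name em2 for OPT2 is an assumption; port 8053 and the OpenDNS addresses come from the thread.

```conf
# --- dnsmasq (pfSense "DNS Forwarder") ---
# Listen only on loopback, on a non-standard port, so it does not
# collide with Unbound (the DNS Resolver) listening on port 53.
listen-address=127.0.0.1
port=8053
# Ignore /etc/resolv.conf and query the listed upstreams in order.
no-resolv
strict-order
# OpenDNS (filtering) upstreams
server=208.67.222.222
server=208.67.220.220

# --- pf (what the pfSense NAT and firewall rules compile to) ---
# "em2" is an assumed name for the OPT2 interface; (em2) is its address.
# NAT: anything sent to the OPT2 address on port 53 is handed to dnsmasq
# on 127.0.0.1:8053. Translation happens before filtering, so the pass
# rule must match the translated destination, not the original one.
rdr on em2 inet proto { tcp udp } from any to (em2) port 53 -> 127.0.0.1 port 8053
pass in quick on em2 inet proto { tcp udp } from any to 127.0.0.1 port 8053
# Drop DNS aimed anywhere else (for example a client hard-coded to a
# public resolver); such queries would otherwise bypass the filtering
# forwarder. Logging the hits shows which hosts are trying.
block in log quick on em2 inet proto { tcp udp } from any to ! (em2) port 53
```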



  • Hi,

    Thank you for the answer.

    I can try this with your help, but please let me know where I can set the DNS servers to be used by the Forwarder, because I can't see it yet.

    Thank you

    ![2015-11-15 01.34.07.jpg](/public/imported_attachments/1/2015-11-15 01.34.07.jpg)
    ![2015-11-15 01.34.14.jpg](/public/imported_attachments/1/2015-11-15 01.34.14.jpg)
    ![2015-11-15 01.36.47.jpg](/public/imported_attachments/1/2015-11-15 01.36.47.jpg)


  • LAYER 8 Netgate

    Sorry. I have this in the Advanced section:

    no-resolv
    strict-order
    server=208.67.222.222
    server=208.67.220.220



  • Thank you very much for your help.

    I set the Forwarder according to your indications, and this config, with the Forwarder using one DNS server and the Resolver another, is working OK for multi-DNS content filtering.
    I will stick with this configuration because it is easy to maintain and can also be applied to DNS per IP, not only per LAN, using redirection in NAT - Port Forward based on the source IP address.

    Unfortunately, with this setup the Forwarder still escapes the pfbDNSBL filter.



    Now I understand why pfBlockerNG can't work with the Forwarder to filter DNS.

    pfBlockerNG is using Unbound, which has a function, Dnsspoof, to do DNS filtering.

    https://calomel.org/unbound_dns.html

