> On Sep 30, 2017, at 5:38 PM, Antonio <antoniogennar...@gmail.com> wrote:
> 
> Hi,
> 
> I tried to add the "block DNS queries to external resolvers" as
> described here
> (https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
> ) to my LAN config and noticed that traffic would not go anywhere on the
> LAN until I disabled the two rules below on port 53. With rules 1, 4, 5
> below, all works well. When I switch on 2 and 3 too, browser stops
> working and all traffic on LAN goes nowhere. Why would this be?


Because your clients aren’t configured to use “LAN Address” as their DNS server?

> 
> Thanks
> 
> 
> 
> #  States        Protocol        Source   Port  Destination  Port      Gateway  Queue  Schedule  Description                          Actions
> 1  1 /3.61 MiB   *               *        *     LAN Address  443, 80   *        *                Anti-Lockout Rule
> 2  0 /0 B        IPv4+6 TCP/UDP  *        *     LAN address  53 (DNS)  *        none             Allow DNS to pfSense/DNSMASQ/OpenDNS
> 3  0 /21 KiB     IPv4+6 TCP/UDP  *        *     *            53 (DNS)  *        none             Block DNS to everything else
> 4  1 /44.34 MiB  IPv4 *          LAN net  *     *            *         *        none             Default allow LAN to any rule
> 5  0 /0 B        IPv6 *          LAN net  *     *            *         *        none             Default allow LAN IPv6 to any rule
> 
> -- 
> 
> Respect your privacy and that of others, don't give your data to big 
> corporations.
> Use alternatives like Signal (https://whispersystems.org/) for your messaging 
> or 
> Diaspora* (https://joindiaspora.com/) for your social networking.
> 
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
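
An added example, not part of either poster's message: a minimal model of first-match evaluation over the LAN rules quoted above, showing the case the reply suggests, where a client's resolver is not the LAN address. The addresses (192.168.2.1 as the LAN address, a /24 LAN, the client, the external resolver and the web server) are assumptions, and the IPv6 rule 5 is left out.

```python
import ipaddress

# Assumed addressing (not stated in the thread): firewall LAN address and a /24 LAN.
LAN_ADDRESS = ipaddress.ip_address("192.168.2.1")
LAN_NET = ipaddress.ip_network("192.168.2.0/24")

# (number, action, protocols, source net, destination, destination ports); None is "*".
RULES = [
    (1, "pass", None, None, LAN_ADDRESS, {443, 80}),        # Anti-Lockout Rule
    (2, "pass", {"tcp", "udp"}, None, LAN_ADDRESS, {53}),   # Allow DNS to pfSense
    (3, "block", {"tcp", "udp"}, None, None, {53}),         # Block DNS to everything else
    (4, "pass", None, LAN_NET, None, None),                 # Default allow LAN to any
]

def evaluate(proto, src, dst, dport, enabled=(1, 2, 3, 4)):
    """Return (action, rule number) of the first enabled rule that matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, protos, src_net, dest, ports in RULES:
        if num not in enabled:
            continue
        if protos is not None and proto not in protos:
            continue
        if src_net is not None and src not in src_net:
            continue
        if dest is not None and dst != dest:
            continue
        if ports is not None and dport not in ports:
            continue
        return action, num
    return "block", None  # nothing matched: implicit default deny

def can_browse(client, resolver, web_server, enabled=(1, 2, 3, 4)):
    """A page load needs the DNS query to pass first, then the HTTPS connection."""
    dns = evaluate("udp", client, resolver, 53, enabled)
    web = evaluate("tcp", client, web_server, 443, enabled)
    return dns[0] == "pass" and web[0] == "pass", dns, web

if __name__ == "__main__":
    # Constructed sample hosts: a LAN client, an external resolver, a web server.
    client, external, site = "192.168.2.50", "198.51.100.53", "203.0.113.10"
    print(can_browse(client, "192.168.2.1", site))        # resolver is the LAN address
    print(can_browse(client, external, site))             # resolver is external
    print(can_browse(client, external, site, (1, 4)))     # rules 2 and 3 disabled
```

With an external resolver the HTTPS connection itself still matches rule 4, but the name lookup before it stops at rule 3, which is why the browser appears dead until rules 2 and 3 are disabled or the client is pointed at the LAN address for DNS.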
