Difference between revisions of "Talk:PFSense and OPNsense"
(→website sources for valuable information: new section) |
(→communications error to 127.0.0.53 timed out: new section) |
||
(6 intermediate revisions by one user not shown) | |||
Line 1: | Line 1: | ||
− | == | + | == WAN interface == |
− | + | There is no such thing as traffic going to a LAN address | |
an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP | an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP | ||
Line 10: | Line 10: | ||
* http://www.derman.com/blogs/Setting-Up-Blocking-Firewall-Rules | * http://www.derman.com/blogs/Setting-Up-Blocking-Firewall-Rules | ||
+ | * https://doc.pfsense.org/index.php/Aliases | ||
+ | |||
+ | == Customize the Login Page == | ||
+ | |||
+ | Modify the following | ||
+ | vi /usr/local/etc/inc/authgui.inc | ||
+ | |||
+ | == hosts (www.facebook.com, www.tiktok.com , www.discord.com ) == | ||
+ | |||
+ | Some websites like digitalocean for example is actually behind cloudflares reverse proxy. If you have any website like this on your alias and it resolves cloudflares proxy IP. If these proxy IPs end up being blocked half of the internet will be broken for you. Plenty of sites use CDNs or have backend resources proxied by cloudflare. DNS based blockers are far better for your needs. | ||
+ | * https://old.reddit.com/r/PFSENSE/comments/12ifu1p/cant_get_a_simple_block_rule_to_work_for_all_the/ | ||
+ | |||
+ | The pfBlockerNG package (pfBlocker-NG Package) offers mechanisms which can be useful in this area, such as DNSBL, geographic IP address blocking, and automation of AS lookups. | ||
+ | * https://docs.netgate.com/pfsense/en/latest/recipes/block-websites.html | ||
+ | |||
+ | Selectively enforcing pfBlockerNG for specific clients or networks: filtering content for specific clients or networks in pfSense while keeping pfBlockerNG is not a simple task. If we wanted a simpler solution, we could’ve just added a Custom DNS server for our VLAN we wanted content filtered on. Unfortunately, doing this circumvents Unbound (DNS Resolver) and we lose the functionality of pfBlockerNG. To complicate matters more, Unbound does not allow you to specify different servers for the same lookup zone based on who’s querying the server. | ||
+ | * https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/ | ||
+ | |||
+ | Zenarmor block websites on the pfSense software firewall and the importance of web filtering. | ||
+ | * https://www.zenarmor.com/docs/network-security-tutorials/how-to-block-websites-on-pfsense | ||
+ | |||
+ | The hosting platforms used by Discord is primarily Google Cloud Platform. | ||
+ | * https://www.netify.ai/resources/applications/discord | ||
+ | |||
+ | == Block Malicious IPs in pfSense at David's Homelab == | ||
+ | |||
+ | pfSense provides a package called pfBlockerNG which allows for advanced and dynamically updating blocking rules based on blocklists or GeoIP data. It also supports DNS blocking so can fully replace Pi-hole if you choose to enable this feature. | ||
+ | * https://davidshomelab.com/block-malicious-ips-in-pfsense/ | ||
+ | |||
+ | == communications error to 127.0.0.53 timed out == | ||
+ | |||
+ | communications error to 127.0.0.53 timed out | ||
+ | |||
+ | define a rule on LAN to allow a workstation to pass traffic to destination- the firewall itself. This allows DNS queries to go between the workstation and firewall when the firewall is the DNS server ubound. |
Latest revision as of 19:31, 3 February 2024
Contents
WAN interface
There is no such thing as traffic going to a LAN address
an undocumented shortcoming, the firewall cannot understand traffic going to an internal address. Instead the traffic goes to the public WAN IP
you can't apply firewall rules on the WAN: they don't work
website sources for valuable information
- http://www.derman.com/blogs/Setting-Up-Blocking-Firewall-Rules
- https://doc.pfsense.org/index.php/Aliases
Customize the Login Page
Modify the following
vi /usr/local/etc/inc/authgui.inc
hosts (www.facebook.com, www.tiktok.com , www.discord.com )
Some websites like digitalocean for example is actually behind cloudflares reverse proxy. If you have any website like this on your alias and it resolves cloudflares proxy IP. If these proxy IPs end up being blocked half of the internet will be broken for you. Plenty of sites use CDNs or have backend resources proxied by cloudflare. DNS based blockers are far better for your needs.
The pfBlockerNG package (pfBlocker-NG Package) offers mechanisms which can be useful in this area, such as DNSBL, geographic IP address blocking, and automation of AS lookups.
Selectively enforcing pfBlockerNG for specific clients or networks: filtering content for specific clients or networks in pfSense while keeping pfBlockerNG is not a simple task. If we wanted a simpler solution, we could’ve just added a Custom DNS server for our VLAN we wanted content filtered on. Unfortunately, doing this circumvents Unbound (DNS Resolver) and we lose the functionality of pfBlockerNG. To complicate matters more, Unbound does not allow you to specify different servers for the same lookup zone based on who’s querying the server.
Zenarmor block websites on the pfSense software firewall and the importance of web filtering.
The hosting platforms used by Discord is primarily Google Cloud Platform.
Block Malicious IPs in pfSense at David's Homelab
pfSense provides a package called pfBlockerNG which allows for advanced and dynamically updating blocking rules based on blocklists or GeoIP data. It also supports DNS blocking so can fully replace Pi-hole if you choose to enable this feature.
communications error to 127.0.0.53 timed out
communications error to 127.0.0.53 timed out
define a rule on LAN to allow a workstation to pass traffic to destination- the firewall itself. This allows DNS queries to go between the workstation and firewall when the firewall is the DNS server ubound.