pfSense Part 3: Controlling Routes | Level One Techs

Do these 2 statements contradict themselves? What am I missing?

You only need to make block (or deny) rules if there is an allow rule below it which would match the traffic.

The rule that matches first takes effect and all other rules are ignored.

The rule that matches first takes effect, and the rules are read top to bottom. But there is an invisible block-all rule at the bottom, which is the default action. So you don't need to make a block rule below an allow rule because there's already one there, but you do need a block rule above an allow rule if you want to block some part of what the allow rule is allowing.

1 Like

Ok so I think I get it now. That was a bit to wrap my head around but I definitely feel like I learned something about the fundamental workings of firewall rules and networking there. Thanks for the clarification.

1 Like

No worries, it took me ages to get my head around it

1 Like

Technically there is also UDP ping :slight_smile:

(regarding the statement that ping is ICMP in the video)

1 Like

I'm having the same issue... :confused:

Can anyone verify the Netflix rule they talk about in the video actually works? I implemented it into my router, but it is not working.

This may or may not vary by region too... What region are you? Regarding netflix that is.

@Dexter_Kane How would you approach/troubleshoot with pfSense -- for example if you want CS:GO to run over WAN? What tools and methods in the firewall do you use to find blocked or wrong routed traffic?

Yes and you could use netcat or telnet to test TCP:

$ telnet www.example.com 80
1 Like

When I set up block rules for MS telemetry quite a while ago, I followed a guide that also specified adding an alias and pass rule to ensure that Windows updates weren't being blocked. Here are the addresses specified:

download.windowsupdate.com
update.microsoft.com
sls.update.microsoft.com.akadns.net
vortex.data.microsoft.com
vortex-win.data.microsoft.com
fe2.update.microsoft.com.akadns.net
statsfe2.update.microsoft.com.akadns.net

1 Like

Idk, if MS were smart they would just use their Update Domains for the Telemetry stuff and people couldn't block it independently...

MS if you're reading this, I do take credit transfers...

(although they are probably doing that already)

1 Like

Yeah, I assume that they probably do, and that blocking telemetry entirely is the not-so-simple matter of ditching Windows entirely, but I figure there's no harm in trying.

Could you help me out with setting up squid in Debian with pfSense as a firewall.

My VPN is going from USA > Toronto via PIA. But that shouldn't matter because the 3rd LAN rule should catch Netflix destination traffic and route it out my ISP WAN.

Yeah, but that isn't working for you, or did I misunderstand that. I meant that it might be different domains for different regions. Guess in NA it should be the same though... mh

If you can't find the ports by googling then what I'd do is make the rules with the ports you do know and create a block all rule under that (make sure you enable logging on the block rule). Then run the game and look at the firewall log in pfsense, look for traffic from the machine running the game and add the destination ports from the blocked traffic to the rule until the game works.

But if you have a game that needs port 443 or some other shared port there is no way for pfsense to tell which application the traffic is coming from. So the only thing you can do is either manually enable and disable the rule as needed or set up a proxy server that uses the VPN and manually set the browser to use that. That way web traffic from the browser goes to the proxy server and then over the VPN and any other traffic will go over the WAN.

You could use squid on pfsense for this but it lacks any options for setting a gateway, it just uses the default gateway. So if the VPN is the default gateway then it will work, otherwise it won't. One thing to keep in mind about using the VPN as the default gateway is that if the VPN goes down then it will automatically use the WAN connection as that will become the new default gateway until the VPN comes back up, which is why it's always better to specify gateways in your rules with an internet destination.

2 Likes
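The two answers above describe three things that are easy to get wrong in practice: first match wins with an invisible block-all at the bottom (so a block rule only does anything when it sits above the pass rule it is carving out of), the troubleshooting loop of passing the ports you know, putting a logging block-all under it and reading blocked destination ports out of the firewall log, and the caveat that once a shared port like 443 is in the game rule the firewall cannot tell the game from the browser. The Python below is an added model of that behaviour, not code from this thread or from pfSense itself: the Rule fields, the log tuple format, the host addresses and the game's staged traffic and port numbers are all constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str = "any"               # "tcp", "udp" or "any"
    src: str = "any"                 # exact host or "any" (no CIDR, to keep it short)
    ports: frozenset = frozenset()   # destination ports; empty means any port
    gateway: str = "default"         # which gateway a pass rule sends traffic to
    log: bool = False                # the "log packets" checkbox on the rule
    name: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# The invisible rule at the bottom of every interface's rule list.
IMPLICIT_DENY = Rule("block", log=True, name="implicit default deny")


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and rule.src in ("any", pkt.src)
            and (not rule.ports or pkt.dport in rule.ports))


def evaluate(rules, pkt, log):
    """First match wins; every rule after it is ignored. Rules with logging on
    append (action, packet, rule name) to `log`, standing in for the firewall log."""
    for rule in (*rules, IMPLICIT_DENY):
        if matches(rule, pkt):
            if rule.log:
                log.append((rule.action, pkt, rule.name))
            return rule.action, rule.gateway


def order_demo():
    """A block rule below the pass rule is never reached; above it, it applies."""
    host = "192.168.1.50"
    no_smtp = Rule("block", proto="tcp", src=host, ports=frozenset({25}), name="no SMTP from host")
    allow_out = Rule("pass", gateway="WAN", name="allow LAN out")
    pkt = Packet("tcp", host, "198.51.100.7", 25)
    wrong = evaluate([allow_out, no_smtp], pkt, [])[0]   # block sits under the pass rule
    right = evaluate([no_smtp, allow_out], pkt, [])[0]   # block sits above it
    empty = evaluate([], pkt, [])[0]                     # no rules at all: default deny
    return wrong, right, empty


GAME_PC, GAME_SERVER, WEB_SERVER = "192.168.1.50", "203.0.113.9", "198.51.100.7"

# Constructed traffic in stages: the game only sends a later stage once every
# packet of the previous stage got through. Port numbers are made up here.
GAME_STAGES = [
    [Packet("tcp", GAME_PC, GAME_SERVER, 27015)],                    # handshake
    [Packet("udp", GAME_PC, GAME_SERVER, 27015),
     Packet("udp", GAME_PC, GAME_SERVER, 27031)],                    # gameplay
    [Packet("tcp", GAME_PC, GAME_SERVER, 443)],                      # stats upload, shared port
]


def game_rules(ports):
    """Pass the ports we know out the WAN, then a logging block-all for the game PC."""
    return [
        Rule("pass", src=GAME_PC, ports=frozenset(ports), gateway="WAN", name="game ports via WAN"),
        Rule("block", src=GAME_PC, log=True, name="catch-all with logging"),
    ]


def run_game(rules, log):
    """True if every stage of the game's traffic passed the firewall."""
    for stage in GAME_STAGES:
        results = [evaluate(rules, pkt, log)[0] for pkt in stage]
        if any(r != "pass" for r in results):
            return False
    return True


def discover_ports(known_ports, max_rounds=10):
    """The troubleshooting loop: run the game, pull blocked destination ports for
    the game PC out of the log, add them to the pass rule, repeat until it works.
    Returns the final port set and how many runs it took."""
    ports = set(known_ports)
    for rounds in range(1, max_rounds + 1):
        log = []
        if run_game(game_rules(ports), log):
            return ports, rounds
        ports |= {pkt.dport for action, pkt, _ in log
                  if action == "block" and pkt.src == GAME_PC}
    raise RuntimeError("still blocked after max_rounds; something else is wrong")


def shared_port_caveat(ports):
    """Once 443 is in the game rule, browser HTTPS from the same PC matches it
    too: the firewall sees ports, not applications."""
    browser = Packet("tcp", GAME_PC, WEB_SERVER, 443)
    return evaluate(game_rules(ports), browser, [])


if __name__ == "__main__":
    print("rule order (wrong, right, no rules):", order_demo())
    found, runs = discover_ports({27015})
    print(f"game works after {runs} runs with ports {sorted(found)}")
    print("browser HTTPS from the game PC now goes:", shared_port_caveat(found))
```

With only port 27015 known, the loop needs three runs: the first run surfaces the second gameplay port, the second surfaces the stats upload on 443, and the third confirms nothing is blocked. After that, browser traffic to 443 from the same machine also matches the "game ports via WAN" rule, which is exactly why the answer above falls back to a proxy or to toggling the rule by hand.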

I too am having an issue with the Netflix rule they mentioned, however I'm using IVPN and routing within the US.

I'm wondering, why do you say it's a bad idea to do more than 50 ports in one rule?
I'd think taking all the ports in the range 0-1023 and running them through the vpn would be a decent start at least, since that'd take all web and ssh and other such utilities through your vpn while leaving most game services untouched.

And yes, I know that range is way overkill, and you only need ports 20-30, 80, and 443 for the most common services.

They mean for a service that uses a bunch of ports in a range, that range will usually not be larger than 50, so making a rule with a range larger than that (if you don't specifically know which ports or range the service uses) may overlap with other services and cause problems.

You can make rules with as large a range as you like, it was more of a rule of thumb than any sort of technical limitation.