Return to Level1Techs.com

(Solved) (pfSense) Why does this rule not work as I want it to?


#1

I want to block all DNS traffic for all clients on the APPort, directly to any WAN address (and only allow them to use the internal DNS server).

What am I doing wrong? .-.

Thanks!


#2


https://www.netgate.com/docs/pfsense/dns/blocking-dns-queries-to-external-resolvers.html


#3

I thought what takes priority is on top?

Edit: also, does my “source port” matter, or should it be everything?


#4

Yeah it goes top to bottom first rule allows dns traffic to only the lan network the 2nd blocks any other dns traffic.


#5

Alright, i’ll try that tomorrow morning!


#6

What @mutation666 says is correct, the reason your rules don’t work is the destination is wan network. Wan network does not mean Internet it means the network that your wan ip is on, which is usually a /31 network anyway. So for traffic with a destination of ‘the internet’ you have to use either any or everything but your local networks (using aliases and the not check box).

Source should be any unless you want to have a rule for a specific source address. Using the interface network as source does the same this as any because only things with an ip on that network can be on that interface.

Source port is usually always any, you wouldn’t use something else unless you knew you had to.


#7

So this is what I did. With “SWITCHPORT Address,” it doesn’t work (doesn’t allow me to specify a single address, I think that’s what I’m suppose to do), however, with “SWITCHPORT net,” it just works. I would of thought that “Address” would allow me to specify an IP, but idk, guess not. Still learning about pfSense rules ¯\(ツ)

Solved? lol


#8

Something address means the ip address for pfsense on that interface, if you want to specify an address the option you want is ‘single host or alias’