Using pfSense with a L3 core switch

[Christos]

I switched today from DNS forwarding to DNS resolver.

DNS resolver seems faster and more reliable. I've been using unbound in this mode for the past 3-4 months and don't plan to change it.

 

[coxhaus]

Yes, but there was a bug so I switched to DNS Forwarding which was patched in version 24.03. So now I switched back.

Unbound - CVE-2023-50387 and CVE-2023-50868

Was just reading about CVE-2023-50387 which seems to affect all DNS resolvers that support DNSSec. It seems NLnetlabs has released an Unbound patch today. ht...

forum.netgate.com

 

[ddaenen1]

I haven't made the upgrade yet. Waiting for a suitable slot at home.

 

[coxhaus]

Yes, my wife went on a trip with her best friend so I had plenty of time to test but it turns out I did not need it. I was up and running in under 10 minutes. It was probably faster but I forgot I had to log in again as it kept telling me it was not ready so I waited.
I tried my monitor but it would not sync as it has been turned off too long. It takes a reboot to sync the monitor and of course you cannot reboot during an upgrade. Next time I will have the monitor working before I upgrade. Just so I can watch the progress.

 

[ddaenen1]

Upgraded today to 24.03. Pretty uneventful. Interface seems a bit snappier though and i also have the impression that the HAproxy pass-through is a bit faster. Had a small issue with accessing my cloud-server but it seems an entry i had to change with a previous upgrade needed to go back to the original setting.

 

[coxhaus]

So, I came across these settings. I am trying them. Except I don't run pfblocker. I have an ACL to allow only QUAD9 DNS out. Any comment? I am not sure what enable Python would do for me if I don't run pfblocker.

This should help

System / General Setup

• DNS Servers: Provide resolvers of your choice
• DNS Resolution Behavior: Use local DNS (127.0.0.1), ignore remote DNS Servers

Services / DNS Forwarder

• Leave disabled

Services / DNS Resolver / General Settings

• Untick 'Enable DNSSEC Support'
• Tick 'Enable Python Module'
• Tick 'Enable Forwarding Mode'

Services / DNS Resolver / Advanced Settings

• Tick 'Query Name Minimization'
• Tick 'Prefetch Support'
• Tick 'Prefetch DNS Key Support'
• Untick 'Harden DNSSEC Data'

Firewall / pfBlockerNG / IP / IPv4

• Disable any lists you don't use (these can incur a significant performance hit)

Firewall / pfBlockerNG / IP / IPv6

• Disable any lists you don't use (these can incur a significant performance hit)

Firewall / pfBlockerNG / DNSBL

• Tick 'DNSBL Blocking'
• Tick 'CNAME Validation'

Firewall / pfBlockerNG / DNSBL / DNSBL

• Logging / Blocking Mode: Null Blocking (no logging) or Null Blocking (logging)

 

[coxhaus]

So, we have a friend over that is using google cloud and running a VPN to a client working. They lost power in the big storm we had a few days ago so they are here working. Pfsense seems to be working well. The only thing I noticed is we are 2% higher on CPU usage on my i3.

 

[coxhaus]

So, I was reading today about Skynet and unbound hitting China's Authoritative servers even though China is blocked. It got me thinking. If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker? It might be better to run Forwarding so China will be blocked and their servers will not be hit. I am I thinking about this right?
I just switched back to Forwarding and I don't really notice a lot of difference using Pfsense 24.03 and QUAD9.

 

[dave14305]

If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker?

It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.

 

[ddaenen1]

So, I was reading today about Skynet and unbound hitting China's Authoritative servers even though China is blocked. It got me thinking. If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker? It might be better to run Forwarding so China will be blocked and their servers will not be hit. I am I thinking about this right?
I just switched back to Forwarding and I don't really notice a lot of difference using Pfsense 24.03 and QUAD9.

I am really wondering why you spend so much time tinkering around with the DNS settings. Mine have always worked perfectly fine. I use the unbound DNS resolver with local DNS first and forward to servers (1.1.1.1 , 1.0.0.1) configured in general settings. I have not seen any difference with this instead of using the authorative servers instead.

I do use pfBlockerNG though.

 

[coxhaus]

It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.

Interesting. Yes, if you block them on the WAN side then China will receive the packet and it will be blocked on the return from China. So, yes you really need to block on the LAN side so they do not receive a packet.

In the old days I tried to blocked China with ACLs. I had a couple pages of ACLs. I would watch SNORT and track them down and add them to my ACLs. I have them documented somewhere. Nowadays I don't bother too much work and I am sure they just relay off of US sites. I had some Chinese Universities in there also.
I decided now to just live with QUAD9 and not worry about the rest. I know it is not a complete overlap but hacking is so sophisticated now and I am out of the know being retired for 20 years.

Back in the real old days when the 1 network was given to the Chinese. I was hacked, my web server and router. My DNS was changed to 1.1.1.1 and all my DNS traffic was very slow. I assume routing through China. I did trace routes back then. It was probably 25 years ago, maybe more as I was still working back then. I guess 1.1.1.1 was moved out of China and to where ever it is now. So, I will never use Cloudflare or the 1 network for anything.

PS
I thought about this some and if you block on the LAN and you do much local routing you may take a hit on speed if you have many ACLs especially with a layer 2 switch. You will be much better off using a layer 3 switch for local routing so you will not hit LAN ACLs for China that exist on the router. This is the way I have my network set up.

 

[coxhaus]

It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.

So, I had this discussion on Pfsense forums recently about this. You can read the whole discussion if you want. I just picked a country at random. I am playing with the idea of Pfblocker but I have to fully understand how it works.

Unbound vs Forwarding for DNS

So, if I use unbound for DNS and an Ad comes up requesting a China server it is going to hit a Chinese server requesting DNS. If I use Forwarding for DNS to...

forum.netgate.com

This is what I learned about Pfsense.

On the LAN side, outbound. So once the state table with the first connection packet is set to blocked by checking the rules then all other connection packets are blocked by the state table. but only the first packet is checked.

WAN firewall rules work on inbound only so they are not checked on outbound. Assume they work the same as outbound but instead are inbound.

This is kind of what I was thinking.

If you block China on the WAN side, then all data will be sent because WAN is not checked on outbound and the return packets will be blocked.

If China initiates and your block is on the LAN side then it will flow inbound because you are only blocking out bound but NAT takes care of it and blocks it.

So, you really want to block China on the LAN side.


Then I was corrected by Steve
"the state table doesn’t block anything it only allows what was previously allowed by firewall rule"

 

[Christos]

If you block China on the WAN side, then all data will be sent because WAN is not checked on outbound and the return packets will be blocked.

the return packets will be allowed because it is a stateful firewall and if a packet is allowed to leave, the reply is also allowed to pass.