Menu
What's new
By:
Filters Better Search

Using pfSense with a L3 core switch

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Yes, but there was a bug so I switched to DNS Forwarding which was patched in version 24.03. So now I switched back.
forum.netgate.com

Unbound - CVE-2023-50387 and CVE-2023-50868

Was just reading about CVE-2023-50387 which seems to affect all DNS resolvers that support DNSSec. It seems NLnetlabs has released an Unbound patch today. ht...
forum.netgate.com forum.netgate.com
 
Last edited:
I haven't made the upgrade yet. Waiting for a suitable slot at home.
 
Yes, my wife went on a trip with her best friend so I had plenty of time to test but it turns out I did not need it. I was up and running in under 10 minutes. It was probably faster but I forgot I had to log in again as it kept telling me it was not ready so I waited.
I tried my monitor but it would not sync as it has been turned off too long. It takes a reboot to sync the monitor and of course you cannot reboot during an upgrade. Next time I will have the monitor working before I upgrade. Just so I can watch the progress.
 
Last edited:
Upgraded today to 24.03. Pretty uneventful. Interface seems a bit snappier though and i also have the impression that the HAproxy pass-through is a bit faster. Had a small issue with accessing my cloud-server but it seems an entry i had to change with a previous upgrade needed to go back to the original setting.
 
So, I came across these settings. I am trying them. Except I don't run pfblocker. I have an ACL to allow only QUAD9 DNS out. Any comment? I am not sure what enable Python would do for me if I don't run pfblocker.

This should help

System / General Setup

  • DNS Servers: Provide resolvers of your choice
  • DNS Resolution Behavior: Use local DNS (127.0.0.1), ignore remote DNS Servers
Services / DNS Forwarder

  • Leave disabled
Services / DNS Resolver / General Settings

  • Untick 'Enable DNSSEC Support'
  • Tick 'Enable Python Module'
  • Tick 'Enable Forwarding Mode'
Services / DNS Resolver / Advanced Settings

  • Tick 'Query Name Minimization'
  • Tick 'Prefetch Support'
  • Tick 'Prefetch DNS Key Support'
  • Untick 'Harden DNSSEC Data'
Firewall / pfBlockerNG / IP / IPv4

  • Disable any lists you don't use (these can incur a significant performance hit)
Firewall / pfBlockerNG / IP / IPv6

  • Disable any lists you don't use (these can incur a significant performance hit)
Firewall / pfBlockerNG / DNSBL

  • Tick 'DNSBL Blocking'
  • Tick 'CNAME Validation'
Firewall / pfBlockerNG / DNSBL / DNSBL

  • Logging / Blocking Mode: Null Blocking (no logging) or Null Blocking (logging)
 
Last edited:
So, we have a friend over that is using google cloud and running a VPN to a client working. They lost power in the big storm we had a few days ago so they are here working. Pfsense seems to be working well. The only thing I noticed is we are 2% higher on CPU usage on my i3.
 
So, I was reading today about Skynet and unbound hitting China's Authoritative servers even though China is blocked. It got me thinking. If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker? It might be better to run Forwarding so China will be blocked and their servers will not be hit. I am I thinking about this right?
I just switched back to Forwarding and I don't really notice a lot of difference using Pfsense 24.03 and QUAD9.
 
coxhaus said:
If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker?
Click to expand...
It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.
 
coxhaus said:
So, I was reading today about Skynet and unbound hitting China's Authoritative servers even though China is blocked. It got me thinking. If I am running unbound on Pfsense I guess the same thing will happen? Even if I am running Pfblocker? It might be better to run Forwarding so China will be blocked and their servers will not be hit. I am I thinking about this right?
I just switched back to Forwarding and I don't really notice a lot of difference using Pfsense 24.03 and QUAD9.
Click to expand...

I am really wondering why you spend so much time tinkering around with the DNS settings. Mine have always worked perfectly fine. I use the unbound DNS resolver with local DNS first and forward to servers (1.1.1.1 , 1.0.0.1) configured in general settings. I have not seen any difference with this instead of using the authorative servers instead.

I do use pfBlockerNG though.
 
dave14305 said:
It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.
Click to expand...
Interesting. Yes, if you block them on the WAN side then China will receive the packet and it will be blocked on the return from China. So, yes you really need to block on the LAN side so they do not receive a packet.

In the old days I tried to blocked China with ACLs. I had a couple pages of ACLs. I would watch SNORT and track them down and add them to my ACLs. I have them documented somewhere. Nowadays I don't bother too much work and I am sure they just relay off of US sites. I had some Chinese Universities in there also.
I decided now to just live with QUAD9 and not worry about the rest. I know it is not a complete overlap but hacking is so sophisticated now and I am out of the know being retired for 20 years.

Back in the real old days when the 1 network was given to the Chinese. I was hacked, my web server and router. My DNS was changed to 1.1.1.1 and all my DNS traffic was very slow. I assume routing through China. I did trace routes back then. It was probably 25 years ago, maybe more as I was still working back then. I guess 1.1.1.1 was moved out of China and to where ever it is now. So, I will never use Cloudflare or the 1 network for anything.

PS
I thought about this some and if you block on the LAN and you do much local routing you may take a hit on speed if you have many ACLs especially with a layer 2 switch. You will be much better off using a layer 3 switch for local routing so you will not hit LAN ACLs for China that exist on the router. This is the way I have my network set up.
 
Last edited:
dave14305 said:
It depends if pfblockerng’s rules block outbound traffic originating from the router, or just the LAN. Skynet does both.
Click to expand...
So, I had this discussion on Pfsense forums recently about this. You can read the whole discussion if you want. I just picked a country at random. I am playing with the idea of Pfblocker but I have to fully understand how it works.

forum.netgate.com

Unbound vs Forwarding for DNS

So, if I use unbound for DNS and an Ad comes up requesting a China server it is going to hit a Chinese server requesting DNS. If I use Forwarding for DNS to...
forum.netgate.com forum.netgate.com

This is what I learned about Pfsense.

On the LAN side, outbound. So once the state table with the first connection packet is set to blocked by checking the rules then all other connection packets are blocked by the state table. but only the first packet is checked.

WAN firewall rules work on inbound only so they are not checked on outbound. Assume they work the same as outbound but instead are inbound.

This is kind of what I was thinking.

If you block China on the WAN side, then all data will be sent because WAN is not checked on outbound and the return packets will be blocked.

If China initiates and your block is on the LAN side then it will flow inbound because you are only blocking out bound but NAT takes care of it and blocks it.

So, you really want to block China on the LAN side.


Then I was corrected by Steve
"the state table doesn’t block anything it only allows what was previously allowed by firewall rule"
 
Last edited:
coxhaus said:
If you block China on the WAN side, then all data will be sent because WAN is not checked on outbound and the return packets will be blocked.
Click to expand...
the return packets will be allowed because it is a stateful firewall and if a packet is allowed to leave, the reply is also allowed to pass.
 
Christos said:
the return packets will be allowed because it is a stateful firewall and if a packet is allowed to leave, the reply is also allowed to pass.
Click to expand...
Go to know. That makes sense as once you have a connection then you are allowed a return packet. That is the way NAT works. So, a firewall rule will not override a NAT connection.

Since there is an open connection the firewall rules don't come into play.
 
Last edited:
coxhaus said:
Since there is an open connection the firewall rules don't come into play.
Click to expand...
To close the loop: Skynet implements blocking so that it ignores the stateful connection tracking in Linux netfilter by putting rules in the raw table. If somehow it misses the block on the outbound, it will catch it on the return.
 
coxhaus said:
My DNS was changed to 1.1.1.1 and all my DNS traffic was very slow. I assume routing through China. I did trace routes back then. It was probably 25 years ago, maybe more as I was still working back then. I guess 1.1.1.1 was moved out of China and to where ever it is now. So, I will never use Cloudflare or the 1 network for anything.
Click to expand...

that time back - 1.1.1.1 and the rest of the subnet was reserved...

one of the risks of running 1.1.1.1 as a DNS server... if cloudflare is blocked, well, that is what it is...
 
dave14305 said:
To close the loop: Skynet implements blocking so that it ignores the stateful connection tracking in Linux netfilter by putting rules in the raw table. If somehow it misses the block on the outbound, it will catch it on the return.
Click to expand...
I want to say that is the way I learned using Cisco firewalls 35 years ago. But a lot of time has passed since then and I am not up on current stuff.
 
sfx2000 said:
that time back - 1.1.1.1 and the rest of the subnet was reserved...

one of the risks of running 1.1.1.1 as a DNS server... if cloudflare is blocked, well, that is what it is...
Click to expand...
A lot of people complained about the 1 network as it was used in some of the big equipment back then. By now it can't be a problem because it was given to the Chinese.
 
sfx2000 said:
that time back - 1.1.1.1 and the rest of the subnet was reserved...

one of the risks of running 1.1.1.1 as a DNS server... if cloudflare is blocked, well, that is what it is...
Click to expand...
Is this really still a thing right now? If so, I'll be changing over to google instantly.
 
ddaenen1 said:
Is this really still a thing right now? If so, I'll be changing over to google instantly.
Click to expand...

I've seen this with a couple of captive portals for Hotel WiFi - older stuff, but still out there...

For most though, it's not an issue.
 
You must log in or register to reply here.

Similar threads

Phantomski
Questions about VLAN support in 3006
Replies
5
Views
527
Tech9
Tech9
Maverick009
Looking at purchasing a new WiFi7 AP. Deciding on brand to go with.
2
Replies
23
Views
4K
Tech9
Tech9
D
VLAN Config Query using pfSense and Unifi
Replies
18
Views
2K
awediohead
A
Oyster1286
Help with Designing Network (noob)
Replies
17
Views
2K
tgl
T
H
Asus Network design
Replies
13
Views
2K
OzarkEdge
OzarkEdge
Similar threads
Thread starter Title Forum Replies Date
C Using 2 routers (no bridge), DDNS configuration not working Routers 3
B Long shot but worth a shot? WFH using CISCO phone audio delay 5-10 seconds Routers 1
C Pfsense wins awards Routers 34

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 669 (members: 35, guests: 634)
Top