Differences

This shows you the differences between two versions of the page.

--- pfsense:pfblockerng:bypass_pfblockerng_for_specific_clients [2020/04/12 00:48] – [PFSense - pfBlockerNG - Bypass pfBlockerNG for specific clients] peter
+++ pfsense:pfblockerng:bypass_pfblockerng_for_specific_clients [2021/01/28 09:23] (current) – [PFSense - pfBlockerNG - Bypass pfBlockerNG for specific clients] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - pfBlockerNG - Bypass pfBlockerNG for specific clients ======
+Unfortunately, even if the some interfaces are NOT selected as per this configuration, pfBlockerNG does NOT ignore them and still performs DNSBL checking.
+To have pfBlockerNG ignore some interfaces, such as the CLEAR network in this diagram, pfSense needs to use a different DNS server.
+{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_permit_firewall_rules_multiple_lans.png?800|}}
+----
 Navigate to **Services -> DNS Resolver**.
-In the **General Settings** tab. change:
+In the **General Settings** tab, change:
   * Custom options: <code>
-server:private-domain: "plex.direct"
+server:
+    private-domain: "plex.direct"
-server:include: /var/unbound/pfb_dnsbl.*conf
+    include: /var/unbound/pfb_dnsbl.*conf
 </code>
@@ Line 14: / Line 23: @@
   * Custom options: <code>
-server:private-domain: "plex.direct"
 server:
-    access-control-view: 192.168.50.0/24 bypass
+    private-domain: "plex.direct"
     access-control-view: 192.168.1.0/24 dnsbl
+    access-control-view: 192.168.50.0/24 bypass
     access-control-view: 192.168.70.0/24 dnsbl
 view:
@@ Line 36: / Line 44: @@
 Also, do not have the word **server:** in front of the following statement **server:include: /var/unbound/pfb_dnsbl.*conf**.
-The following line may be needed above the **include: /var/unbound/pfb_dnsbl.*conf** line:  **include: /var/unbound/host_entries.conf**.
+The following line may be needed above the **include: /var/unbound/pfb_dnsbl.*conf** line: <code>include: /var/unbound/host_entries.conf</code>
 </WRAP>
@@ Line 43: / Line 52: @@
 **WARNING:** If you do an update, disable and re-enable DNSBL the line **include: /var/unbound/pfb_dnsbl.*conf** will be reset back to the standard entry to start with the word **server:**, so will become **server:include: /var/unbound/pfb_dnsbl.*conf**.
-You will need to check each time and remove any leading **server:** to ensure your expected behavior works as expected.
+This is hard-coded into pfBlockerNG, and until this is fixed, you will need to check each time and remove any leading **server:** to ensure your expected behavior works as expected.
-This is hard-coded into pfBlockerNG, until this is fixed.
 </WRAP>
@@ Line 92: / Line 100: @@
 <WRAP info>
-**NOTE:**  A 192.168.0.0/22 mask (CIDR) for the IPv4 subnets it does not work, I instead had to define each subnet with /24. Maybe a /16 would have worked?
+**NOTE:**  A 192.168.0.0/22 mask (CIDR) for the IPv4 subnets did not work, I instead had to define each subnet with /24. Maybe a /16 would have worked?
 Same problem with IPv6. (note, the examples mask my real IPv6 prefix), I had to define multiple /64's as a single /62 did not work.
@@ Line 123: / Line 131: @@
 </code>
-These entries added in our “dnsbl” view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included.
+<WRAP info>
+**NOTE:**  These entries added in the **dnsbl** view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included.
-We have to add them here as adding them as a Host Override on the DNS Resolver configuration page would enforce them for all clients.
+These have to be added here, as adding them as a Host Override on the DNS Resolver configuration page, would enforce them for all clients.
+</WRAP>
+----
+===== Allow websites on a per client basis =====
+  * group A allow websites X and deny websites Y
+  * group B allow websites X and allow websites Y
+  * group C allow websites X and allow websites Y and allow websites Z
+pfBlockerNG can do this using the new tag feature in [[https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/|Unbound]].
+<WRAP info>
+**NOTE:**  Tagging is only supported in Unbound 1.5.10 on-wards, so you may need to update your pfSense.
+</WRAP>
+Navigatge to **Services -> DNS Resolver -> Custom Options**.
+<code>
+# give pfSense a server: tag so it puts directives in correct place
+server:
+# Define a new tag.
+define-tag: "websiteX"
+define-tag: "websiteY"
+define-tag: "websiteZ"
+# Create access control entry.
+access-control: 10.1.1.0/24 allow  # group A
+access-control: 10.1.2.0/24 allow  # group B
+access-control: 10.1.3.0/24 allow  # group C
+# Tag the access.
+# Allocate IP ranges to the tag.
+access-control-tag: 10.1.1.0/24 "websiteX"
+access-control-tag: 10.1.2.0/24 "websiteX"
+access-control-tag: 10.1.3.0/24 "websiteX"
+access-control-tag: 10.1.1.0/24 "websiteY"
+access-control-tag: 10.1.2.0/24 "websiteY"
+access-control-tag: 10.1.3.0/24 "websiteY"
+access-control-tag: 10.1.1.0/24 "websiteZ"
+access-control-tag: 10.1.2.0/24 "websiteZ"
+access-control-tag: 10.1.3.0/24 "websiteZ"
+# Create the local-zone, and allow normal service
+#  which allows non-blocked users access
+#  and allow all types like A and AAAA and CNAME.
+local-zone: www.websitex.com typetransparent
+local-zone: www.websitey.com typetransparent
+local-zone: www.websitez.com typetransparent
+# Tag the domain.
+local-zone-tag: www.websitex.com websiteX
+local-zone-tag: www.websitey.com websiteY
+local-zone-tag: www.websitez.com websiteZ
+# Ensure local data served first.
+access-control-tag-action: 10.1.1.0/24 "websiteY" redirect
+access-control-tag-action: 10.1.2.0/24 "websiteZ" redirect
+# Send users to your polite internal block page.
+access-control-tag-data: 10.1.1.0/24 "websiteY" "A 10.1.1.1"
+access-control-tag-data: 10.1.2.0/24 "websiteZ" "A 10.1.1.1"
+</code>
 ----
@@ Line 140: / Line 214: @@
 https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
+https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/