PFSense - pfBlockerNG - Bypass pfBlockerNG for specific clients
Navigate to Services → DNS Resolver.
In the General Settings tab, change:
- Custom options:
server:private-domain: "plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf
to
- Custom options:
server:private-domain: "plex.direct"
server:
access-control-view: 192.168.50.0/24 bypass
access-control-view: 192.168.1.0/24 dnsbl
access-control-view: 192.168.70.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf
NOTE: Do not have multiple server: options in front of the access-control-view settings; a single server: header covers all of them.
Also, do not put the word server: in front of the include statement inside the dnsbl view: it must read include: /var/unbound/pfb_dnsbl.*conf, not server:include: /var/unbound/pfb_dnsbl.*conf.
The following line may be needed above the include: /var/unbound/pfb_dnsbl.*conf line: include: /var/unbound/host_entries.conf.
WARNING: If you update pfBlockerNG, or disable and re-enable DNSBL, the line include: /var/unbound/pfb_dnsbl.*conf will be reset back to the standard entry starting with the word server:, so it will become server:include: /var/unbound/pfb_dnsbl.*conf again.
You will need to check each time and remove any leading server: to ensure the bypass behaves as expected.
This is hard-coded into pfBlockerNG until it is fixed upstream.
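As an added check that is not part of this page or of pfBlockerNG: a small Python script that parses the Custom options text above, reports any include: line that has regained its server: prefix (the reset described in the WARNING), flags access-control-view entries that point at a view which is never defined, and shows which view a given client address lands in. It assumes Unbound's most-specific-netblock matching for access-control-view entries, and the configuration sample embedded in it is constructed from the block above.

```python
import ipaddress
# Constructed sample: the corrected "Custom options" block from this page, one directive per line.
SAMPLE_CONF = """\
server:
access-control-view: 192.168.50.0/24 bypass
access-control-view: 192.168.1.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf
"""
def parse_views(text):
    """Return (acls, views, issues): access-control-view entries, per-view directives, problems found."""
    acls, views, issues = [], {}, []
    section = current = None
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue  # blank lines and comments
        if ln.startswith("server:include:"):
            # The reset the WARNING describes: "server:" pulls the DNSBL include back into the global section.
            issues.append("leading 'server:' before include: " + ln)
            continue
        if ln in ("server:", "view:"):
            section, current = ln[:-1], None
            continue
        key, _, value = (part.strip() for part in ln.partition(":"))
        if section == "view" and key == "name":
            current = value.strip('"')
            views[current] = []
        elif section == "view" and current:
            views[current].append((key, value))
        elif key == "access-control-view":
            net, _, view = value.partition(" ")
            acls.append((ipaddress.ip_network(net, strict=False), view.strip()))
    issues += [f"{n} references undefined view '{v}'" for n, v in acls if v not in views]
    return acls, views, issues

def view_for_client(ip, acls):
    """Unbound applies the most specific (longest-prefix) netblock match; None means no view."""
    hits = [(net.prefixlen, view) for net, view in acls if ipaddress.ip_address(ip) in net]
    return max(hits)[1] if hits else None

def view_has_dnsbl(view, views):
    """True when the view carries the pfb_dnsbl include, i.e. its clients are filtered."""
    return any(k == "include" and "pfb_dnsbl" in v for k, v in views.get(view, []))
```

Feed it the text you pasted into Custom options after each pfBlockerNG update: an empty issues list together with view_has_dnsbl("dnsbl", ...) being true and view_has_dnsbl("bypass", ...) being false is the state the page describes.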
Another example
This example uses Cloudflare's DNS over TLS, hence the forward-zone configuration.
server:
private-domain: "plex.direct"
access-control-view: 192.168.1.51/32 bypass
access-control-view: 192.168.1.61/32 bypass
access-control-view: 192.168.1.83/32 bypass
access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl
access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl
access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl
access-control-view: 192.168.1.0/24 dnsbl
access-control-view: 192.168.2.0/24 dnsbl
access-control-view: 192.168.3.0/24 dnsbl
rrset-roundrobin: yes
forward-zone:
name: "."
forward-ssl-upstream: yes
# Cloudflare DNS
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853
view:
name: "bypass"
view-first: yes
#include: /var/unbound/host_entries.conf
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/host_entries.conf
# local-zone: "youtube.com" inform_deny
# local-zone: "facebook.com" inform_deny
include: /var/unbound/pfb_dnsbl.*conf
NOTE: A 192.168.0.0/22 mask (CIDR) for the IPv4 subnets does not work; I instead had to define each subnet with a /24. Maybe a /16 would have worked?
Same problem with IPv6 (note: the examples mask my real IPv6 prefix): I had to define multiple /64s, as a single /62 did not work.
The dnsbl view needed to have include: /var/unbound/host_entries.conf, otherwise the host overrides did not resolve. For some reason, however, that was not required for the bypass view, which seems to operate quite happily without the include:, hence it is commented out there.
The two commented-out local-zone entries are an easy way to block social media.
Enforce Google, YouTube, Bing and DuckDuckGo SafeSearch
server:
access-control-view: 192.168.10.0/24 bypass
access-control-view: 192.168.20.0/24 dnsbl
view:
name: "bypass"
view-first: yes
view:
name: "dnsbl"
view-first: yes
include: /var/unbound/pfb_dnsbl.*conf
local-data: "www.google.com 60 IN A 216.239.38.120"
local-data: "www.youtube.com 60 IN A 216.239.38.119"
local-data: "www.bing.com 60 IN A 204.79.197.220"
local-data: "duckduckgo.com 60 IN A 107.20.240.232"
The local-data entries added in our "dnsbl" view force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included.
We have to add them here, as adding them as a Host Override on the DNS Resolver configuration page would enforce them for all clients.