

Topics - Xentrk

1
pfBlockerNG / DNSBL - Certificate error when accessing github.com
« on: November 07, 2017, 09:20:28 pm »
I think this started with the 2.4.1 upgrade.

github.com is being blocked by one of the blocklists.  So I whitelisted the domain github.com by clicking on the plus sign to add the entry to the Custom Domain Whitelist in DNSBL. I bounced Unbound and cleared Firefox browser cache. 

I now get this error when trying to access github.com.

Code:
An error occurred during a connection to github.com. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

If I disable DNSBL, I can access github.com with no issues.


2
Firewalling / Firewall blocking some websites
« on: August 16, 2017, 03:21:47 am »
For the past year, I routed all of my traffic to the VPN tunnel and everything went well. I now need to route some clients thru the WAN interface. I have created policy rules and at first, everything worked okay.  I started experiencing issues with http traffic being blocked for the clients that went thru the WAN interface.  Most of the sites were news and speed test sites.  I posted the issue here.

https://forum.pfsense.org/index.php?topic=135175.0

I thought I had the issue resolved earlier today by removing snort and unchecking some of the Suricata rules.  But now a new issue is appearing.  I started getting blocked on cnn.com.  The other news and speed test sites are okay so far.  So, I removed Suricata altogether to eliminate that as the potential issue.  When I look at the logs and click on the X, I see the message:

The rule that triggered this action is:

@9(1000000103) block drop in log inet all label "Default deny rule IPv4"

Attached are sample entries.

When I do an nslookup, I see the ipv4 ip address did not get returned:

nslookup cnn.com
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Name:    cnn.com
Addresses:  2a04:4e42:600::323
          2a04:4e42::323
          2a04:4e42:400::323
          2a04:4e42:200::323


A few minutes later, I try again, and they appear:

nslookup cnn.com
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Non-authoritative answer:
Name:    cnn.com
Addresses:  2a04:4e42:600::323
          2a04:4e42::323
          2a04:4e42:400::323
          2a04:4e42:200::323
          151.101.129.67
          151.101.1.67
          151.101.65.67
          151.101.193.67

I did not do anything that I am aware of to get the ipv4 address working again.   

I also run pfBlockerNG on the WAN and two VPN Client interfaces.  Any ideas are welcome.  Thank you!

Update
After posting this, I left for two hours and returned home. I wanted to go to the pfsense doc web site to read more about firewall and what could be causing my grief. The page doc.pfsense.org could not be loaded. Good grief!  Notice how the ipv4 ip address for the site is not listed when performing an nslookup.

nslookup doc.pfsense.org
Server:  pfSense.mydomain.com
Address:  192.168.4.1

Name:    doc.pfsense.org
Address:  2610:160:11:11::68


3
IDS/IPS / "Block snort2c hosts" blocking http traffic for LAN clients
« on: August 14, 2017, 02:12:52 am »
For the past year, I've had all traffic on the LAN go thru the VPN tunnel.  Everything worked great.

I recently created firewall rules on the LAN to route some clients over the WAN interface and others over the VPN interface.  The clients that go thru the VPN interface are fine.  The issue is with the clients that go thru the WAN interface.  The firewall is blocking http traffic for these clients.  https traffic is okay.  When I go to the firewall system log and click on the "x", I see this message:

@51(1000000118) block drop log quick from any to <snort2c:10> label "Block snort2c hosts"

I am running both suricata and snort.  Turning off both of them does not fix the problem. However, if I reboot the router, there is a three minute window where the http traffic can get thru to the WAN from the LAN before it gets blocked. 

I am not sure how to fix this issue. I went back thru the pfsense docs for snort and created a pass list for LAN clients and implemented it. But it did not work. Plus, the default list should have handled this situation. So I removed it. 

I hope that someone can help point me in the right direction. 

Thank You!

--------UPDATE-------
I have http traffic flowing on the LAN interface now.  What I did was stop the Suricata WAN Interface (LAN is set to monitoring only).  I browsed to the http sites and they worked.  I then went back into the Suricata WAN gui page, disabled logging for DNS, Stats and TLS, which are the defaults. I then enabled and saved.  I was still able to browse the http sites that were blocked even though I had enabled Suricata.  I don't see any more block entries in the firewall logs.

This fix makes no sense to me.  I am hesitant to claim a solution until this has been up and running awhile without further blocks. I will take some time to review the rules again. 

4
DHCP and DNS / [SOLVED] dnsmasq log file equivalent for DNS Resolver
« on: August 05, 2017, 09:33:00 pm »
On my ASUS router, I recently watched the dnsmasq.log (tail f dnsmasq.log) to identify the domains being referenced by a streaming media channel so I could create policy rules and route traffic between two OpenVPN clients.  I was able to configure both my pfSense appliance and the ASUS router for my use case using policy rules with the firewall using the domain names that were identified.

I am using pfBlockerNG and DNS Resolver. DNS Resolver does not appear to use dnsmasq from what I can tell. Is there an equivalent dnsmasq log file for DNS Resolver I can look at to see the domain names being referenced by my LAN traffic?   I saw a file called /var/log/resolver.log.  But this only contained the domain names I had used in my firewall alias and firewall rules to route the traffic.  Where is the domain name LAN traffic being logged to when using DNS Resolver? Googling not helping thus far.

Thank you.

Solution


After a few days of off and on googling for a solution, I was finally able to find the solution at this site:

https://doc.pfsense.org/index.php/DNS_Forwarder_Troubleshooting

In summary, in the DNS Resolver web gui page, you have to add the option log-queries: yes in the Custom options box. I then need to go to Status, Systems Log, Settings and turn on remote logging and check the box for DNS Events (Resolver/unbound, Forwarder/dnsmasq, filterdns).  If I don't do this, I don't see unbound domain names entries logged in resolver.log. 

To view the entries, you can tail -f /var/log/resolver.log

Or, you can install kiwi system log on your client machine (mine is Win 10) and watch the entries as you navigate websites or streaming media sites.

https://linhost.info/2010/07/pfsense-remote-logging-to-kiwi-syslog-server/

Note that there is a newer version of kiwi syslog and I was not able to get it working. I'll try again. So I reverted to the older version I already had installed.

I need this information as I want to route certain traffic between two OpenVPN client gateways depending on the domain names the traffic generates.  For example, I am able to use this information to identify what domains are being called when I turn on a certain media streaming site.  I can then create firewall rules to route this traffic to a VPN server in a large market to have more channels.

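The procedure above (log-queries: yes in Unbound, then watching /var/log/resolver.log) produces one line per query. The following script is an added example, not part of the original post or of pfSense, that turns such lines into the per-client domain lists the post wants for building host aliases. The log lines, client addresses and domain names embedded in it are constructed; the line layout follows Unbound's query log format (client, qname with trailing dot, qtype, qclass) as forwarded by pfSense syslog.

```python
import re
from collections import defaultdict

# Constructed sample of resolver.log lines (hypothetical timestamps, PIDs and
# 192.168.4.0/24 clients; the last line is a non-query line that must be skipped).
SAMPLE_LOG = """\
Aug  5 21:33:01 pfSense unbound: [41234:0] info: 192.168.4.20 cbs.com. A IN
Aug  5 21:33:01 pfSense unbound: [41234:0] info: 192.168.4.20 cbs.com. AAAA IN
Aug  5 21:33:02 pfSense unbound: [41234:1] info: 192.168.4.20 www.cbs.com. A IN
Aug  5 21:33:03 pfSense unbound: [41234:0] info: 192.168.4.20 static.cbs.com. A IN
Aug  5 21:33:05 pfSense unbound: [41234:2] info: 192.168.4.31 forum.pfsense.org. A IN
Aug  5 21:33:06 pfSense unbound: [41234:0] info: 192.168.4.20 media.pbs.org. A IN
Aug  5 21:33:07 pfSense unbound: [41234:1] info: start of service (unbound 1.6.4).
"""

# Unbound query line: "info: <client ip> <qname>. <qtype> IN"
QUERY_RE = re.compile(
    r"unbound: \[\d+:\d+\] info: (\d{1,3}(?:\.\d{1,3}){3}) (\S+)\. (\S+) IN$"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every query line; ignore other lines."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3)


def domains_by_client(log_text):
    """Map each LAN client to the sorted, de-duplicated names it resolved."""
    seen = defaultdict(set)
    for ip, qname, _qtype in parse_queries(log_text):
        seen[ip].add(qname)
    return {ip: sorted(names) for ip, names in seen.items()}


def alias_candidates(log_text, client_ip):
    """Collapse one client's queried names to their last two labels (cbs.com,
    pbs.org) for pasting into a pfSense host alias. Note: this naive cut is
    wrong for registries such as co.uk; review the list before using it."""
    bases = set()
    for ip, qname, _qtype in parse_queries(log_text):
        if ip == client_ip:
            bases.add(".".join(qname.split(".")[-2:]))
    return sorted(bases)


if __name__ == "__main__":
    for ip, names in domains_by_client(SAMPLE_LOG).items():
        print(ip, names)
    print("alias for 192.168.4.20:", alias_candidates(SAMPLE_LOG, "192.168.4.20"))
```

In practice, pipe `tail -f /var/log/resolver.log` through the script instead of the embedded sample and watch which names appear when the streaming channel is started.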
5
I am having issues with my Roku 4 player not being able to stream videos on CBS All Access, PBS and CNET. I select a video, it starts to stream, then returns me to the home screen.  When I disable pfBlockerNG, the channels work.  Likewise, if I plug the ETH cable from the Roku 4 into my ASUS AC88U router, it works there too.  So I suspect pfBlockerNG is blocking traffic from these channels to their servers.

How can I troubleshoot this issue? I perhaps need to see what server ip addresses these channels are connecting to and whitelist them?  I tried whitelisting cbs.com, pbs.org and cnet.com in DNSBL, Custom Domain Whitelist.  This did not fix the issue. 

Thanks for the help!

7
pfBlockerNG / Privacy-Filter
« on: April 23, 2017, 06:16:05 am »
Blocks sites that collect information about you; it is for blocking Telemetry and some Android Rootkits along with Shodan.io Scanners.  Original script source https://github.com/RMerl/asuswrt-merlin/wiki/Ipset-script-installation-instructions#privacy-filter

To make this work on pfSense, create a DNSBL feed called Privacy-Filter and add the following under Custom Block List.  List Action is Unbound. 

Code:
a.rad.msn.com
a-0001.a-msedge.net
a-0002.a-msedge.net
a-0003.a-msedge.net
a-0004.a-msedge.net
a-0005.a-msedge.net
a-0006.a-msedge.net
a-0007.a-msedge.net
a-0008.a-msedge.net
a-0009.a-msedge.net
ac3.msn.com
aidps.atdmt.com
aka-cdn-ns.adtech.de
b.ads1.msn.com
b.rad.msn.com
bs.serving-sys.com
c.atdmt.com
c.msn.com
choice.microsoft.com
choice.microsoft.com.nsatc.net
corp.sts.microsoft.com
corpext.msitadfs.glbdns2.microsoft.com
db3aqu.atdmt.com
df.telemetry.microsoft.com
diagnostics.support.microsoft.com
fe2.update.microsoft.com.akadns.net
feedback.microsoft-hohm.com
feedback.search.microsoft.com
feedback.windows.com
flex.msn.com
g.msn.com
h1.msn.com
i1.services.social.microsoft.com
lb1.www.ms.akadns.net
live.rads.msn.com
m.adnxs.com
msedge.net
msnbot-65-55-108-23.search.msn.com
msntest.serving-sys.com
oca.telemetry.microsoft.com
pre.footprintpredict.com
preview.msn.com
rad.live.com
rad.msn.com
redir.metaservices.microsoft.com
reports.wes.df.telemetry.microsoft.com
s.gateway.messenger.live.com
s0.2mdn.net
schemas.microsoft.akadns.net
secure.adnxs.com
secure.flashtalking.com
services.wes.df.telemetry.microsoft.com
settings-sandbox.data.microsoft.com
settings-win.data.microsoft.com
sls.update.microsoft.com.akadns.net
sqm.df.telemetry.microsoft.com
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net
static.2mdn.net
statsfe1.ws.microsoft.com
statsfe2.update.microsoft.com.akadns.net
statsfe2.ws.microsoft.com
survey.watson.microsoft.com
telecommand.telemetry.microsoft.com
telemetry.appex.bing.net
telemetry.microsoft.com
telemetry.urs.microsoft.com
view.atdmt.com
vortex.data.microsoft.com
vortex-sandbox.data.microsoft.com
vortex-win.data.microsoft.com
watson.live.com
watson.microsoft.com
watson.ppe.telemetry.microsoft.com
watson.telemetry.microsoft.com
wes.df.telemetry.microsoft.com
www.msftncsi.com
nametests.com
oyag.lhzbdvm.com
oyag.prugskh.net
oyag.prugskh.com
census1.shodan.io
census2.shodan.io
census3.shodan.io
census4.shodan.io
census5.shodan.io
census6.shodan.io
census7.shodan.io
census8.shodan.io
census9.shodan.io
census10.shodan.io
census11.shodan.io
census12.shodan.io
atlantic.census.shodan.io
pacific.census.shodan.io
rim.census.shodan.io
pirate.census.shodan.io
ninja.census.shodan.io
border.census.shodan.io
burger.census.shodan.io
atlantic.dns.shodan.io
hello.data.shodan.io

8
pfBlockerNG / Blocking Microsoft Spy Servers
« on: April 23, 2017, 06:11:03 am »
Thought I would share this one. Under pfBlockerNG, select IPv4.  Create an Alias called Microsoft Spy Servers. List Action = Deny Both.  Go to IPv4 Custom List, add the following IP addresses:

Code:
23.99.10.11 63.85.36.35 63.85.36.50 64.4.6.100 64.4.54.22 64.4.54.32 64.4.54.254 65.52.100.7 65.52.100.9 65.52.100.11 65.52.100.91 65.52.100.92 65.52.100.93 65.52.100.94 65.55.29.238 65.55.39.10 65.55.44.108 65.55.163.222 65.55.252.43 65.55.252.63 65.55.252.71    65.55.252.92 65.55.252.93 66.119.144.157 93.184.215.200 104.76.146.123 111.221.29.177 131.107.113.238 131.253.40.37 134.170.52.151 134.170.58.190 134.170.115.60 134.170.115.62 134.170.188.248 157.55.129.21 157.55.133.204 157.56.91.77 168.62.187.13 191.234.72.183 191.234.72.186 191.234.72.188 191.234.72.190 204.79.197.200 207.46.223.94 207.68.166.254
Save and force an update!

Sources
https://raw.githubusercontent.com/shounak-de/misc-scripts/master/create-ipset-lists.sh
https://github.com/RMerl/asuswrt-merlin/wiki/Ipset-script-installation-instructions#tor-and-countries-block


9
pfBlockerNG / pfBlockerNG with OpenVPN client
« on: March 07, 2017, 09:22:03 am »
Hello,

I'm using release 2.3.3.  I recently read through the forum and read websites on how to configure pfBlockerNG for ad blocking.  I have a WAN, LAN and OpenVPN Client interface called TGInterface.  This is a Torguard OpenVPN client to my private-ip address. All clients/traffic use the TGInterface interface. I can access websites when I change from DNS Forwarder to DNS Resolver without enabling pfBlockerNG. But when I enable pfBlockerNG with DNSBL, I can't access the internet.  How can I configure pfBlockerNG to play nice with the OpenVPN client interface so I can browse ad free while all traffic is using the OpenVPN client interface?

Thanks!
