
Author Topic: Correct Way to Bypass  (Read 291 times)


Offline Cardnyl

  • Newbie
  • Posts: 9
  • Karma: +0/-0
Correct Way to Bypass
« on: December 17, 2017, 11:40:42 am »
I need to set up a bypass for some streaming media type devices because these devices are set up in such a way that if the ads content isn't displayed the devices can tell and subsequently halt viewing of the content. Best example of this is many of the apps built into an appleTV (Fox, CBS, etc.). If the commercials don't display because of pfblocker then the whole show comes screeching to a halt.

I set up an alias (StreamingMediaDevices) that includes all of these devices on my network. I've attached screenshots showing the ideal rules order I'd like to use along with the rules sorting option I have selected. Manual reordering doesn't work permanently because the rules are re-sorted by pfblocker every so often. I went so far as to adjust the description for my StreamingMediaDevice rule (the rule below the anti-lockout in the screenshot) to "pfB_Bypass" and upon reload the rule is completely deleted.

What is the correct way to allow a subset of devices to completely skirt pfblocker protection?

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2601
  • Karma: +810/-5
Re: Correct Way to Bypass
« Reply #1 on: December 18, 2017, 09:49:51 pm »
Quote
I need to set up a bypass for some streaming media type devices because these devices are set up in such a way that if the ads content isn't displayed the devices can tell and subsequently halt viewing of the content. Best example of this is many of the apps built into an appleTV (Fox, CBS, etc.). If the commercials don't display because of pfblocker then the whole show comes screeching to a halt.

If you are trying to bypass DNSBL domain blocking with Firewall rules, it will never work... They are two different animals...

If you don't want some devices to be filtered by DNSBL, then define their DNS settings to use a different DNS server (i.e. 8.8.8.8)...

Quote
Manual reordering doesn't work permanently because the rules are re-sorted by pfblocker every so often.

The rules are ordered according to the pfBlockerNG Rule Order setting... You could try to create your Permit rules in pfBlockerNG, or use "Alias type" rules and manually create the rules as required for your particular use-case...
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |

Offline Cardnyl

  • Newbie
  • Posts: 9
  • Karma: +0/-0
Re: Correct Way to Bypass
« Reply #2 on: December 19, 2017, 09:29:58 am »
Quote
I need to set up a bypass for some streaming media type devices because these devices are set up in such a way that if the ads content isn't displayed the devices can tell and subsequently halt viewing of the content. Best example of this is many of the apps built into an appleTV (Fox, CBS, etc.). If the commercials don't display because of pfblocker then the whole show comes screeching to a halt.

If you are trying to bypass DNSBL domain blocking with Firewall rules, it will never work... They are two different animals...

If you don't want some devices to be filtered by DNSBL, then define their DNS settings to use a different DNS server (i.e. 8.8.8.8)...

Quote
Manual reordering doesn't work permanently because the rules are re-sorted by pfblocker every so often.

The rules are ordered according to the pfBlockerNG Rule Order setting... You could try to create your Permit rules in pfBlockerNG, or use "Alias type" rules and manually create the rules as required for your particular use-case...

I modified the static DHCP reservations for the devices in question to use a different set of DNS servers other than my pfsense box.

The part I'm unsure of is where specifically to make the permit rules you mentioned. The only way I've been able to keep the permit rule is if I create an IPv4 feed and modify the "Advanced Outbound Firewall Rule Settings" section to specifically use my alias as the source (see attachment). The "list" field must be populated otherwise it doesn't actually create the rule for me. Is this what you meant by making the permit rules in pfblockerNG?

The second suggestion you mentioned was manual creation of the rules to achieve what I want but I don't see how that is feasible. There doesn't appear to be a single rule order option in what is provided to achieve the rule order in the screenshot of my first post. In case the screenshot isn't viewable the rule order at a high level is as follows:

pfsense Anti-Lockout
My manually created bypass rule for pfblockerNG
pfblockerNG's auto populated denies
My manually created deny
pfsense's auto populated passes for ipv4/6 traffic

There would need to be a 6th option added which doesn't re-order the rules at all.
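An added example, not code from the thread, from pfSense or from pfBlockerNG: a small Python model of the two layers BBcan177 separates in Reply #1 (DNSBL happens in the resolver, firewall rules happen in pf), run against the rule order listed just above. All addresses, alias names, the sinkhole value, the feed contents and the "re-sort" that moves the bypass below the auto deny are constructed for illustration; the model assumes pfSense's usual first-match ("quick") evaluation and does not reproduce any real pfBlockerNG Rule Order option.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# --- Layer 1: DNSBL, applied by the resolver, not by pf ---------------------
PFSENSE_RESOLVER = "192.168.1.1"        # assumed LAN address of Unbound on the pfSense box
DNSBL_SINKHOLE = "10.10.10.1"           # illustrative sinkhole answer for blocked names
DNSBL_DOMAINS = {"ads.example.net", "tracker.example.org"}   # constructed feed contents
PUBLIC_DNS = {                          # constructed "real" records a public resolver returns
    "ads.example.net": "203.0.113.10",
    "tracker.example.org": "198.51.100.7",
    "video.example.com": "192.0.2.50",
}


def resolve(name: str, resolver: str) -> Optional[str]:
    """Answer a query the way the client's chosen resolver would.

    Only pfSense's Unbound consults the DNSBL; a client pointed at any other
    resolver (via a static DHCP reservation, as the poster did) gets the real
    record. Firewall rule order never enters this function.
    """
    if resolver == PFSENSE_RESOLVER and name in DNSBL_DOMAINS:
        return DNSBL_SINKHOLE
    return PUBLIC_DNS.get(name)


# --- Layer 2: pf rules, first match wins -------------------------------------
@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: str      # alias name, CIDR/host, or "any"
    dst: str
    desc: str


ALIASES = {   # constructed alias tables; pfB_AdNetworks_v4 stands in for an "Alias type" IPv4 list
    "StreamingMediaDevices": ["192.168.1.50/32", "192.168.1.51/32"],
    "pfB_AdNetworks_v4": ["203.0.113.0/24", "198.51.100.0/24"],
    "LAN": ["192.168.1.0/24"],
}


def _hit(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    nets = ALIASES.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)


def evaluate(rules: List[Rule], src: str, dst: str) -> Rule:
    """Return the first rule matching src -> dst; unmatched traffic is denied."""
    for r in rules:
        if _hit(r.src, src) and _hit(r.dst, dst):
            return r
    return Rule("block", "any", "any", "implicit default deny")


# The order the poster wants: anti-lockout, own bypass, pfB auto deny, own deny, default pass
WANTED = [
    Rule("pass", "LAN", "192.168.1.1", "anti-lockout"),
    Rule("pass", "StreamingMediaDevices", "any", "manual pfB bypass"),
    Rule("block", "LAN", "pfB_AdNetworks_v4", "pfB auto deny"),
    Rule("block", "LAN", "192.0.2.0/24", "own manual deny (constructed target)"),
    Rule("pass", "LAN", "any", "default LAN pass"),
]


def resorted(rules: List[Rule]) -> List[Rule]:
    """A re-sort that puts auto rules ahead of every user rule except anti-lockout.

    Constructed to show the effect the poster reports, not a real pfBlockerNG setting.
    """
    auto = [r for r in rules if r.desc.startswith("pfB auto")]
    rest = [r for r in rules if r not in auto]
    head = [r for r in rest if r.desc == "anti-lockout"]
    tail = [r for r in rest if r.desc != "anti-lockout"]
    return head + auto + tail


def fetch(name: str, src: str, resolver: str, rules: List[Rule]) -> Tuple[Optional[str], str, Optional[str]]:
    """End-to-end view for one client: (answered IP, firewall action, matching rule)."""
    ip = resolve(name, resolver)
    if ip is None:
        return None, "nxdomain", None
    r = evaluate(rules, src, ip)
    return ip, r.action, r.desc


if __name__ == "__main__":
    cases = [
        ("streaming box, pfSense DNS, wanted order", "192.168.1.50", PFSENSE_RESOLVER, WANTED),
        ("streaming box, 8.8.8.8, wanted order", "192.168.1.50", "8.8.8.8", WANTED),
        ("other client, 8.8.8.8, wanted order", "192.168.1.20", "8.8.8.8", WANTED),
        ("streaming box, 8.8.8.8, after re-sort", "192.168.1.50", "8.8.8.8", resorted(WANTED)),
    ]
    for label, src, resolver, rules in cases:
        print(f"{label:45s} -> {fetch('ads.example.net', src, resolver, rules)}")
```

The first case is the one the thread turns on: with the streaming box still using pfSense's resolver, the bypass rule fires and passes the packet, but the packet is headed for the sinkhole, so the ad never loads. Only changing the resolver (second case) changes the answer; after that, rule order decides whether the auto deny or the bypass wins (third and fourth cases).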

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2601
  • Karma: +810/-5
Re: Correct Way to Bypass
« Reply #3 on: December 19, 2017, 06:22:20 pm »
Quote
The part I'm unsure of is where specifically to make the permit rules you mentioned.

In the IPv4 tab, set the "Action" to a Permit setting.

Quote
The second suggestion you mentioned was manual creation of the rules to achieve what I want but I don't see how that is feasible. There doesn't appear to be a single rule order option in what is provided to achieve the rule order in the screenshot of my first post.

In the same "Action" setting select one of the "Alias" types. This will create the aliastable with the IPs, but will not create any rules... You can then manually create the rules as required and associate the aliastables in those rules...

Click on the blue ( i ) infoblock icons in the IPv4 Tab for additional details.

Offline Cardnyl

  • Newbie
  • Posts: 9
  • Karma: +0/-0
Re: Correct Way to Bypass
« Reply #4 on: December 21, 2017, 09:39:30 am »
Quote
The part I'm unsure of is where specifically to make the permit rules you mentioned.

In the IPv4 tab, set the "Action" to a Permit setting.

Quote
The second suggestion you mentioned was manual creation of the rules to achieve what I want but I don't see how that is feasible. There doesn't appear to be a single rule order option in what is provided to achieve the rule order in the screenshot of my first post. Unless the rule is made by pfblocker itself there's simply no way to create the rule order shown.

In the same "Action" setting select one of the "Alias" types. This will create the aliastable with the IPs, but will not create any rules... You can then manually create the rules as required and associate the aliastables in those rules...

Click on the blue ( i ) infoblock icons in the IPv4 Tab for additional details.

I tried the alias settings you mentioned. I was able to reference the alias in a manual firewall rule but the rule ordering issue still applies - there isn't a rule ordering option that allows me to keep the manual bypass rule above the automatically generated blocks while ensuring that the default pfsense pass rules stay below the pfblocker block rules. Take a look at the rules screenshot from the original post.

I opted for the first suggestion you made (setting the action to permit) using the settings shown in the screenshots. I need to run some tests to make sure the devices are actually operating correctly and will post back soon.

Offline BBcan177

  • Moderator
  • Hero Member
  • Posts: 2601
  • Karma: +810/-5
Re: Correct Way to Bypass
« Reply #5 on: December 21, 2017, 07:49:19 pm »
Click on the ( i ) infoblock in the IPv4 tab in the "List Action" setting... This will explain how to use "Alias type" rules... All the rules that you are showing are "Auto" type rules..... You need to use either "Alias Deny", "Alias Permit", "Alias Match" or "Alias Native".