Skip to content
English - United States
Request Support My Tickets
Go to Dashboard
  • There are no suggestions because the search field is empty.

Configuring a list of devices exempt from access control in pfSense®

This article explains how to create a NAT port forwarding rule in pfSense® to redirect DNS queries from listed devices to a DNS server of your choice, whether internal or external. In the context of creating a list of devices exempt from Lumiun DNS access control, this rule is intended to redirect DNS queries to other servers, rather than directing them to Lumiun DNS servers, as is done with other controlled devices.

In this article, we will address two scenarios: With Internal DNS Server and Without Internal DNS Server.

Important: Before making this configuration, ensure that your pfSense® DNS service is working. To test it, use a command such as nslookup google.com 192.168.0.1
from any computer on your network, replacing 192.168.0.1 with your pfSense® IP address.

Note: Ensure that your pfSense® receives DNS queries only from your local network. If it is exposed to the internet, configure the firewall to allow access to port 53 (tcp and udp) only from the local network.

With internal DNS server

  1. Enable automatic reflection NAT

    1. Go to the SystemAdvancedFirewall & NAT menu.
    2. Enable the Enable automatic outbound NAT for Reflection option.
    3. Save the configuration by clicking the Save button.

  2. Prevent filtering of queries originating from your internal domain's DNS server

    1. Go to the FirewallNAT menu and stay on the Port Forwarding tab.
    2. Click the Add button.
    3. Fill in the details:

      Interface: LAN

      • Protocol      : TCP/UDP

      • Click the Display Advanced button in the Source section.

      • Source - Type:       Address or alias

      • Source - Address      : internal domain DNS server IP (AD)

      • Destination - Type      : Any

      • Destination port range - From port      : DNS

      • Destination port range - To port      : DNS

      • Redirect target IP - Type      : Address or Alias

      • Redirect target IP - Address      8.8.8.8

      • Redirect target port - Port      : DNS

    4. Save the configuration by clicking the Save button and confirm by clicking Apply Changes.

  3. Configure conditional DNS forwarding based on the internal domain in the pfSense® DNS service

    1. Go to the ServicesDNS Forwarder menu.
    2. Further down the page, in the Domain overrides section, click the Add button.
    3. Fill in the details:

      • Domain: your internal network domain

      • IP Address: IP address of the internal domain DNS server (AD)

    4. Save the configuration by clicking the Save button.

  4. Create the list of exceptions (devices exempt from filtering)

    1. Go to the FirewallAliases menu
    2. Click on Add
    3. Fill in the details:

      • Name = unfiltered_devices or whatever name you prefer

      • Type = Host(s)

      • IP = IP of a device that will not have controlled DNS traffic

      • To add more IP addresses, click the Add Hosts button below.
    4. Save the configuration by clicking the Save button and confirm by clicking Apply Changes.

  1. Create the NAT rule to prevent DNS filtering of exempt devices

    1. Go to the FirewallNAT menu and stay on the Port Forwarding tab.
    2. Click the Add button.
    3. Fill in the details:

      • Interface: LAN

      • Protocol: TCP/UDP

      • Click the Display Advanced button in the Source section.

      • Source - Type: Address or Alias

      • Source - Address: unfiltered_devices

      • Destination - Type: This firewall (Self)

      Destination port range - From port: DNS

      Destination port range - To port: DNS

      Redirect target IP - Type: Address or Alias

      Redirect target IP - Address: internal domain DNS server IP (AD)

      Redirect target port - Port: DNS

    4. Save the configuration by clicking the Save button and confirm by clicking Apply Changes.

That's it! Setup complete.

Without Internal DNS Server

  1. Create the list of exceptions (devices exempt from filtering)

    1. Go to the FirewallAliases menu
    2. Click on Add
    3. Fill in the details:

      • Name = unfiltered_devices or whatever name you prefer

      • Type = Host(s)

      • IP = IP of a device that will not have controlled DNS traffic

      • To add more IP addresses, click the Add Hosts button below.
    4. Save the configuration by clicking the Save button and confirm by clicking Apply Changes.

  2. Create the NAT rule to prevent DNS filtering of exempt devices

    1. Go to the FirewallAliases menu
    2. Click on Add
    3. Fill in the details:

      • Interface: LAN

      • Protocol: TCP/UDP

      • Click the Display Advanced button in the Source section.

      • Source - Type: Address or Alias

      • Source - Address: unfiltered_devices

      • Destination - Type: Any

      • Destination port range - From port      : DNS

      • Destination port range - To port: DNS

      Redirect target IP - Type: Address or Alias

      • Redirect target IP - Address: 8.8.8.8

      • Redirect target port - Port: DNS
    4. Save the configuration by clicking the Save button and confirm by clicking Apply Changes.

That's it! Setup complete.