No internet without a "DNS allow rule" | Why?

I just watched @LTS_Tom video on firewall rules at home.

I had many more rules than shown in the video, so I disabled a few of them, and if I don’t have a specific rule to allow DNS, my devices just lose access to the internet. In the video, Tom does not have any such rule, so it must be “implicitly allowed” elsewhere…

Must be something misconfigured…

Any ideas ?

This is one of my few annoyances with pfSense. You do need a rule to allow anything you want to allow, except DHCP. The firewall drops by default, but DHCP puts in a rule that you can't see in Firewall > Rules when you enable it on an interface. This is confusing. Why can I view things like the anti-lockout rule but not the DHCP rule? I believe Tom has an “allow all” rule on his LAN; I don’t recall the other VLANs. If you open status.php and look under the firewall-generated ruleset, you can see everything it’s really doing.


I rewatched this: 2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages - YouTube

He can ping google.com without any specific rule. I don’t see what is missing.

It’s been a while since I did a clean install, but, I believe when you complete a basic configuration, you can access the internet from the LAN without any rules.

The LAN can, but none of the VLANs. In the tutorial, he created a VLAN and it still had access to the internet without an allow rule.

Can you reference a specific time in the video? I see at about min 47 that he has a rule to block TCP port 10443 on the firewall so the admin interface cannot be accessed on the network ANOTHERLANFORGUEST. Then there is an inverse rule that references an alias. That rule says all traffic not going to the alias, which I believe just has the LAN subnet in it, is allowed. The LAN has an allow all rule. To think about this another way, the ANOTHERLANFORGUEST network can get to anywhere but the LAN and the admin TCP port. Port 53 on the ANOTHERLANFORGUEST is included in that list of places allowed. Make sense? Inverse rules are nice for blocking a bunch of access at once.


We see the simple rules for VLANforGuest
Only admin access to pfSense is blocked (so ping and DNS are still allowed).

He pings Google with success


Without the Allow DNS, no ping to google or any internet for that matter.


At your link the screenshot is this with an allow all. Everything IPv4 is allowed everywhere.

At the 47 min time I referenced this screenshot shows an allow all except the alias (which is the LAN). See the exclamation point before the alias? Everything is allowed except getting to the LAN.

Your picture shows that all TCP/UDP with a source address on the IOT net is allowed to access the IOT interface on port 53. I like to use the actual IP address of the interface, but that should work fine. Your picture also has an allow all rule at the end that is mislabeled “allow internet access” when in fact it allows all access to whatever makes it that far down. It looks to me like on your interface you can get to DNS, a couple of IPs and the internet.

The rule to allow “source = IOT net” is not active in the picture, and this is why I can’t access the internet: no device has DNS resolution. If I activate this rule, it works.

I found a workaround:
Tom creates an alias for his private networks.
In this segment, he specifically lists the existing networks. What I did was to create an alias that encompasses all RFC1918 addresses, and that seems to block access to the router's DNS service.

But Tom does include “192.168.55.0/24” in the “My_Pivate_IPs” alias, under which is his pfSense at 192.168.55.1.

If I disable the “Block RFC1918” rule, then DNS is resolved.

I am baffled… :crazy_face:

So I narrowed the scope of the “Private Network Alias” and all is working well.

You can see at minute 41 that this is his LAN address. So ANOTHERLANFORGUEST (192.168.200.1) can access everything EXCEPT the LAN (192.168.55.0/24) via the fancy “invert match” rule with the alias, and the admin interface. Anyway, glad you figured it out.
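To make the two rulesets discussed above concrete (the invert-match alias rule from the 47-minute mark, and the "Block RFC1918" alias that swallowed DNS to the router), here is an added simulation of pfSense-style first-match rule evaluation. It is example code written for this page, not the thread's or pfSense's own; the alias names, the guest client address 192.168.200.50, the LAN host 192.168.55.10 and the packet list are constructed, while 192.168.55.0/24, 192.168.200.1 and ports 53 and 10443 are taken from the thread. It models only per-interface "quick" rules with the implicit default deny, not states, floating rules, the hidden DHCP rules or the "This Firewall" address set:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Aliases. 192.168.55.0/24 is Tom's LAN from the thread; the rest are the
# standard RFC1918 blocks. Alias names are ours, not the original rule names.
ALIASES: Dict[str, List[str]] = {
    "My_Private_IPs": ["192.168.55.0/24"],
    "RFC1918_all": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

# Constructed addresses: guest/IoT VLAN 192.168.200.0/24 with pfSense at .1
# (as in the thread), a client at .50 and a LAN host at 192.168.55.10.
GUEST_NET = "192.168.200.0/24"
GUEST_GW = "192.168.200.1"
GUEST_CLIENT = "192.168.200.50"
LAN_HOST = "192.168.55.10"


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    descr: str
    proto: Optional[str] = None   # "tcp", "udp", "tcp/udp", "icmp"; None = any
    src: Optional[str] = None     # alias name or CIDR; None = any
    dst: Optional[str] = None
    dport: Optional[int] = None
    invert_dst: bool = False      # the GUI's "invert match" checkbox on destination


def _match_addr(addr: str, spec: Optional[str]) -> bool:
    """True if addr is inside the alias or CIDR spec (None means 'any')."""
    if spec is None:
        return True
    cidrs = ALIASES.get(spec, [spec])
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching rule wins (pfSense interface rules are 'quick');
    anything unmatched falls through to the implicit default deny."""
    for r in rules:
        if r.proto is not None and proto not in r.proto.split("/"):
            continue
        if not _match_addr(src, r.src):
            continue
        dst_hit = _match_addr(dst, r.dst)
        if r.invert_dst:
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.descr
    return "block", "default deny (no rule matched)"


# Tom's guest VLAN as described in the thread: block the admin port on the
# firewall, then pass everything whose destination is NOT the private alias.
TOM_GUEST = [
    Rule("block", "Block admin TCP 10443", proto="tcp", dst=GUEST_GW, dport=10443),
    Rule("pass", "Allow all except My_Private_IPs", dst="My_Private_IPs", invert_dst=True),
]

# The poster's first attempt: an alias covering all of RFC1918 sits above the
# catch-all pass, so it also swallows DNS to the interface address.
OP_BROAD = [
    Rule("block", "Block RFC1918", dst="RFC1918_all"),
    Rule("pass", "Allow internet access"),
]

# The fix, expressed two ways: a DNS pass above the block, or an alias
# narrowed so it no longer includes the interface's own subnet.
OP_WITH_DNS = [
    Rule("pass", "Allow DNS to firewall", proto="tcp/udp", src=GUEST_NET, dst=GUEST_GW, dport=53),
    *OP_BROAD,
]
OP_NARROWED = [
    Rule("block", "Block My_Private_IPs", dst="My_Private_IPs"),
    Rule("pass", "Allow internet access"),
]

# Constructed traffic from a guest client: (src, dst, proto, dport).
PACKETS = {
    "dns_to_firewall": (GUEST_CLIENT, GUEST_GW, "udp", 53),
    "ping_google":     (GUEST_CLIENT, "8.8.8.8", "icmp", None),
    "admin_10443":     (GUEST_CLIENT, GUEST_GW, "tcp", 10443),
    "lan_host_ssh":    (GUEST_CLIENT, LAN_HOST, "tcp", 22),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Action taken for each constructed packet under the given ruleset."""
    return {name: evaluate(rules, *pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rs in [("Tom's guest VLAN", TOM_GUEST), ("OP, broad RFC1918 block", OP_BROAD),
                      ("OP + DNS pass", OP_WITH_DNS), ("OP, narrowed alias", OP_NARROWED)]:
        print(label)
        for name, pkt in PACKETS.items():
            action, why = evaluate(rs, *pkt)
            print(f"  {name:16s} {action:5s} <- {why}")
```

Running it shows why the thread's symptom looks like "no internet": under OP_BROAD the ping to 8.8.8.8 passes but the UDP/53 query to 192.168.200.1 hits "Block RFC1918" first, so nothing resolves. Under Tom's rules the same query passes because 192.168.200.1 is not in My_Private_IPs and the invert match therefore matches it, while the LAN host and TCP 10443 are still blocked. On a real box the authoritative check is the generated ruleset (the firewall-generated rules on status.php, or `pfctl -sr` from a shell), not the GUI summary.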

I usually start my guest and IoT networks with a ruleset about like this, where the main difference is that the guest network has layer 2 isolation turned on in UniFi.

Local subnet alias.

Enjoy!
