pfSense VLAN and pfBlockerNG issue

Hi

I have a LAN and two VLANs (IOT_VLAN and TENANT_VLAN)

My LAN is fine, but my 2 VLANs cannot access the net. I am sure it is a DNS issue.

I have blocked each VLAN from accessing my local LAN and unfortunately this also prevents them from accessing DNS.

If I enter 8.8.8.8 as the DNS in DHCP for the VLANs, internet works but pfBlockerNG doesn't.

How do I get both DNS and pfBlockerNG to work on the VLANs?

LAN Rule
IoT Rules

Regards
I

What do you have set under DNS Resolver, Services → DNS Resolver → General Settings? For Network Interfaces do you have it set to all or specific interfaces? If specific interfaces, make sure you select IOT_VLAN and TENANT_VLAN.

Create an allow rule for DNS above the block rule on that subnet.

Thanks for the reply

Both inbound and outbound set to ALL

Okay, since I don’t have access to your rules links (Pic would be helpful). Also make sure you have what Tom mentioned which is a DNS rule.

In the LAN rules or IoT_VLAN?

Also remove this

It is not necessary if you have the DNS Forwarder or DNS Resolver enabled. See documentation for DNS Services — DHCPv4 Server | pfSense Documentation

As a newbie I can only upload minimal pics and links.

Let me know what pics you would like to see and I will upload to Google Drive and post a link to that folder.

Also, I am more than happy to give you access to my firewall via AnyDesk - but I'm not sure if that falls out of scope of "free" forum help.

I have just added it to test, but it is removed.

You should get a request from Google as I requested access to the links you provided.


You have a block rule that blocks IOT_VLAN to This Firewall. You are effectively blocking everything on IOT_VLAN to any address including the WAN. Change that to LAN net. Also, your allow DNS rule should work but I’m not sure. My DNS is configured a little differently than yours. As I set it to the Interface of the network, i.e. IOT_VLAN address.

Thanks so much.

My DNS entry - which I think I got from one of Lawrence's videos - is to force users to only use the pfSense DNS, even if they put a manual entry in their LAN settings on their device or PC.

That would be correct, I have that as well. You have a rule to only allow DNS from the pfSense FW and then a block rule to block DNS anywhere else. I also just noticed for your protocols you have UDP for the allow rule and TCP for the block. Set both rules to TCP/UDP since DNS always uses TCP and UDP.

You also have the allow DNS set to LAN Net; it needs to be LAN Address, and your Source should be LAN Net. Which again I believe will work, but since I have a different configuration, someone will have to correct me on that. But regardless it needs to be LAN Address or IOT_VLAN Address for your Destination and LAN Net or IOT_VLAN Net for your Source for your Allow DNS.
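The rule ordering the two replies above describe, as an added example that is not from the thread or from pfSense itself: a small first-match evaluator over constructed IOT_VLAN addressing (192.168.20.0/24 with pfSense at 192.168.20.1, LAN 192.168.1.0/24, all of which are assumptions), comparing the original "block to This Firewall" rule set with the suggested "allow DNS to the interface address, block other DNS on TCP/UDP, block LAN net" ordering. It also shows why a TCP-only DNS block leaves UDP DNS to 8.8.8.8 open.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for this example (assumption, not taken from the thread).
LAN_NET = ip_network("192.168.1.0/24")
IOT_ADDRESS = ip_address("192.168.20.1")   # "IOT_VLAN address": pfSense's own IP on the VLAN, where the resolver listens
# The "This Firewall" alias matches every address owned by pfSense, including the IOT_VLAN one.
THIS_FIREWALL = {IOT_ADDRESS, ip_address("192.168.1.1"), ip_address("203.0.113.2")}
TCPUDP = frozenset({"tcp", "udp"})

@dataclass
class Rule:
    """One interface rule on IOT_VLAN; source is always IOT_VLAN net, so only dst/port/proto are modelled."""
    action: str                       # "pass" or "block"
    protos: frozenset                 # {"tcp"}, {"udp"} or TCPUDP
    dst: object = None                # IPv4Network, IPv4Address, set of addresses, or None for "any"
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, proto, dst, dport):
        if proto not in self.protos or (self.dport is not None and self.dport != dport):
            return False
        if self.dst is None:
            return True
        if isinstance(self.dst, (set, IPv4Network)):
            return dst in self.dst
        return dst == self.dst

def evaluate(rules, proto, dst, dport):
    """pfSense interface rules are first-match; anything unmatched hits the implicit default deny."""
    dst = ip_address(dst)
    return next((r.action for r in rules if r.matches(proto, dst, dport)), "block")

# Original ordering: the block to "This Firewall" sits above the allow, so the resolver on
# 192.168.20.1 is unreachable; only a public resolver (bypassing pfBlockerNG's DNSBL) works.
BEFORE = [
    Rule("block", TCPUDP, THIS_FIREWALL),
    Rule("pass", TCPUDP),
]
# Suggested ordering: allow DNS to the interface address first, then force DNS by blocking port 53
# elsewhere on both protocols, then isolate the VLAN from LAN net only, then allow the rest.
AFTER = [
    Rule("pass", TCPUDP, IOT_ADDRESS, 53),
    Rule("block", TCPUDP, None, 53),
    Rule("block", TCPUDP, LAN_NET),
    Rule("pass", TCPUDP),
]
# Mismatched protocols as spotted in the thread: UDP allow, TCP-only block, so UDP DNS still leaks out.
TCP_ONLY_BLOCK = [
    Rule("pass", frozenset({"udp"}), IOT_ADDRESS, 53),
    Rule("block", frozenset({"tcp"}), None, 53),
    Rule("pass", TCPUDP),
]
```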

Will the changes you mentioned also ensure pfblockerng works on the VLANS?

Cool, will make the changes and let you know.

Regards

I have gone through Tom's video on pfBlocker but I have not played around with it. So I cannot answer that question truthfully. But that said, the changes should allow you to get to the Internet. And so I think it would also ensure pfBlockerNG should work. But again, I don't have enough experience to answer that question.


Cool, I've made the changes as suggested and the force DNS works, as well as pfBlockerNG, across all networks.

Thanks for your help


Awesome, glad to hear it works!