Pfsense - Force All Computers to Pfsense's DNS Except for a Few IPs?

I would love to figure out how to force all computers on my network to use Pfsense’s DNS except for a few IPs.

So, far, I have setup a firewall rule to allow DNS queries to the Pfsense box. Then, below that rule, I have a rule that blocks all other DNS queries. Then, I have a NAT port forward that redirects those DNS queries that weren’t pointed to the Pfsense box to the Pfsense box so they have to use the DNS server of the Pfsense box. That all works. However, I cannot figure out how to make exceptions. I have tried putting firewall rules for the exceptions above the firewall block rule, but I haven’t been able to get it to work.

Any help would be GREATLY appreciated.

Thank you!

You can use aliases for this. Define an alias for the IPs you want to whitelist. Then in the NAT and firewall rules, use that alias for the source address and invert it.

1 Like

I am guessing the exceptions are still being NAT’d so you would need to make sure they are excluded in your setup. You could create an identity NAT on top of your existing one that keeps the original source/destination IPs and ports the same for those devices.

1 Like

Thank you for the suggestions. I appreciate it!

For some reason, I can’t get the Firewall -> NAT -> Port Forward rules to allow me to set the source as a “Single host or alias”. It will let me set it to “Single host or alias”, but then it won’t let me define what that is in the box to the right. I can do it just fine in the Firewall rules section, but not in the NAT port forwarding section for some reason. Any ideas?

This seems to work on mine. You have to do this in NAT or it won’t work.


I use firewall rules to block certain devices (especially Chromecasts) from automatically using Google DNS and forcing them to use my Pi-hole server for DNS. In your case, however, have you tried just assigning the devices in question their DNS server(s) using static DHCP mappings?

O.K. I FINALLY got it working. It seems my problem was that Safari in Mac OS wouldn’t allow me to edit the “Address/mask” field like FredFerrell is showing highlighted above. So, I had to move over to an old version of Chrome to be able to do it from my Raspberry Pi (I couldn’t do it from current versions of Brave or Chrome due to a “NET::ERR_CERT_REVOKED” error that I kept getting. I never did find away around that other than going to the RPi). I also set up an alias of excepted IPs and inverted them as suggested by paolo above. I had some learning to do on both the inversion & aliases, but once I understood them, that is TOTALLY the way to go! :slight_smile:

Thank you all so much! I REALLY appreciate the help!


Open the site in Safari. Enable the option to view the certificate, then drag the certificate to your desktop. Open Keychain Access, then drag the certificate into System and choose to allow it. After that, the REVOKED message should go away (if not immediately, try rebooting).

Thank you! I updated the box & re-issued the self-signed cert, and that finally fixed it.