Netgate Discussion Forum

pfSense and NAS port opening

NAT
34 Posts 6 Posters 3.7k Views
    SteveITS Galactic Empire @Airone 0
    last edited by Apr 28, 2023, 12:53 PM

    @airone-0 Port forwarding needs reflection enabled on the rule, or better yet split DNS via a host override to point to the LAN IP.

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

      johnpoz LAYER 8 Global Moderator @Airone 0
      last edited by johnpoz Apr 28, 2023, 12:58 PM Apr 28, 2023, 12:57 PM

      @airone-0 said in pfSense and NAS port opening:

      even if I enter the WAN IP instead of the DNS

      Yeah, that would fail unless you set up NAT reflection, but as SteveITS mentions, split DNS is normally the better solution.

      So something.ddns.tld out on the internet resolves to the public 1.2.3.4, but internally, when your devices are asking your local DNS, something.ddns.tld should resolve to, say, 192.168.1.100 (the local IP of your NAS). This is accomplished with a simple host override.

      If your devices are not using your local DNS, then yeah, NAT reflection would need to be set up.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Airone 0
        last edited by Apr 28, 2023, 1:27 PM

        To tell the truth yesterday I had tried, but having had no result I had deleted it. I've re-entered it now, set the dns and local ip address of the NAS, but nothing has changed.

        Untitled-1.jpg

        It's possible that being a beginner with these issues I'm doing something wrong. Anyway, thank you for the support you are giving me.

          johnpoz LAYER 8 Global Moderator @Airone 0
          last edited by Apr 28, 2023, 1:44 PM

          @airone-0 so make sure your client is actually using pfSense as its DNS, that it's not pointing elsewhere, or if it's an app or browser sort of app, make sure it's not using DoH.

          Also validate that your host override is working: use your favorite DNS tool (host, nslookup, dig) and do a query for that FQDN. Does it return the IP you put in for the override?

            Airone 0
            last edited by Airone 0 Apr 28, 2023, 2:16 PM Apr 28, 2023, 2:13 PM

            The IP I entered in the override is the local one of the NAS; the DNS name entered in the override (host name + host domain) is currently resolved with the same IP reported for the WAN on the dashboard. The PC I'm using now is connected to the Netgate LAN (192.168.0.x) and via local addresses it also sees the NAS and its servers, while the NAS is connected to LAN2 (172.18.0.x). If I disconnect the local network from this PC and connect it to an external network (via mobile wifi), the App on the PC immediately connects to the NAS server. I hope I have explained the situation clearly.

              SteveITS Galactic Empire @Airone 0
              last edited by Apr 28, 2023, 2:17 PM

              @airone-0 said in pfSense and NAS port opening:

              currently resolved with the same IP reported for the WAN

              So then your PC is either not using pfSense for DNS, or your PC is caching the answer (Windows: ipconfig /flushdns) or the override is not configured correctly.

              Run "nslookup hostname ip-of-pfsense" and see what it answers.

              Screenshot of the override?

              You may also need a firewall rule allowing from LAN to the NAS_IP:port although by default all traffic is allowed on LAN.

                Airone 0 @SteveITS
                last edited by Apr 28, 2023, 2:36 PM

                @steveits said in pfSense and NAS port opening:

                Screenshot of the override?

                Untitled-1.jpg

                @steveits said in pfSense and NAS port opening:

                Run "nslookup hostname ip-of-pfsense" and see what it answers.

                PS C:> nslookup hostname xx.yy.zz.218
                Server:  host-xx-yy-zz-218.retail.telekom.it
                Address:  xx.yy.zz.218
                
                *** host-xx-yy-zz-218.retail.telekomi.it can't find hostname: Non-existent domain
                PS C:>
                

                Well, now what? Why "Non-existent domain"?

                  SteveITS Galactic Empire @Airone 0
                  last edited by Apr 28, 2023, 2:51 PM

                  @airone-0 Sorry, I meant to use your hostname and the LAN IP of pfSense. So

                  nslookup yours.synology.me 192.168.0.1

                  that will show you what pfSense is providing for DNS.

                    johnpoz LAYER 8 Global Moderator @Airone 0
                    last edited by johnpoz Apr 28, 2023, 3:04 PM Apr 28, 2023, 2:53 PM

                    @airone-0 said in pfSense and NAS port opening:

                    xx.yy.zz.218

                    That is the IP address of pfSense. You didn't even ask for the FQDN you put in, which is something.synology.me.

                    Here..

                    lookup.jpg

                    Where 192.168.9.253 is the IP address of my pfSense, where unbound (the resolver) runs and where I put in the host override.

                    When you don't actually use the full FQDN, host.domain.tld, with nslookup, it quite often will use a search suffix and ask for whatever domain your machine is in.

                    Example: see where I only ask for aaahost, but the question that gets asked of DNS has my local domain name attached.

                    ask.jpg

                    set debug shows you the details of what is being asked, what is returned, etc.

                    You can also set where you ask, other than your default NS.

                    details.jpg

                      Airone 0
                      last edited by Apr 28, 2023, 4:10 PM

                      Now I'm in total confusion, too much information.
                      Anyway...

                      > myname.synology.me
                      Server:  host-xx-yy-zz-218.retail.telekom.it
                      Address:  xx.yy.zz.218
                      
                      ------------
                      Got answer:
                          HEADER:
                              opcode = QUERY, id = 7, rcode = NXDOMAIN
                              header flags:  response, want recursion, recursion avail.
                              questions = 1,  answers = 0,  authority records = 1,  additional = 0
                      
                          QUESTIONS:
                               myname.synology.me.NetgateDomain, type = A, class = IN
                          AUTHORITY RECORDS:
                          ->  (root)
                              ttl = 2855 (47 mins 35 secs)
                              primary name server = a.root-servers.net
                              responsible mail addr = nstld.verisign-grs.com
                              serial  = 2023042800
                              refresh = 1800 (30 mins)
                              retry   = 900 (15 mins)
                              expire  = 604800 (7 days)
                              default TTL = 86400 (1 day)
                      
                      ------------
                      ------------
                      Got answer:
                          HEADER:
                              opcode = QUERY, id = 8, rcode = NXDOMAIN
                              header flags:  response, want recursion, recursion avail.
                              questions = 1,  answers = 0,  authority records = 1,  additional = 0
                      
                          QUESTIONS:
                               myname.synology.me.NetgateDomain, type = AAAA, class = IN
                          AUTHORITY RECORDS:
                          ->  (root)
                              ttl = 2855 (47 mins 35 secs)
                              primary name server = a.root-servers.net
                              responsible mail addr = nstld.verisign-grs.com
                              serial  = 2023042800
                              refresh = 1800 (30 mins)
                              retry   = 900 (15 mins)
                              expire  = 604800 (7 days)
                              default TTL = 86400 (1 day)
                      
                      ------------
                      ------------
                      Got answer:
                          HEADER:
                              opcode = QUERY, id = 9, rcode = NOERROR
                              header flags:  response, auth. answer, want recursion, recursion avail.
                              questions = 1,  answers = 1,  authority records = 0,  additional = 0
                      
                          QUESTIONS:
                               myname.synology.me, type = A, class = IN
                          ANSWERS:
                          ->   myname.synology.me
                              internet address = 172.18.0.10
                              ttl = 3600 (1 hour)
                      
                      ------------
                      ------------
                      Got answer:
                          HEADER:
                              opcode = QUERY, id = 10, rcode = NOERROR
                              header flags:  response, auth. answer, want recursion, recursion avail.
                              questions = 1,  answers = 0,  authority records = 0,  additional = 0
                      
                          QUESTIONS:
                               myname.synology.me, type = AAAA, class = IN
                      
                      ------------
                      Name:     myname.synology.me
                      Address:  172.18.0.10
                      >
                      

                      It would appear that the binding set by Host Override between myname.synology.me and the internal IP of the NAS exists (last two lines). Big problem for me, how do we get out of this?

                        johnpoz LAYER 8 Global Moderator @Airone 0
                        last edited by Apr 28, 2023, 4:16 PM

                        @airone-0 said in pfSense and NAS port opening:

                        Big problem for me, how do we get out of this?

                        out of what? That seems like it's working fine to me. Windows loves to add a suffix to queries; you could put a . on the end of your FQDN if you don't want to let Windows add its search suffix domains.

                        Or you could set up Windows NOT to ever do that.

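The two checks the replies above describe (ask the pfSense resolver directly and expect the NAS LAN address back, and recognise the search-suffix NXDOMAINs that Windows produces, or suppress them with a trailing dot) can be automated over a pasted nslookup debug transcript. The script below is an added example, not code from this thread or from pfSense. Both transcripts inside it are constructed to mirror the shape of Windows nslookup -debug output; the suffix NetgateDomain, the resolver resolver.example / 203.0.113.53 and the public address 1.2.3.4 are placeholders.

```python
"""Classify a Windows ``nslookup -debug`` transcript: is the pfSense host
override (split DNS) actually what this client sees for the NAS name?

Added example, not code from the thread or from pfSense. Both transcripts
are constructed to mirror nslookup's debug output; the suffix "NetgateDomain",
resolver.example / 203.0.113.53 and 1.2.3.4 are placeholders.
"""
import ipaddress
import re

# Client asks the pfSense LAN resolver. Windows first appends its search
# suffix (NXDOMAIN), then the bare FQDN is answered from the host override.
SAMPLE_OK = """\
Server:  UnKnown
Address:  192.168.0.1
------------
Got answer:
        opcode = QUERY, id = 7, rcode = NXDOMAIN
    QUESTIONS:
         myname.synology.me.NetgateDomain, type = A, class = IN
------------
Got answer:
        opcode = QUERY, id = 9, rcode = NOERROR
    QUESTIONS:
         myname.synology.me, type = A, class = IN
    ANSWERS:
    ->   myname.synology.me
        internet address = 172.18.0.10
------------
Name:     myname.synology.me
Address:  172.18.0.10
"""

# Client asks some other resolver, which knows nothing about the override
# and hands back the public WAN address.
SAMPLE_PUBLIC = """\
Server:  resolver.example
Address:  203.0.113.53
------------
Got answer:
        opcode = QUERY, id = 3, rcode = NOERROR
    QUESTIONS:
         myname.synology.me, type = A, class = IN
    ANSWERS:
    ->   myname.synology.me
        internet address = 1.2.3.4
------------
Name:     myname.synology.me
Address:  1.2.3.4
"""

SERVER = re.compile(r"Server:\s+(\S+)\s*\nAddress:\s+(\S+)")
ANSWER_BLOCK = re.compile(r"Got answer:(.*?)(?=Got answer:|\Z)", re.S)
RCODE = re.compile(r"rcode = (\w+)")
QUESTION = re.compile(r"QUESTIONS:\s+(\S+), type = (\w+)")
A_RECORD = re.compile(r"internet address = (\S+)")


def parse_nslookup_debug(text):
    """Return the resolver nslookup talked to and every query it logged."""
    srv = SERVER.search(text)
    queries = []
    for block in ANSWER_BLOCK.finditer(text):
        body = block.group(1)
        q, r = QUESTION.search(body), RCODE.search(body)
        if q is None:
            continue
        queries.append({"name": q.group(1), "qtype": q.group(2),
                        "rcode": r.group(1) if r else "?",
                        "answers": A_RECORD.findall(body)})
    return {"server": srv.group(2) if srv else None, "queries": queries}


def diagnose(text, fqdn, nas_lan_ip, pfsense_ip):
    """Return (verdict, notes): split-dns-ok, public-ip, no-answer or unexpected-ip."""
    fqdn = fqdn.rstrip(".")
    parsed = parse_nslookup_debug(text)
    notes = []
    if parsed["server"] != pfsense_ip:
        notes.append(f"client asked {parsed['server']}, not the pfSense resolver "
                     f"{pfsense_ip}; the host override exists only there")
    # Names longer than the FQDN are Windows appending a search suffix.
    suffixed = [q["name"] for q in parsed["queries"]
                if q["name"] != fqdn and q["name"].startswith(fqdn + ".")]
    if suffixed:
        notes.append("search suffix appended (" + ", ".join(suffixed)
                     + f"); query '{fqdn}.' with a trailing dot to suppress it")
    a_answers = [ip for q in parsed["queries"]
                 if q["name"] == fqdn and q["qtype"] == "A" for ip in q["answers"]]
    if not a_answers:
        verdict = "no-answer"
        notes.append(f"no A record for {fqdn}: override missing, or the wrong server was asked")
    elif nas_lan_ip in a_answers:
        verdict = "split-dns-ok"
    elif not any(ipaddress.ip_address(ip).is_private for ip in a_answers):
        verdict = "public-ip"
        notes.append(f"{fqdn} resolved to public {a_answers}: split DNS is not in "
                     "effect, so this client needs NAT reflection or must use the "
                     "pfSense resolver (then flush its cache)")
    else:
        verdict = "unexpected-ip"
        notes.append(f"{fqdn} resolved to {a_answers}, not the NAS at {nas_lan_ip}")
    return verdict, notes
```

On the client, run nslookup -debug myname.synology.me. 192.168.0.1 (trailing dot so no suffix is appended, pfSense LAN IP as the server), paste the output into diagnose() with the NAS LAN IP and the pfSense LAN IP, and read the verdict: split-dns-ok means the override is what this client gets; public-ip means the client is not using the resolver that holds the override, so from inside the network the public name would only work with NAT reflection.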
                          SteveITS Galactic Empire @Airone 0
                          last edited by Apr 28, 2023, 5:02 PM

                          @airone-0 said in pfSense and NAS port opening:

                          how do we get out of this?

                          From the screenshot it looks like you ran nslookup which opens its own command line. "Exit" or CTRL+C should get you out.

                          "Server: host-xx-yy-zz-218.retail.telekom.it
                          Address: xx.yy.zz.218"

                          ...that looks like you are not using pfSense LAN IP for your DNS? What is the .218 address?

                            Airone 0 @johnpoz
                            last edited by Airone 0 Apr 28, 2023, 8:16 PM Apr 28, 2023, 8:14 PM

                            @johnpoz said in pfSense and NAS port opening:

                            That seems like working fine to me..

                            We've gotten away from the problem: I can't contact the NAS from my PC if I use DNS myname.synology.me or xx.yy.zz.218 instead of the local IP of the NAS.

                            @johnpoz

                            This is the situation:

                            Untitled-2.jpg

                            Untitled-1.jpg

                            NAS - 172.18.0.10
                            PC - 192.168.0.2
                            Dynamic IP from ISP (myname.synology.me) - xx.yy.zz.218

                            • The IP I entered in the override is the local one of the NAS, the DNS entered in the override (host name + host domain) is currently resolved with the same IP reported for the WAN on the dashboard.
                            • The PC I'm using now is connected to the Netgate LAN (192.168.0.2). Using the NAS local address (172.18.0.10) it can also connect to the NAS and its servers. Using the external IP from the ISP (xx.yy.zz.218 or DNS myname.synology.me), the PC cannot contact the NAS.
                            • If I disconnect this PC from the local network and connect it to an external network (via mobile wifi), the PC immediately connects to the NAS server using the external IP from the ISP (xx.yy.zz.218 or DNS myname.synology.me).

                            That's all (folks).

                              SteveITS Galactic Empire @Airone 0
                              last edited by Apr 28, 2023, 8:55 PM

                              @airone-0 said in pfSense and NAS port opening:

                              I can't contact the NAS from my PC if I use DNS myname.synology.me or xx.yy.zz.218 instead of the local IP

                              Right which would typically mean it's either a DNS problem or a NAT reflection problem. Figuring out to what myname.synology.me resolves will tell you.

                              If it's resolving to 172.18.0.10 then there is no reason within pfSense why it won't work using myname.synology.me if it works using 172.18.0.10, since that is the same as far as pfSense knows. Is that hostname properly configured on the NAS?

                                Airone 0 @SteveITS
                                last edited by Apr 28, 2023, 9:10 PM

                                @steveits said in pfSense and NAS port opening:

                                Is that hostname properly configured on the NAS?

                                There doesn't appear to be a Hostname to set, perhaps a Server Name.

                                Untitled-4.jpg Untitled-3.jpg

                                  Airone 0
                                  last edited by Apr 29, 2023, 9:42 AM

                                  @SteveITS

                                  I have tried deleting all DNS servers from DHCP servers settings and from System / General Setup. Then from
                                  Diagnostics / Command Prompt I ran

                                  nslookup myname.synology.me
                                  

                                  and I received as an answer

                                  Servers: 127.0.0.1
                                  Address: 127.0.0.1#53
                                  
                                  Name: myname.synology.me
                                  Address: 172.18.0.10
                                  

                                  Same thing done by the PC client with this answer:

                                  Server: UnKnown
                                  Address: 192.168.0.1
                                  
                                  Name: rmyname.synology.me
                                  Address: 172.18.0.10
                                  
                                  

                                  Now the App on the PC is connected, but if I had to tell you why it's working now, I couldn't explain it.
                                  Do you have an answer?

                                    johnpoz LAYER 8 Global Moderator @Airone 0
                                    last edited by Apr 30, 2023, 1:03 PM

                                    @airone-0 said in pfSense and NAS port opening:

                                    Do you have an answer?

                                    We already went over that answer: if you're not asking the DNS where you set up the override, then no, your override wouldn't work.

                                    If I ask Billy for John's phone number, and Billy doesn't even know a John, how would he know John's phone number?

                                    Not sure what your PC is asking. 192.168.0.1 - is that pfSense?? If so then it should resolve the PTR for the server name, and not come back unknown.

                                    As to that first example, that is just asking itself, i.e. loopback 127.0.0.1; where it actually gets forwarded you would have to check on whatever system that was - your NAS?

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.