seeking advice on using "Enable automatic outbound NAT for Reflection"
-
I want to redirect all requests from any local device seeking Google DNS (8.8.8.8 & 8.8.4.4) to my local BIND servers (192.168.1.70 and 192.168.1.74).
I gather I need to enable "Enable automatic outbound NAT for Reflection"
I read it must be for a specific port. Would that be for port 53?
I am not sure where to set up the rule.
AND... If I enable that and need to set up a rule, will I be potentially creating other problems? As all is working perfectly now, I don't want to introduce new problems.
Want to know why I want to do this? It is because Android says you can redirect DNS in WiFi... but it doesn't and I have proved it. It ignores local BIND records and uses public records.
-
@Ellis-Michael-Lieberman Not sure about outbound NAT, I wouldn’t think that is needed?
Sounds to me like you want this, but with a LAN IP instead of localhost:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
You should be able to set up two rules, with 8.8.8.8 & 8.8.4.4 as destinations. Though that would not redirect other DNS servers… you could add the example rule as a third rule.
Many browsers use DNS over HTTPS and skirt local DNS servers. That's another level:
https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf
-
Hi @SteveITS,
The problem is related to my ability to access my local mail server on my LAN from my Android phones. The phones all are manually numbered between 192.168.1.20 through 192.168.1.29. Their DNS is manually numbered to the local BIND servers, but that part isn't working.
Because of that, I do not think the example you recommend will work.
When the cellphones are on the WiFi, Mail apps can't "find" the local mail server, even though when using the Cell App IP Tools and talking to the local DNS the phone can see what the BIND server has --- it's all there.
I guess it is possible that though I am NOT using HTTP in the mail app, the Android might be avoiding the local DNS via HTTP, but my best guess is that they are simply sending name server traffic to their servers for tracking purposes. My wired PCs can resolve the local server without a problem, so it's not the BIND servers.
Anyway, so this rule is only for the cellphones.
I have snapshots of the funky Android behavior but I have not linked them here.
-
@Ellis-Michael-Lieberman You could try blocking outbound port 53 (tcp/udp) and maybe 853 for everything except your DNS servers, and see if that helps.
If the phones are already set to use only local DNS then there may be a different issue at play or maybe the app is using DoH and bypassing the configured DNS servers.
-
@SteveITS
Thanks for the suggestion. I know you can't know all I have done to isolate the problem. I have literally been dealing with this for over five years, four separate Android devices, four versions of Android OS, and seven email apps. As it is over all of them AND the problem is ONLY on Android, I do not want to redirect anything except Android. I also need to not block, but rather redirect the requests from the phones to the local DNS. They are clearly getting their name-service from a public server. I sincerely doubt all the apps are using something such as
I do NOT want to limit what other devices can do as I use public ports for testing.
Android has a setting for DoH called Private DNS via cell service, but it uses third party services, not local ones and mine is set to OFF, so DoH should not be functioning in any case.
So the issue is, how to do this...
Phone (WiFi) --> call to public DNS --> redirected to local BIND --> Phone
Isn't that "automatic outbound NAT for Reflection"?
-
@Ellis-Michael-Lieberman honestly, I don’t understand the “for Reflection” part, are you seeing that written somewhere? I may just be unaware. Outbound NAT is for translating to a specific IP for another network. Reflection is making port forwards on another interface work from inside the network/router.
The ideas above assume you know the IPs of the phones…DHCP reservation etc. A NAT forward can have an alias with specific IPs as Source. IPv6 is harder to use like that because most apps use temporary addresses and a device can have many.
I’m pretty sure the recipe above will do what you want, but I’ve never had to use it.
-
@Ellis-Michael-Lieberman SteveITS is right. From what you have said in your first post, this is what you want.
About your email server problems we don't know anything.
-
-
@Ellis-Michael-Lieberman your image has the rule disabled but aside from that:
It applies to source “not cell phones”. That includes the pfSense LAN IP which the recipe said to exclude. I think you want “only cell phones”? So uncheck the invert box.
Reflection at the bottom is set to system default not disabled.
When the phones connect out you can use Diagnostics/States to view their outbound connections by IP.
-
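The rule set the thread converges on (the Netgate dns-redirect recipe, scoped to a "cellphones" source alias, with 8.8.8.8 and 8.8.4.4 as the first two destinations and the recipe's any-destination rule as a third) is simulated below so the behaviour of each checkbox can be seen without touching a live firewall. This is an added example, not code from the thread or from pfSense: the rule and packet objects are an illustrative reduction of a pfSense NAT port forward, the pf(4) `rdr` text is approximate, the firewall's own LAN address 192.168.1.1 is assumed (the thread never states it), and the phone addresses and BIND server are the ones quoted in the thread. It shows first-match port-forward evaluation, why a query to port 853 (DNS over TLS) sails past a port-53 rule, and what happens when the source "Invert match" box is left ticked: the phones stop being redirected and every other LAN host, the firewall's LAN address included, is.

```python
"""Simulate pfSense LAN port forwards that redirect the phones' DNS to a local BIND server.

Added example for the forum thread; not pfSense's config schema or generated ruleset.
Addresses quoted in the thread are used; 192.168.1.1 as the pfSense LAN address is assumed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

BIND_PRIMARY = IPv4Address("192.168.1.70")              # local BIND server from the thread
PFSENSE_LAN = IPv4Address("192.168.1.1")                # ASSUMED firewall LAN address
PHONES = frozenset(IPv4Address(f"192.168.1.{h}") for h in range(20, 30))  # "cellphones" alias
GOOGLE_DNS = [IPv4Network("8.8.8.8/32"), IPv4Network("8.8.4.4/32")]


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class RdrRule:
    """One NAT port forward, reduced to the fields that matter for this question."""
    name: str
    src: Optional[frozenset]      # alias of source hosts; None means any
    src_invert: bool              # the "Invert match" checkbox on Source
    dst: Optional[IPv4Network]    # None means any
    dst_invert: bool              # the "Invert match" checkbox on Destination
    dport: int
    target: IPv4Address           # Redirect target IP
    target_port: int = 53
    protos: frozenset = frozenset({"tcp", "udp"})

    def matches(self, p: Packet) -> bool:
        if p.proto not in self.protos or p.dport != self.dport:
            return False
        src_ok = True if self.src is None else p.src in self.src
        dst_ok = True if self.dst is None else p.dst in self.dst
        if self.src_invert:
            src_ok = not src_ok
        if self.dst_invert:
            dst_ok = not dst_ok
        return src_ok and dst_ok

    def as_pf(self, iface: str = "$LAN") -> str:
        """Approximate pf(4) rdr syntax, roughly what pfSense renders for the rule."""
        src = "any" if self.src is None else "<cellphones>"
        dst = "any" if self.dst is None else str(self.dst.network_address)
        src = f"! {src}" if self.src_invert else src
        dst = f"! {dst}" if self.dst_invert else dst
        protos = " ".join(sorted(self.protos))
        return (f"rdr on {iface} proto {{ {protos} }} from {src} to {dst} "
                f"port {self.dport} -> {self.target} port {self.target_port}")


def phone_rules(invert_source: bool = False):
    """The recipe's rules scoped to the phones: 8.8.8.8, 8.8.4.4, then any other resolver.

    The third rule inverts Destination = firewall LAN address so that queries the phones
    send to pfSense itself are not bounced around (that is what the recipe excludes).
    """
    rules = [RdrRule(f"phones -> {n.network_address} dns", PHONES, invert_source, n, False,
                     53, BIND_PRIMARY) for n in GOOGLE_DNS]
    rules.append(RdrRule("phones -> other dns", PHONES, invert_source,
                         IPv4Network(f"{PFSENSE_LAN}/32"), True, 53, BIND_PRIMARY))
    return rules


def apply_nat(rules, p: Packet) -> Tuple[Optional[str], IPv4Address, int]:
    """Port forwards are first-match, top down; return (rule name, new dst, new port)."""
    for r in rules:
        if r.matches(p):
            return r.name, r.target, r.target_port
    return None, p.dst, p.dport


def lookup(src: str, dst: str, port: int = 53, proto: str = "udp",
           invert_source: bool = False) -> Tuple[Optional[str], str]:
    """Convenience wrapper: which rule (if any) catches the query, and where it ends up."""
    name, new_dst, new_port = apply_nat(
        phone_rules(invert_source), Packet(IPv4Address(src), IPv4Address(dst), port, proto))
    return name, f"{new_dst}:{new_port}"


if __name__ == "__main__":
    for r in phone_rules():
        print(r.as_pf())
    # Constructed sample queries: a phone, a wired PC, and the firewall itself.
    for src, dst, port, proto in [("192.168.1.21", "8.8.8.8", 53, "udp"),
                                  ("192.168.1.21", "1.1.1.1", 53, "udp"),
                                  ("192.168.1.21", "8.8.8.8", 853, "tcp"),   # DoT, not caught
                                  ("192.168.1.50", "8.8.8.8", 53, "udp")]:
        print(f"{src} -> {dst}:{port}/{proto}  correct: {lookup(src, dst, port, proto)}"
              f"  invert ticked: {lookup(src, dst, port, proto, invert_source=True)}")
```

Run it as-is to print the three rules in pf form and a comparison of the correct rule set against the inverted one; the last column is what the screenshot discussed above was doing before the invert box was cleared. Queries on 853/tcp or DoH on 443 never reach a port-53 forward, which is why a separate block rule on 853 (and a DoH blocklist) is a different layer from this redirect.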
Yes, OK, I got it. It is no longer blocking everything else, so the rule works, but the issue with my Android eludes me.
Thanks for the very patient help.