Netgate Discussion Forum
    Odd DNS Issues with Bridged Interface

    Firewalling
    4 Posts 3 Posters 1.5k Views
    • youngmug

      I did some basic searching, but don't see anything similar to my current troubles.

      I'm working on replacing a Watchguard Firebox with pfSense (the Watchguard VPN capability is rather bad, and the configuration tool is Windows-only for 2000 - XP only due to not paying the yearly maintenance fee). Only one thing seems to be holding up my deployment, and it's rather tricky.

      To start, I have pfSense on an old PIII desktop with one Intel Pro/100 card for WAN (integrated on the motherboard) and two 3Com 3c905 cards for LAN and Opt1. My IP range is a static /25 block. The router is using .1 on the network, so I assigned pfSense as .2. Opt1 is bridged with the WAN interface as the servers on this segment are using public IPs. LAN is using NAT.

      I have rules working so that I can access port 80 (http) on a few servers off Opt1 and that's working fine. I also can access the same servers from LAN, which is fine as well. The trouble is DNS.

      I have a caching DNS server on Opt1. It acts as a local resolver for the LAN segment and also has a few TLDs that we use internally for various services. I can query the server for the TLDs it resolves directly from the LAN and even outside our network when I add the correct rule. The trouble comes from when it tries to make DNS queries externally. I had specifically set up an allow rule for TCP/UDP port 53 (DNS) with logging enabled for diagnostic purposes. At the server console, I ran the dig tool to find the A record of mozilla.org and specifically directed it to 4.2.2.4 (a public resolving server run by Level3). The firewall logs show that the pass rule was used, however I get nothing back. Dig simply says that the server timed out.

      What needs to be changed to have this function?

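The diagnostic step in the post above (a single A query sent straight to a chosen resolver, with "timed out" as the only feedback) can be reproduced without dig, which also makes it clear that the firewall passing the outbound packet says nothing about whether the reply ever came back. The script below is an added example and not code from the thread or from pfSense: it builds a minimal DNS query, sends it over UDP to a resolver, and classifies the outcome as a timeout, an ICMP-unreachable error, an RCODE error, or a successful answer. The resolver 4.2.2.4 and the name mozilla.org come from the post; `build_sample_response` and the 192.0.2.1 address are constructed purely so the parser can be checked offline.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (standard query, recursion desired).
    qtype 1 = A record. Returns (transaction id, wire bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Read a possibly-compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_txid):
    """Parse a DNS response; return its RCODE and any A-record addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                         # qtype + qclass
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "answers": answers}


def probe_resolver(resolver, name, port=53, timeout=3.0):
    """Send one UDP query and classify the result.
    status is 'ok', 'timeout', 'unreachable' (ICMP error surfaced by the
    kernel) or 'rcode=N'. A 'timeout' with a logged pass rule on the firewall
    means the query left but the reply never arrived, which is exactly the
    symptom described in the thread."""
    txid, query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (resolver, port))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return {"status": "timeout", "answers": []}
    except OSError:
        return {"status": "unreachable", "answers": []}
    finally:
        sock.close()
    parsed = parse_response(data, txid)
    status = "ok" if parsed["rcode"] == 0 else "rcode=%d" % parsed["rcode"]
    return {"status": status, "answers": parsed["answers"]}


def build_sample_response(txid, name, ip, ttl=60):
    """Constructed A-record reply (not captured traffic) for offline checks."""
    _, query = build_query(name, txid=txid)
    # flags 0x8180: response, recursion desired + available, RCODE 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    # Same probe as "dig @4.2.2.4 mozilla.org A" from the server console.
    print(probe_resolver("4.2.2.4", "mozilla.org"))
```

Run it from the host on the bridged segment while watching the firewall log: a `timeout` alongside a logged pass entry points at the return path (routing or, as it turned out here, the interface's gateway setting) rather than at the rule itself.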
      • GruensFroeschli

        Where did you create this allow rule?
        On the WAN or on the OPT side?
        Could you show a screenshot of this/these rule/s?

        • jimp (Rebel Alliance Developer, Netgate)

          Also it might help to know if you created any NAT port forwards for DNS and if so, did you also enable NAT reflection?

          • youngmug

            I actually figured out the problem.

            When I bridged the interface, I also added an entry in the gateway field. Once I read the description a few times this morning, I figured out that it should have been blank. Sure enough, blanking that field fixed my problems.

            Now I'm on to re-creating all the old rules, then seeing if I can't use the old Firebox and get rid of the bulky 300PL I'm currently using.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.