    Possible Bug in SRCNAT in LAN
    21 Posts 5 Posters 4.6k Views
      tacioandrade

      Max, please share with us how he managed to make this rule work…. I installed pfSense 2.3.2 in a virtual machine and tried just the rule, and it did not work. I would like to share with Nosco the entire procedure? Thank you in advance for any help you can give, since I have already spent a week breaking my head with it.

        Derelict LAYER 8 Netgate

        What is your LAN subnet?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          IoDa

          Since it is a problem regarding all our secondary sites, I pick one as an example.
          LAN subnet: 192.168.101.0/24
          pfSense: 192.168.101.1
          Every DNS request must be redirected to pfSense itself.
          I hope this gives you the information needed.
          Thanks.

            kpa

            @IoDa:

            Since it is a problem regarding all our secondary sites, I pick one as an example.
            LAN subnet: 192.168.101.0/24
            pfSense: 192.168.101.1
            Every DNS request must be redirected to pfSense itself.
            I hope this gives you the information needed.
            Thanks.

            What you describe is NOT the same scenario as in the first post of this thread. You are trying to redirect to the pfSense itself and the person in the first post is trying to redirect back to an internal host which is a very different and more complicated scenario.

              IoDa

              Sorry, I'm not the person who wrote the post.
              I only have the same problem.
              I wrote the first reply.
              I only answered Derelict.

                kpa

                I'm just trying to tell you that you have a different problem, because a simple redirect to a pfSense internal address such as the one you're trying to do is bread and butter for pfSense. The redirect in the first post is different, because with a redirection PF cannot return via the same interface the connection came in on without some special tricks.

                  IoDa

                  Sorry if I've messed up the thread, I thought the problem was similar to mine.
                  And the redirect to pfSense was "bread and butter", as you said, with version 2.2.6.
                  After upgrading to release 2.3.X it doesn't work anymore.
                  I don't know if anything has changed and there are some corrections to do.
                  I followed the how-to: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense.
                  It worked.
                  Can you suggest any checks to do, to have a working DNS redirect as before release 2.3.X?
                  Thanks again.

                    tacioandrade

                    In my case the redirect must be to another IP on the same LAN network, because I have an internal application which users attempt to access, and it needs to be redirected not to pfSense itself but to an internal web server.

                    However, if you can help this friend, at least for now with DNS queries, I think it can certainly cure 50% of my problems temporarily.

                      Derelict LAYER 8 Netgate

                      Your port forward is not translating the source address, it is translating the destination address, as that is what port forwards do.

                      You also need an outbound NAT rule on LAN translating from source LAN net dest DNS host port 53 NAT address LAN address.

                      You need to make the DNS server send queries back through the state and ping pong them back out LAN. That is done by translating the source address to pfSense LAN address.

                      You are essentially doing NAT reflection for destination any instead of WAN address.

                      Client 192.168.10.100 sends a DNS query to 8.8.8.8
                      LAN receives and port forward translates destination address to 192.168.10.254
                      As of now the DNS server at 192.168.10.254 will receive the request from 192.168.10.100.
                      The reply will not go back to the firewall, but will be sent directly on the subnet creating a triangle. This might or might not work depending on local firewalls, etc. Client will be expecting answer from 8.8.8.8 not 192.168.10.254.

                      Instead you do this:
                      Client 192.168.10.100 sends a DNS query to 8.8.8.8
                      LAN receives and port forward translates destination address to 192.168.10.254
                      On the way out LAN outbound NAT translates the source address from 192.168.10.100 to pfSense LAN address
                      DNS Server receives from LAN address and replies to LAN address
                      Source and destination address are translated back and packet appears to arrive at the client sourced from 8.8.8.8 as expected.


                        tacioandrade
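The two packet walks Derelict gives above, modelled as an added example (a toy state table written for this thread, not pfSense or pf code). Client, DNS server and 8.8.8.8 follow his example; the pfSense LAN address 192.168.10.1 is an assumption.

```python
"""Port forward (destination NAT) alone vs. port forward plus LAN outbound NAT
(source NAT to the pfSense LAN address) for a LAN-side DNS redirect."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class LanFirewall:
    """Simplified pf-style state table on the LAN interface (not pf's real logic)."""
    def __init__(self, lan_addr, dns_host, outbound_nat):
        self.lan_addr, self.dns_host, self.outbound_nat = lan_addr, dns_host, outbound_nat
        self.states = {}  # translated 4-tuple -> original client packet

    def lan_in(self, p):
        """Client query entering LAN: the port forward rewrites the destination;
        with outbound NAT the source is rewritten to the LAN address on the way back out."""
        if p.dport != 53 or p.dst == self.lan_addr:   # queries to pfSense itself pass untouched
            return p
        q = replace(p, dst=self.dns_host)
        if self.outbound_nat:
            q = replace(q, src=self.lan_addr)
        self.states[(q.src, q.sport, q.dst, q.dport)] = p
        return q

    def lan_reply(self, r):
        """DNS reply arriving at the firewall: match the state and undo both translations."""
        orig = self.states.get((r.dst, r.dport, r.src, r.sport))
        if orig is None:
            return None
        return Pkt(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)

def dns_server_reply(query, dns_host):
    """The local DNS server answers whoever the query appeared to come from."""
    return Pkt(src=dns_host, sport=53, dst=query.src, dport=query.sport)

def run(outbound_nat):
    """Return (source address the client sees on the reply, reply passed through pfSense)."""
    fw = LanFirewall("192.168.10.1", "192.168.10.254", outbound_nat)  # LAN address assumed
    query = Pkt("192.168.10.100", 40000, "8.8.8.8", 53)               # constructed client query
    reply = dns_server_reply(fw.lan_in(query), "192.168.10.254")
    if reply.dst != fw.lan_addr:
        # Triangle: the server answers the client directly on the subnet, bypassing the state;
        # the client expected an answer from 8.8.8.8 and sees 192.168.10.254 instead.
        return reply.src, False
    return fw.lan_reply(reply).src, True
```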

                        They already told me to create an Outbound rule for testing; I installed pfSense 2.3.2 on VirtualBox, changed the Outbound NAT type to hybrid as shown and added the following rule as the first one, then moved it to the last, however it did not work.

                        PS: It does not appear in the image, however Port Translation = 53 and PLACA2-FIBRA = WAN

                        13887018_1150373758357740_3786215188371898868_n.jpg

                          Derelict LAYER 8 Netgate

                          No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.

                          Look at what I wrote above again.

                            tacioandrade

                            @Derelict:

                            No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.

                            Look at what I wrote above again.

                            I tried that too, however when I change the interface to LAN, requests using nslookup firewall.dominio.local 8.8.8.8 return timeouts.

                            Correction: it does reach 8.8.8.8; the error occurs when I create the other rule, the Port Forward.

                            a.PNG

                              Derelict LAYER 8 Netgate

                              I just did this on the VM bench. Everything worked exactly as expected.

                              DNS Server on 192.168.1.100
                              Client making queries to 8.8.8.8 from 192.168.1.101

                              ![Screen Shot 2016-08-06 at 4.38.27 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.38.27 PM.png)
                              ![Screen Shot 2016-08-06 at 4.38.52 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.38.52 PM.png)
                              ![Screen Shot 2016-08-06 at 4.48.21 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.48.21 PM.png)

                                tacioandrade

                                I have no idea then why it does not work here….
                                After adding the 2 rules it still gives a timeout. :'(

                                1.PNG
                                2.PNG
                                3.PNG

                                  Derelict LAYER 8 Netgate

                                  What is the IP address of your client?

                                  What is the IP address of your DNS server?

                                  You seem to have switched from natting to .254 to natting to .1.

                                  Port forwards translate the destination address.

                                  Outbound NAT translates the source address.

                                  You need to do both.
