Possible Bug in SRCNAT in LAN
-
I'm just trying to tell you that you have a different problem, because a simple redirect to a pfSense internal address such as the one you're trying to do is bread and butter for pfSense. The redirect in the first post is different, because a redirection in PF cannot return via the same interface the connection came in on without some special tricks.
-
Sorry if I've messed up the thread, I thought the problem was similar to mine.
And the redirect to pfSense was "bread and butter", as you said, with 2.2.6 version.
After upgrade to release 2.3.X it doesn't work anymore.
I don't know if anything has changed, and there are some corrections to do.
I've followed the how to: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense.
It worked.
Can you suggest any checks I should do to have a working DNS redirect as before release 2.3.X?
Thanks again.
-
In my case the redirect must be to another IP on the same LAN network, because I have an internal application which users attempt to access and it needs to be redirected not to pfSense itself but to an internal web server.
However, if you can help his friend, at least for now with DNS queries, I think it can certainly cure 50% of my problems temporarily.
-
Your port forward is not translating the source address, it is translating the destination address, as that is what port forwards do.
You also need an outbound NAT rule on LAN translating from source LAN net dest DNS host port 53 NAT address LAN address.
You need to make the DNS server send queries back through the state and ping pong them back out LAN. That is done by translating the source address to pfSense LAN address.
You are essentially doing NAT reflection for destination any instead of WAN address.
Client 192.168.10.100 sends a DNS query to 8.8.8.8
LAN receives and port forward translates destination address to 192.168.10.254
As of now the DNS server at 192.168.10.254 will receive the request from 192.168.10.100.
The reply will not go back to the firewall, but will be sent directly on the subnet, creating a triangle. This might or might not work depending on local firewalls, etc. The client will be expecting an answer from 8.8.8.8, not 192.168.10.254.

Instead you do this:
Client 192.168.10.100 sends a DNS query to 8.8.8.8
LAN receives and port forward translates destination address to 192.168.10.254
On the way out LAN outbound NAT translates the source address from 192.168.10.100 to pfSense LAN address
DNS Server receives from LAN address and replies to LAN address
Source and destination address are translated back and the packet appears to arrive at the client sourced from 8.8.8.8 as expected.
-
They already told me to create a rule for testing Outbound NAT on pfSense 2.3.2 installed on VirtualBox; I changed the Outbound NAT type to hybrid as told and added the following rule as the first, and then moved it to the last, however it did not work.
PS: It does not appear in the image, however the Port Translation = 53 and PLACA2-FIBRA = WAN
-
No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.
Look at what I wrote above again.
-
> No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.
> Look at what I wrote above again.

I tried that too, however when I change the interface to LAN, requests using nslookup firewall.dominio.local 8.8.8.8 return timeouts.
Correction: it reaches 8.8.8.8; the error is when I create another rule, the Port Forward.
-
I just did this on the VM bench. Everything worked exactly as expected.
DNS Server on 192.168.1.100
Client making queries to 8.8.8.8 from 192.168.1.101
(three screenshots of the rules and the test attached)
-
I have no idea then why it does not work here…
After adding the 2 rules it is still giving timeouts. :'(
-
What is the IP address of your client?
What is the IP address of your DNS server?
You seem to have switched from natting to .254 to natting to .1.
Port forwards translate the destination address.
Outbound NAT translates the source address.
You need to do both.
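The two-rule combination described in this thread (port forward on LAN plus outbound NAT on LAN), written out as pf rules so the two translations can be seen side by side. This is an added example, not configuration posted by anyone in the thread or the ruleset pfSense generates. It assumes em0 is the LAN interface, 192.168.10.0/24 is LAN net and 192.168.10.1 is the pfSense LAN address; 192.168.10.254 is the internal DNS server from the thread.

```pf
# Assumed names (not from the thread): LAN interface em0, LAN net 192.168.10.0/24,
# pfSense LAN address 192.168.10.1. The DNS server address is the one in the thread.
lan_if  = "em0"
lan_net = "192.168.10.0/24"
dns_srv = "192.168.10.254"

# Do not redirect the DNS server's own upstream queries, or it would be
# redirected back to itself and loop.
no rdr on $lan_if proto { tcp udp } from $dns_srv to any port 53

# 1. Port forward: rewrite the DESTINATION of any LAN-originated DNS query
#    (e.g. client 192.168.10.100 -> 8.8.8.8:53) to the internal server.
rdr on $lan_if proto { tcp udp } from $lan_net to any port 53 -> $dns_srv port 53

# 2. Outbound NAT on LAN: rewrite the SOURCE of the forwarded query to the
#    firewall's LAN address, so the server's reply comes back through pf's
#    state entry instead of going straight to the client (the "triangle").
#    Without this rule the client sees a reply from 192.168.10.254, not 8.8.8.8.
nat on $lan_if proto { tcp udp } from $lan_net to $dns_srv port 53 -> ($lan_if)

# 3. Filter rules are evaluated after translation, so the pass rule matches
#    the translated destination (pfSense adds this when the port forward's
#    filter rule association is set to create an associated rule).
pass in quick on $lan_if proto { tcp udp } from $lan_net to $dns_srv port 53 keep state
```

To check that both translations are in place, `pfctl -sn` lists the loaded rdr/nat rules and `pfctl -ss` shows the state entries, where a forwarded query should appear with both the rewritten destination and the rewritten source.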