Netgate Discussion Forum
    [SOLVED] DNS Forwarding behind (S)NATed network

    5 Posts 2 Posters 1.1k Views
Nono_
last edited by Nono_

      SOLUTION:

The solution was to create a dedicated NAT Outbound rule like so:
      Interface: WAN
      Protocol: UDP
      Source: This firewall (self)
      Destination: Any (port 53)
      Translation address: 45.0.0.1
      

      Original Post:

My pfSense is behind a NAT network, so I have to use an SNAT IP, which is my public IP.
So, currently my pfSense is set up like this:
      WAN interface : 100.0.0.10; GW : 100.0.0.9
      LAN interface : 192.168.1.0
      Virtual IP "Public IP" : 45.0.0.1

      DNS Servers: 1.1.1.1 & 9.9.9.9
      DNS Forwarder : enabled on ALL interfaces.

      NAT Outbound rules :
      Source: 127.0.0.1/8
      Destination: Any
      Translation IP : 45.0.0.1

From a computer connected to the LAN (192.168.1.10), I can resolve using "nslookup netgate.com 1.1.1.1" but cannot using "nslookup netgate.com".

When I capture the packets from the pfSense (filter on port 53), I can only see my WAN IP (100.0.0.10) trying to reach either 1.1.1.1 or 9.9.9.9, but no answer.
I tried to create all sorts of NAT Port Forwarding rules but didn't find any solution.

I don't know what I'm missing; could someone maybe help me figure it out?
I've tested "ping" and "DNS lookup"; neither of them can resolve any domain, so I guess my pfSense cannot get any DNS answer from the DNS servers set up?

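As an added example (not part of the thread), a small Python check over constructed tcpdump-style lines modelled on the capture the original poster describes: it pairs each outbound DNS query with its reply by client port and transaction ID and reports which source addresses had queries that were never answered. Matching on port and ID rather than on addresses is what lets it work even though the reply is addressed to the translated IP.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not taken from the thread), modelled on the
# capture in the original post: queries leave from the WAN address 100.0.0.10
# and never get a reply, while a query translated to the VIP 45.0.0.1 is answered.
CAPTURE = """\
10:00:01.000 IP 100.0.0.10.51000 > 1.1.1.1.53: 4660+ A? netgate.com. (29)
10:00:01.010 IP 100.0.0.10.51001 > 9.9.9.9.53: 4661+ A? netgate.com. (29)
10:00:06.000 IP 100.0.0.10.51002 > 1.1.1.1.53: 4662+ A? netgate.com. (29)
10:00:30.000 IP 45.0.0.1.51003 > 1.1.1.1.53: 4663+ A? netgate.com. (29)
10:00:30.020 IP 1.1.1.1.53 > 45.0.0.1.51003: 4663 1/0/0 A 192.0.2.10 (45)
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Outbound query: "IP <src>.<sport> > <server>.53: <txid>+ ..." (the "+" is the RD flag)
QUERY = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.53: (\d+)\+ ")
# Reply: "IP <server>.53 > <dst>.<dport>: <txid> ..." (no "+" after the id)
REPLY = re.compile(rf"IP {IPV4}\.53 > {IPV4}\.(\d+): (\d+) ")


def unanswered_queries(capture):
    """Return {source_ip: count} of DNS queries that never received a reply.

    Queries and replies are paired on (client port, transaction id), so the
    pairing holds whether the capture shows pre- or post-NAT addresses.
    """
    pending = {}
    for line in capture.splitlines():
        m = QUERY.search(line)
        if m:
            src, sport, _server, txid = m.groups()
            pending[(sport, txid)] = src
            continue
        m = REPLY.search(line)
        if m:
            _server, _dst, dport, txid = m.groups()
            pending.pop((dport, txid), None)
    counts = defaultdict(int)
    for src in pending.values():
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in unanswered_queries(CAPTURE).items():
        print(f"{n} unanswered DNS queries sourced from {src}")
```

Every unanswered query here is sourced from 100.0.0.10, the WAN address that the 127.0.0.1/8 outbound rule never matched, which is the symptom the final "This firewall (self)" rule fixes.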
Grimeton
last edited by

Src NATing from a loopback interface needs to be enabled. Also, you should run a DNS resolver like unbound. You can set the outgoing interface there, e.g. the WAN interface, and then run a source NAT rule on that WAN interface for all requests coming from any/any going to any/udp/53.

        Problem solved.

Nono_
last edited by

Hi @Grimeton,
Thanks for the answer, but I'm not sure I follow.
As stated, the external connection works and I didn't have to enable anything on the loopback interface? Could you please specify where I may find this option?

Also, regarding DNS, the idea would be to use an external DNS server (likely 1.1.1.1 or 9.9.9.9) on the pfSense, and use those together with the DNS Forwarder on all my LAN devices. Why should I use a DNS resolver? As far as I know, you can't have the DNS Resolver together with the DNS Forwarder?

Finally, for NAT rules, I don't seem to be able to use any/any, especially for the redirection, as a target IP needs to be entered.

Would you mind explaining your idea in a bit more detail?

Nono_ @Nono_
last edited by

Finally, I've solved the issue by creating a specific outbound rule for the DNS requests (see top post, edited).

Grimeton @Nono_
last edited by

@Nono_ A DNS forwarder is nothing else than a stripped-down resolver. The only difference is that unbound can do more than just resolve. Besides that, even dnsmasq can hold host entries nowadays, but anyway...

              When you tell a program to use 127.0.0.1 as its source address then the packet filters aren't applied to 127.0.0.1. There's a sysctl variable that needs to be set in order to enable this behaviour.

              That's all.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.