Windows Server DNS Server can't forward to pfSense

netblues

@Hekmil said in Windows Server DNS Server can't forward to pfSense:

I'm strill not getting why I can't resolve from a LAN interface

What do you mean ? dig says you can.

Hekmil

@netblues yes dig says I can, but if I nslookup again from my lan IP I can't. Still getting the SERVFAIL.

netblues

@Hekmil server fail means can't get response from upstream.
This is expected

Enable dns resolver forwading to your dns gateway and it will also work

Hekmil

@netblues DNS Resolver Forwarding mode is enabled

netblues

@Hekmil and what do you have in system\general\dns ?

Hekmil

@netblues My NAT Gateway as DNS Server

The 2 boxes are checked. I've try to uncheck them to randomly test something but as expected nothing different

netblues

@Hekmil dig @yournasip cnn.com
what happens?

Hekmil

@netblues With NAT ip address everything is fine, just switching to LAN ip won't make it

; <<>> DiG 9.14.12 <<>> @192.168.101.2 cnn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63875
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;cnn.com.			IN	A

;; ANSWER SECTION:
cnn.com.		5	IN	A	151.101.129.67
cnn.com.		5	IN	A	151.101.65.67
cnn.com.		5	IN	A	151.101.193.67
cnn.com.		5	IN	A	151.101.1.67

;; AUTHORITY SECTION:
cnn.com.		5	IN	NS	ns-1086.awsdns-07.org.
cnn.com.		5	IN	NS	ns-1630.awsdns-11.co.uk.
cnn.com.		5	IN	NS	ns-47.awsdns-05.com.
cnn.com.		5	IN	NS	ns-576.awsdns-08.net.

;; Query time: 11 msec
;; SERVER: 192.168.101.2#53(192.168.101.2)
;; WHEN: Thu Jul 23 14:42:25 CEST 2020
;; MSG SIZE  rcvd: 236

netblues

@Hekmil But you get server failed, not no servers can be reached, right?

ping -S 172.16.1.2 192.168.101.2 works?

Hekmil

@netblues Yes I get Server can't find cnn.com : SERVFAIL

No it doesn't ping, that might be a route issue no ?

netblues

@Hekmil Do you have outbound nat enabled on your wan interface?

Hekmil

@netblues Oh my god...

The Outbound NAT configuration was set to automatic (which should have been enought right ?). So I tried to switch to manual and create a map ANY/ANY on WAN and everything works !

netblues

@Hekmil Your configuration is not exactly typical and "automatic" things sometimes fail.
From a technical point of view, pf being a router, you shouldn't need nat to reach an rfc1918 address.
I suspect that packets reach your nas gateway, but never return.

Most probably your nas gateway needs a route back for 172.16.1.0/24 pointing to your pfwan interface ip.
Natting, (double) just makes the call originate from the wan interface.
And connected networks don't need routes.

Hekmil

@netblues Yes I also think it reachs the nat gateway considering the logs but never returning.

I don't know how and where to set a route for my nat gateway though

netblues

@Hekmil Maybe you can't. You have to figure this out
In the mean time, stay with double nat.
For simple internet connectivity and dns resolution it won't make any difference.

Hekmil

@netblues I'm pretty I can't yes, so far the only thing I could change about the NAT configuration was the network IP and Gateway.

Yeah it'll do juste fine. Thanks anyway !