Possible Bug in SRCNAT in LAN



  • Hello everyone, I have been a pfSense user since version 2.0 and have always used a SRCNAT rule to redirect all external DNS traffic to my internal DNS server. However, after upgrading from 2.2.6 to 2.3.2 the rule stopped working: when I create the same rule, any external DNS query fails instantly instead of being redirected to my internal DNS server.

    I set up a lab without importing any configuration files and the same problem occurred, even with only this one Port Forward rule.

    I asked a friend who has the same kind of rule enabled to test it on a backup VM of production, and the same thing happened to him: the rule stopped working.

    If anyone knows how I can inform the pfSense development team so they can fix this problem, thanks a lot, because I have to downgrade because of it.



  • Hi,
    I have the same problem, and I've opened a thread about it (maybe in the wrong part of the forum, sorry).
    I can confirm this behaviour; I use this rule to redirect DNS requests sent to DNS servers other than the internal one to the forwarder on pfSense.
    Everything was OK with 2.2.6; with 2.3.1 clients aren't able to resolve.
    I think this could be a bug.
    Bye.



  • Well, I opened a ticket in the pfSense bug system on the subject, and the reply they gave me was this:

    Reflection wouldn't come into play for a rule such as that. If the client and server are on the same subnet, you need hybrid or manual outbound NAT rules to mask the source. It's possible there is some other backend parsing difference but there are many, many people using rules exactly like that successfully on 2.3.x with proper outbound NAT.

    More likely, the config you had was incomplete on 2.2.x but was working by accident due to some other factor in your configuration. Post much more detail on a forum thread and someone can help you diagnose the underlying problem.

    Funny, I tried all possible rules with hybrid outbound NAT and no success…. Apparently I have to downgrade and completely remove the pfSense update button. =/



  • Downgrade is the only option, at the moment, for me too.
    I've done some configuration tests, following the guide on the site.
    No success at all.
    It seems that we all have wrong configurations on our pfSense boxes.
    I ask other users whether anyone has been able to redirect DNS requests to pfSense with version 2.3.1 or newer.
    Thanks in advance.
    Have a nice day, guys.



  • I have been using a port forward rule in NAT to redirect all DNS requests from LAN to a different IP and I can confirm that the redirect works in 2.3.2.



  • Hi, could you please share your configuration?
    I mean, the steps to configure the redirection.
    The configuration explained in the wiki worked well on 2.2.6, but I've replicated it on 2.3.1 and it doesn't work.
    Maybe I can also try upgrading to 2.3.2, because I've only worked on 2.3.1.
    Thanks in advance for your help.



  • Max, please share with us how you managed to make this rule work…. I installed pfSense 2.3.2 in a VirtualBox virtual machine from scratch and tried just the rule, and it did not work. Could you share the entire procedure with Nosco and me? Thank you in advance for any help you can give, since I have already spent one week breaking my head over it.


  • LAYER 8 Netgate

    What is your LAN subnet?



  • Since it is a problem affecting all our secondary sites, I'll pick one as an example.
    LAN subnet: 192.168.101.0/24
    pfSense: 192.168.101.1
    Every DNS request must be redirected to pfSense itself.
    I hope this gives you the information needed.
    Thanks.



  • @IoDa:

    Since it is a problem affecting all our secondary sites, I'll pick one as an example.
    LAN subnet: 192.168.101.0/24
    pfSense: 192.168.101.1
    Every DNS request must be redirected to pfSense itself.
    I hope this gives you the information needed.
    Thanks.

    What you describe is NOT the same scenario as in the first post of this thread. You are trying to redirect to the pfSense itself and the person in the first post is trying to redirect back to an internal host which is a very different and more complicated scenario.



  • Sorry, I'm not the person who wrote the post.
    I only have the same problem.
    I wrote the first reply.
    I only answered Derelict.



  • I'm just trying to tell you that you have a different problem, because a simple redirect to a pfSense internal address such as the one you're trying to do is bread and butter for pfSense. The redirect in the first post is different, because a redirection in PF cannot return via the same interface the connection came in on without some special tricks.



  • Sorry if I've messed up the thread; I thought the problem was similar to mine.
    And the redirect to pfSense was "bread and butter", as you said, with version 2.2.6.
    After upgrading to release 2.3.X it doesn't work anymore.
    I don't know if anything has changed and there are some corrections to make.
    I've followed the how-to: https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense.
    It worked.
    Can you suggest any checks to do to have a working DNS redirect as before release 2.3.X?
    Thanks again.



  • In my case the redirect must be to another IP on the same LAN network, because I have an internal application which users attempt to access, and it needs to be redirected not to pfSense itself but to an internal web server.

    However, if you can help my friend, at least for now with DNS queries, I think it can certainly cure 50% of my problems temporarily.


  • LAYER 8 Netgate

    Your port forward is not translating the source address, it is translating the destination address, as that is what port forwards do.

    You also need an outbound NAT rule on LAN translating from source LAN net, destination DNS host port 53, NAT address LAN address.

    You need to make the DNS server send queries back through the state and ping pong them back out LAN. That is done by translating the source address to pfSense LAN address.

    You are essentially doing NAT reflection for destination any instead of WAN address.

    Client 192.168.10.100 sends a DNS query to 8.8.8.8
    LAN receives and port forward translates destination address to 192.168.10.254
    As it stands, the DNS server at 192.168.10.254 will receive the request from 192.168.10.100.
    The reply will not go back to the firewall, but will be sent directly on the subnet creating a triangle. This might or might not work depending on local firewalls, etc. Client will be expecting answer from 8.8.8.8 not 192.168.10.254.

    Instead you do this:
    Client 192.168.10.100 sends a DNS query to 8.8.8.8
    LAN receives and port forward translates destination address to 192.168.10.254
    On the way out LAN outbound NAT translates the source address from 192.168.10.100 to pfSense LAN address
    DNS Server receives from LAN address and replies to LAN address
    Source and destination address are translated back and packet appears to arrive at the client sourced from 8.8.8.8 as expected.
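The two-rule flow described above, as an added example that is not part of the original post and not pfSense code: a small Python model of pf's port forward (destination rewrite), outbound NAT (source rewrite) and the state entry that undoes both on the reply. It uses the thread's addresses (client 192.168.10.100, DNS server 192.168.10.254, queries to 8.8.8.8); the pfSense LAN address 192.168.10.1 and the client source port 40000 are assumptions. Running `simulate(False)` reproduces the "triangle" (server answers the client directly, from the wrong address), `simulate(True)` the working path.

```python
"""Model of the LAN DNS redirect: port forward + outbound NAT on LAN.
Added example; not pfSense code. Addresses from the thread, except the
pfSense LAN address (192.168.10.1) and client port (40000), which are assumed.
Approximate pf equivalents of the two rules (assumed, for orientation only):
  rdr on $lan proto udp from 192.168.10.0/24 to any port 53 -> 192.168.10.254
  nat on $lan proto udp from 192.168.10.0/24 to 192.168.10.254 port 53 -> 192.168.10.1
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

LAN_NET = ip_network("192.168.10.0/24")
FW_LAN_ADDR = "192.168.10.1"    # assumed pfSense LAN address
DNS_SERVER = "192.168.10.254"   # internal DNS server (from the thread)
CLIENT = "192.168.10.100"       # LAN client (from the thread)
PUBLIC_DNS = "8.8.8.8"          # what the client thinks it is talking to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """pf-style NAT: the port forward rewrites the destination, the outbound
    NAT rule rewrites the source, and one state entry reverses both."""

    def __init__(self, outbound_nat: bool):
        self.outbound_nat = outbound_nat
        # key: the reply tuple we expect to see (src, sport, dst, dport)
        # value: the original, untranslated query
        self.states: dict = {}

    def lan_in(self, pkt: Packet) -> Packet:
        """Query arriving on LAN. Port forward matches DNS from LAN net that is
        not already headed to the internal server."""
        matches = (ip_address(pkt.src) in LAN_NET and pkt.dport == 53
                   and pkt.dst != DNS_SERVER)
        if not matches:
            return pkt
        # Port forward: destination becomes the internal DNS server.
        # Outbound NAT (if enabled): source becomes the firewall's LAN address,
        # so the server's reply comes back to the firewall instead of the client.
        src = FW_LAN_ADDR if self.outbound_nat else pkt.src
        out = Packet(src, pkt.sport, DNS_SERVER, pkt.dport)
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def lan_reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply arriving on LAN addressed to the firewall itself. Match the
        state and undo both translations so the client sees 8.8.8.8 answering."""
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def dns_server_reply(pkt: Packet) -> Packet:
    """The DNS server answers whoever the query appeared to come from."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def client_accepts(query: Packet, reply: Optional[Packet]) -> bool:
    """A stub resolver discards answers not from the address/port it queried."""
    return (reply is not None and reply.src == query.dst and reply.sport == query.dport
            and reply.dst == query.src and reply.dport == query.sport)


def simulate(outbound_nat: bool) -> Tuple[Packet, Packet, bool]:
    """Return (packet as delivered to the DNS server, reply as delivered to the
    client, whether the client accepts it)."""
    fw = Firewall(outbound_nat)
    query = Packet(CLIENT, 40000, PUBLIC_DNS, 53)
    forwarded = fw.lan_in(query)
    reply = dns_server_reply(forwarded)
    if reply.dst == FW_LAN_ADDR:
        # Reply comes back through the firewall's state table.
        delivered = fw.lan_reply(reply)
    else:
        # Triangle: server and client share the subnet, so the reply goes
        # straight to the client and nothing untranslates its source address.
        delivered = reply
    return forwarded, delivered, client_accepts(query, delivered)


if __name__ == "__main__":
    for nat in (False, True):
        fwd, rep, ok = simulate(nat)
        print(f"outbound NAT={nat}: server sees {fwd.src} -> {fwd.dst}; "
              f"client gets reply from {rep.src}; accepted={ok}")
```

Without the outbound NAT rule the client receives an answer from 192.168.10.254 for a query it sent to 8.8.8.8 and drops it, which is the timeout the thread is seeing; with it, the firewall reverses both rewrites and the answer appears to come from 8.8.8.8.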



  • They already told me to create an Outbound rule for testing. On pfSense 2.3.2 installed in VirtualBox I changed the Outbound NAT type to hybrid as instructed and added the following rule, first at the top and then moved to the end; however, it did not work.

    PS: It doesn't appear in the image, but Port Translation = 53 and PLACA2-FIBRA = WAN.



  • LAYER 8 Netgate

    No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.

    Look at what I wrote above again.



  • @Derelict:

    No. You need outbound NAT on LAN translating the source address of the DNS requests that are being forwarded to the local DNS server. The source address needs to be translated to LAN address.

    Look at what I wrote above again.

    I tried that too; however, when I change the interface to LAN, requests using nslookup firewall.dominio.local 8.8.8.8 return timeouts.

    To be clear, it reaches 8.8.8.8; the error occurs when I create the other rule, the Port Forward.



  • LAYER 8 Netgate

    I just did this on the VM bench. Everything worked exactly as expected.

    DNS Server on 192.168.1.100
    Client making queries to 8.8.8.8 from 192.168.1.101

    ![Screen Shot 2016-08-06 at 4.38.27 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.38.27 PM.png)
    ![Screen Shot 2016-08-06 at 4.38.52 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.38.52 PM.png)
    ![Screen Shot 2016-08-06 at 4.48.21 PM.png](/public/imported_attachments/1/Screen Shot 2016-08-06 at 4.48.21 PM.png)



  • I have no idea then why it does not work here….
    After adding the 2 rules it is still giving timeouts. :'(







  • LAYER 8 Netgate

    What is the IP address of your client?

    What is the IP address of your DNS server?

    You seem to have switched from natting to .254 to natting to .1.

    Port forwards translate the destination address.

    Outbound NAT translates the source address.

    You need to do both.

