Transparent Firewalling seems to block DNS Lookups internally



  • Greetings folks -
    After a really nice long Google search I ended up here …
    I searched and searched the forums - but alas - I think I might need to post this as a question ... as I have yet to find the solution.

    In short, we have a number of IPs for which a client of ours is looking to set up pfSense as a transparent bridge/firewall.

    Setup is as follows:

    Incoming Ethernet connection from data center
      |
    SWITCH
      |
    pfSense WAN (IP 216.119.x.x) ---- external IP for management 24.182.x.x
      |
    SWITCH
      |
    Their systems, running IP ranges:
    216.119.x.x
    67.184.x.x
    65.194.x.x
    
    So here is the deal: we allowed all traffic for any protocol on LAN.

    We then set up the WAN to allow:

    TCP: 20,21,22,25,53,80,110,125,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,55555,55553
    UDP: 20,21,53,113,123,873,953,6277,33434:33523

    Both TCP and UDP for port 53 are allowed - however, clients internally are unable to resolve DNS requests (all but one).

    This is a transparent firewall, so I'm not really sure what the deal is - I just know it's annoying.

    Anyone have any ideas?


  • If you set up your pfSense as a DNS server and force the users to use this DNS (do this if you use a transparent proxy), the users will request :53 from the LAN interface for DNS services.

    user == LAN ==> pfsense :53 == WAN ==>…

    So your settings for WAN may be causing the problem. Replace them with LAN settings.



  • @typo3usa.com:

    We then set up the WAN to allow:

    TCP: 20,21,22,25,53,80,110,125,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,3306,55555,55553
    UDP: 20,21,53,113,123,873,953,6277,33434:33523

    Both TCP and UDP for port 53 are allowed - however, clients internally are unable to resolve DNS requests (all but one).

    What DNS servers are assigned to the clients?
    The ports open on the WAN tab are for incoming traffic on the WAN interface only. Users requesting DNS resolution use your "allow all" rule on the LAN tab.
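    To make the point of this reply concrete, here is an added example (not from the thread or from pfSense itself) that models the thread's rule set as a stateful, per-interface filter: a client's DNS query enters on LAN and is passed by the "allow all" LAN rule, the resolver's reply enters on WAN and is passed by the state that query created, and the WAN port list only ever decides unsolicited connections arriving on WAN. First-match evaluation on the ingress interface, the state-table keying and all addresses are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed from the port lists posted in the thread (assumption: this is how
# pfSense evaluates them, i.e. per ingress interface, with a state table).
WAN_TCP: Set[int] = {20, 21, 22, 25, 53, 80, 110, 125, 143, 443, 465, 953, 993, 995,
                     2077, 2078, 2082, 2083, 2086, 2087, 2095, 2096, 3306, 55555, 55553}
WAN_UDP: Set[int] = {20, 21, 53, 113, 123, 873, 953, 6277} | set(range(33434, 33524))

Endpoint = Tuple[str, int]          # (ip, port)

@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet ENTERS on: "LAN" or "WAN"
    proto: str                      # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint

class StatefulBridge:
    """Per-interface first-match rules plus a state table for accepted flows."""
    def __init__(self) -> None:
        self.states: Set[Tuple[str, Endpoint, Endpoint]] = set()

    def filter(self, pkt: Packet) -> str:
        # 1. An existing state matches both directions of an accepted flow,
        #    so a reply never needs a rule on the interface it arrives on.
        if (pkt.proto, pkt.src, pkt.dst) in self.states or \
           (pkt.proto, pkt.dst, pkt.src) in self.states:
            return "pass (state)"
        # 2. Otherwise only the rules of the ingress interface are consulted.
        if pkt.iface == "LAN":
            accepted = True                      # the thread's "allow all" LAN rule
        elif pkt.iface == "WAN":
            accepted = pkt.dst[1] in (WAN_TCP if pkt.proto == "tcp" else WAN_UDP)
        else:
            accepted = False
        if accepted:
            self.states.add((pkt.proto, pkt.src, pkt.dst))
            return f"pass ({pkt.iface} rule)"
        return f"block ({pkt.iface} rule)"

def trace_dns_lookup(client: str, resolver: str) -> List[str]:
    """Verdicts for a client's UDP/53 query (enters LAN) and the reply (enters WAN)."""
    fw = StatefulBridge()
    query = Packet("LAN", "udp", (client, 40000), (resolver, 53))
    reply = Packet("WAN", "udp", (resolver, 53), (client, 40000))
    return [fw.filter(query), fw.filter(reply)]

if __name__ == "__main__":
    # constructed addresses: an inside host in the thread's 216.119.x.x range
    # and a documentation-range resolver
    print(trace_dns_lookup("216.119.0.10", "192.0.2.53"))
```

    If the lookup still fails with the LAN rule passing it, the question above is the next thing to check: which resolver the clients are actually configured to use.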

