Migration from FWbuilder to pfSense DNAT Help ?



  • I have been using Fwbuilder for a long time for my home network and would like to make the switch over to pfSense.

    I am hung up on pfSense various NAT toggle and switch pockets and how to accomplish the equivalent of iptables DNAT so that for example; The Split DNS server may identify the source (public) adress as opposed to internal non public) source address.

    This is my uber fancy asci network diagram to try and keep the discussion on track.

    WAN (Public Net)/29 <–> |pfSense Host| <--> DMZ (Private Net)/24
                                            |                  |                      SplitDNS Host TCP/UDP 53
                                            |                  |                      Apache  Host TCP 80,443...
                                            |                  |                      Mail    Host TCP 25,465,993...
                                            |                  |                      ...
                                            |                  | <--> LAN (Private Net)/24
                                                                                        Samba Host
                                                                                        ...

    The online book talks about Split DNS being ideal.  I always felt that way too :-).  So far I have not uncovered where I am going wrong.  External DNS queries resovlve to internal hosts.

    With this particularly common DMZ / Split DNS setup; where do I go to accomplish this?

    System/Advanced/Firewall & NAT?
      Interfaces/(WAN)?
      Firewall/NAT/PortForward?
      Firewall/NAT/Outbound?
      Firewall/Rules/WAN,DMZ,LAN?

    This is a working example of the Fwbuilder iptable rule for DNAT and the SplitDNS server.

    Primary DNS queries

    $IPTABLES -t nat -N Cid47A6A4EA11090.0
    $IPTABLES -t nat -A PREROUTING  -p tcp -m tcp  -d (Public IP)  --dport 53 -j Cid47A6A4EA11090.0 
    $IPTABLES -t nat -A PREROUTING  -p udp -m udp  -d (Public IP)  --dport 53 -j Cid47A6A4EA11090.0 
    $IPTABLES -t nat -A Cid47A6A4EA11090.0  -s DMZ.0/24  -j RETURN 
    $IPTABLES -t nat -A Cid47A6A4EA11090.0  -s LAN.0/24  -j RETURN 
    $IPTABLES -t nat -A Cid47A6A4EA11090.0  -p tcp -m tcp  --dport 53 -j DNAT --to-destination (SplitDNSHostIP)
    $IPTABLES -t nat -A Cid47A6A4EA11090.0  -p udp -m udp  --dport 53 -j DNAT --to-destination (SplitDNSHostIP)

    There would also be a PORTROUTING return rule

    Return path

    $IPTABLES -t nat -N Cid9015X24745.0
    $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -m tcp  -s (SplitDNSHostIP)  --dport 53 -j Cid9015X24745.0 
    $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -m udp  -s (SplitDNSHostIP)  --dport 53 -j Cid9015X24745.0 
    $IPTABLES -t nat -A Cid9015X24745.0  -d DMZ.0/24  -j RETURN 
    $IPTABLES -t nat -A Cid9015X24745.0  -d LAN.0/24  -j RETURN 
    $IPTABLES -t nat -A Cid9015X24745.0  -p tcp -m tcp  --dport 53 -j SNAT --to-source (Public IP)
    $IPTABLES -t nat -A Cid9015X24745.0  -p udp -m udp  --dport 53 -j SNAT --to-source (Public IP)

    And not to exclude the rule to allow
    $IPTABLES -N Cid43B8C5E7.0
    $IPTABLES -A OUTPUT -p tcp -m tcp  --dport 53  -m state --state NEW  -j Cid43B8C5E7.0
    $IPTABLES -A OUTPUT -p udp -m udp  --dport 53  -m state --state NEW  -j Cid43B8C5E7.0
    $IPTABLES -A Cid43B8C5E7.0  -d (SplitDNSHostIP)  -j ACCEPT
    $IPTABLES -N Cid43B8C5E7.1
    $IPTABLES -A FORWARD -p tcp -m tcp  --dport 53  -m state --state NEW  -j Cid43B8C5E7.1
    $IPTABLES -A FORWARD -p udp -m udp  --dport 53  -m state --state NEW  -j Cid43B8C5E7.1
    $IPTABLES -A Cid43B8C5E7.1  -d (SplitDNSHostIP)  -j ACCEPT

    Thanks in advance,



  • Anybody?



  • I am back to using fwbuilder.  Not really much benefit using pf.