Redirecting all DNS traffic to pfSense not working

  • I have an IoT subnet. On this subnet I want the TVs, Roku's, thermostats, etc to all have their DNS traffic redirected to the DNS servers I have specified in pfSense (Cloudflare). I followed this document to set this up. I thought it was working fine but then noticed a device on this subnet was talking with

    Here's the image of the NAT redirect setup.
    0_1540043412563_Screen Shot 2018-10-20 at 9.42.27 AM.png

    And the subsequent firewall rule on that interface;
    0_1540043465121_Screen Shot 2018-10-20 at 9.42.58 AM.png

    As stated earlier, running packet capture, I see that at least one device on this subnet is successfully querying and getting a response back. I have Cloudflare DNS setup in general settings.

    Thanks for any help!

  • LAYER 8 Global Moderator

    And they are doing that on udp/tcp 53 - or some other port?

  • The destination port is 53. It seems like the query first goes to the gateway, but then it immediately tries Both the gateway and reply. All over port 53.

  • LAYER 8 Global Moderator

    The client can send query to all it wants - you sniffed on the wan and saw this go out?

  • Well, it's weird but on the WAN I don't see traffic over 53 or to - I do DNS over TLS on port 853 so that makes sense to not see anything over port 53. The source IP for the query response is I see states for on the IoT interface but not on the WAN interface. When I capture traffic on the IoT interface, it shows that the query response source IP is

    I'm guessing when is queried, the traffic is translated and the state is built, but the interface is none the wiser whether or not the return traffic is actually from

  • LAYER 8 Global Moderator

    Exactly.. Client doesn't know answer didn't come back from

    It just really knows it gets an answer back to its source port it asked from

  • Very cool. I learned something today.

Log in to reply