[Resolved] Allow DNS Queries from WAN Interface
I'm in a renter situation unfortunately using double NAT. There's a community gateway/router at 192.168.1.1, and I have my pfSense instance downstream from that.
pfSense WAN interface has a static IP of 192.168.1.241
I use the WAN subnet as a "DMZ" and have some IoT devices on there. I would prefer for these devices to be able to query pfSense for DNS instead of sending queries upstream to the 192.168.1.1 default gateway where they can potentially be logged or hijacked.
- I have unbound set to listen on the WAN interface.
- I have a firewall rule on the WAN interface that successfully passes traffic.
When I test using nslookup, I get an "ignore" response.
I think the missing piece to the puzzle has to do with NAT and/or port forwarding and/or NAT reflection.
I tried creating a Port Forward as follows, but it didn't work:
Source Address: Trusted_WAN_Devices alias with my DMZ/IoT devices
Source Ports: *
Destination Address: WAN address
Destination Ports: DNS
Redirect target IP: 127.0.0.1
Redirect target port: DNS
NAT Reflection: Enable (Pure NAT) <-- ???
Second unrelated question: Why can I no longer access forum.netgate.com via PIA VPN endpoints, but I can over Tor exit nodes? It's a PITA to have to use the Tor Browser Bundle just to see these forums, when for many years I could access forum.pfsense.org over PIA VPN.
The solution had nothing at all to do with NAT or port forwarding or anything. Apparently, unbound rejects DNS queries coming via the WAN interface by default, even if "WAN" is selected in one of the listening interfaces. This explains why the WAN firewall rule was successfully passing traffic on 53/udp and 53/tcp, but my test client (in this case a Wndows device doing nslookup) was getting "Query refused."
I simply had to create a new Access List (the 3rd tab in unbound configuration) for 192.168.1.0/24 and set it to "Allow."
Gertjan last edited by
access forum.netgate.com via PIA VPN endpoints
See here https://forum.netgate.com/category/20/forum-feedback for possible reasons.
More and more people use VPN's these days sot it's quiet understandable that many IP addresses used by these VPN companies have become totally useless (they are refused because used ones for less-the-honest occupations).