• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

[Resolved] Allow DNS Queries from WAN Interface

Scheduled Pinned Locked Moved DHCP and DNS
4 Posts 2 Posters 753 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • F
    Finger79
    last edited by Finger79 Feb 25, 2019, 10:55 PM Feb 19, 2019, 5:43 PM

    I'm in a renter situation unfortunately using double NAT. There's a community gateway/router at 192.168.1.1, and I have my pfSense instance downstream from that.

    WAN: 192.168.1.0/24
    pfSense WAN interface has a static IP of 192.168.1.241

    I use the WAN subnet as a "DMZ" and have some IoT devices on there. I would prefer for these devices to be able to query pfSense for DNS instead of sending queries upstream to the 192.168.1.1 default gateway where they can potentially be logged or hijacked.

    1. I have unbound set to listen on the WAN interface.
    2. I have a firewall rule on the WAN interface that successfully passes traffic.

    When I test using nslookup, I get an "ignore" response.

    I think the missing piece to the puzzle has to do with NAT and/or port forwarding and/or NAT reflection.

    I tried creating a Port Forward as follows, but it didn't work:

    Interface: WAN
    Protocol: TCP/UDP
    Source Address: Trusted_WAN_Devices alias with my DMZ/IoT devices
    Source Ports: *
    Destination Address: WAN address
    Destination Ports: DNS
    Redirect target IP: 127.0.0.1
    Redirect target port: DNS
    NAT Reflection: Enable (Pure NAT) <-- ???

    1 Reply Last reply Reply Quote 0
    • F
      Finger79
      last edited by Finger79 Feb 19, 2019, 5:59 PM Feb 19, 2019, 5:57 PM

      Second unrelated question: Why can I no longer access forum.netgate.com via PIA VPN endpoints, but I can over Tor exit nodes? It's a PITA to have to use the Tor Browser Bundle just to see these forums, when for many years I could access forum.pfsense.org over PIA VPN.

      G 1 Reply Last reply Feb 26, 2019, 1:32 PM Reply Quote 0
      • F
        Finger79
        last edited by Finger79 Feb 25, 2019, 10:54 PM Feb 25, 2019, 10:53 PM

        Solution

        The solution had nothing at all to do with NAT or port forwarding or anything. Apparently, unbound rejects DNS queries coming via the WAN interface by default, even if "WAN" is selected in one of the listening interfaces. This explains why the WAN firewall rule was successfully passing traffic on 53/udp and 53/tcp, but my test client (in this case a Wndows device doing nslookup) was getting "Query refused."

        I simply had to create a new Access List (the 3rd tab in unbound configuration) for 192.168.1.0/24 and set it to "Allow."

        1 Reply Last reply Reply Quote 0
        • G
          Gertjan @Finger79
          last edited by Feb 26, 2019, 1:32 PM

          @finger79 said in [Resolved] Allow DNS Queries from WAN Interface:

          access forum.netgate.com via PIA VPN endpoints

          See here https://forum.netgate.com/category/20/forum-feedback for possible reasons.
          More and more people use VPN's these days sot it's quiet understandable that many IP addresses used by these VPN companies have become totally useless (they are refused because used ones for less-the-honest occupations).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          4 out of 4
          • First post
            4/4
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
            This community forum collects and processes your personal information.
            consent.not_received