Netgate 3100: DNS Server behind 1:1 NAT working locally but not externally



  • Hi,

    I have set up 1:1 NAT to make my DNS Server on the LAN side appear on a public IP address on the WAN side.

    On my local network on the WAN side, I can run nslookup DNS queries and they work, but if I make a DNS query from a separate network from across the Internet (i.e. from my 2nd separate network going through a different ISP across the Internet), then the nslookup queries time out and so do not resolve.

    I can quite happily access a web server through port 80 on the same 1:1 NAT'ed IP address from across the Internet using the same setup, so it looks like something to do with the DNS configuration.

    I have enabled port 53 for both TCP and UDP and port 80 on both the Netgate and on my local firewall on my local network WAN side.

    I can see the port 53 queries coming in from across the Internet in the Netgate's logs, but there's no response at the other end.

    If I move the DNS to the other side of the Netgate so it's on the WAN rather than 1:1 NAT behind the Netgate, then it CAN be seen across the Internet, so it looks like some form of interaction between the 1:1 NAT server and the DNS server.

    Does anyone have any idea as to what is happening here?

    This is urgent as my other ISP is closing down their service and I need to get this working so I can get my servers and DNS shifted across to a new ISP.


  • Rebel Alliance Developer Netgate

    What do the states look like for an attempting connection using NAT?

    What does a packet capture show? Does the traffic exit pfSense going to the DNS server? Does pfSense receive a reply from the DNS server?

    Sounds like maybe your DNS server isn't using pfSense as its gateway, or has some other kind of firewall/ACL mechanism kicking in if it's on a private network.

    I've set up DNS servers behind 1:1 NAT before and it works great, nothing special needed.



  • [My investigation time is limited to non-office hours, so is limited during the week]

    I haven't run any packet capture software yet, but turning on the logging on the DNS server behind the Netgate I can see the DNS requests coming in and being responded to, so it's likely to be somewhere between the outgoing connection from the DNS server, through the Netgate, through the Firewall to the Internet.

    There's nothing being logged as being blocked by the external firewall.

    I can get it working by running DNS on the Netgate and forwarding queries for the domains managed by the DNS server behind the Netgate and then querying the Netgate DNS, but ideally I'd just like to use the DNS server itself.

    Is there any good open source packet capture software that can parse & decode DNS UDP/TCP messages?



  • Actually the Netgate DNS + forwarding is only working if I access it through the local network and not the Internet, whereas my other existing DNS server not behind the Netgate is handling queries from across the Internet, so it looks like some form of issue specific to the link between my external firewall and the Netgate.



    Also, the lights on the Netgate's WAN Adapter socket are constantly flashing, as if there is some constant high level of activity, although the network switch at the other end of the cable is not as busy. So I'm wondering if there is some traffic loop between the Netgate and the Firewall (Sonicwall SOHO-3) which may indicate some form of routing issue?


  • Rebel Alliance Developer Netgate

    @JDL said in Netgate 3100: DNS Server behind 1:1 NAT working locally but not externally:

    I haven't run any packet capture software yet, but turning on the logging on the DNS server behind the Netgate I can see the DNS requests coming in and being responded to

    You need to compare that with what the firewall sees in a capture on the interface connected to the network with the DNS server. Just because the DNS server sent a reply doesn't mean it sent that to pfSense.

    I can get it working by running DNS on the Netgate and forwarding queries for the domains managed by the DNS server behind the Netgate and then querying the Netgate DNS, but ideally I'd just like to use the DNS server itself.

    The DNS services on the firewall aren't intended to be used for public/authoritative service, so I definitely wouldn't recommend using that long term. Passing the queries on to the DNS server is the best method in your situation.

    Is there any good open source packet capture software that can parse & decode DNS UDP/TCP messages?

    Capture the packets using tcpdump writing to a file (or just Diagnostics > Packet Capture on pfSense) and then download the capture to a local workstation and load it in Wireshark.

    Actually the Netgate DNS + forwarding is only working if I access it through the local network and not the Internet, whereas my other existing DNS server not behind the Netgate is handling queries from across the Internet, so it looks like some form of issue specific to the link between my external firewall and the Netgate.

    That still feels to me like the DNS server is sending its responses somewhere that isn't pfSense. Make sure pfSense is the gateway for that system.

    Also, the lights on the Netgate's WAN Adapter socket are constantly flashing, as if there is some constant high level of activity, although the network switch at the other end of the cable is not as busy. So I'm wondering if there is some traffic loop between the Netgate and the Firewall (Sonicwall SOHO-3) which may indicate some form of routing issue?

    No way to know that for certain without knowing what the traffic is. Could just be normal on a busy segment. Capture a few thousand packets, load the file up in Wireshark and see what is there.
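    The comparison suggested above (does pfSense actually see the DNS server's replies on the interface facing it?) can be scripted over `tcpdump -n port 53` text output. This is an added example, not code from the thread or from Netgate; the capture lines and the server address 192.168.1.53 are constructed placeholders.

    ```python
    import re
    from collections import OrderedDict

    # Constructed sample of `tcpdump -ni <lan_if> port 53` output, as captured on the
    # pfSense interface that faces the DNS server (placeholder address 192.168.1.53).
    # Queries 4321 and 4323 get replies on this interface; query 4322 does not.
    SAMPLE_CAPTURE = """\
    13:02:15.100000 IP 198.51.100.7.40123 > 192.168.1.53.53: 4321+ A? example.org. (29)
    13:02:15.100400 IP 192.168.1.53.53 > 198.51.100.7.40123: 4321 1/0/0 A 192.0.2.10 (45)
    13:02:16.200000 IP 203.0.113.9.55001 > 192.168.1.53.53: 4322+ A? example.org. (29)
    13:02:17.300000 IP 198.51.100.7.40124 > 192.168.1.53.53: 4323+ AAAA? example.org. (29)
    13:02:17.300500 IP 192.168.1.53.53 > 198.51.100.7.40124: 4323 0/1/0 (80)
    """

    # timestamp, src.port > dst.port: transaction-id ...  (IPv4 tcpdump -n layout)
    LINE_RE = re.compile(
        r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
        r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)"
    )


    def match_queries(capture_text, server_ip, dns_port=53):
        """Pair queries sent to server_ip with replies seen on the same capture.
        Returns (answered, unanswered); each entry is (client_ip, client_port, txid).
        A reply is only counted if its txid and client 4-tuple match a seen query."""
        pending = OrderedDict()
        answered = []
        for line in capture_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue  # non-DNS or unparsable line
            f = m.groupdict()
            if f["dst"] == server_ip and int(f["dport"]) == dns_port:
                # query heading into the DNS server: remember it until a reply appears
                pending[(f["src"], int(f["sport"]), int(f["txid"]))] = f["ts"]
            elif f["src"] == server_ip and int(f["sport"]) == dns_port:
                key = (f["dst"], int(f["dport"]), int(f["txid"]))
                if pending.pop(key, None) is not None:
                    answered.append(key)
        return answered, list(pending)


    def report(capture_text, server_ip):
        """Human-readable summary: queries the firewall never saw a reply for
        point at the DNS server's gateway/ACL rather than at the NAT rules."""
        answered, unanswered = match_queries(capture_text, server_ip)
        lines = [f"{len(answered)} answered, {len(unanswered)} unanswered"]
        for client, port, txid in unanswered:
            lines.append(f"no reply seen for txid {txid} from {client}:{port}; "
                         f"check that {server_ip} routes replies via pfSense")
        return lines


    if __name__ == "__main__":
        print("\n".join(report(SAMPLE_CAPTURE, "192.168.1.53")))
    ```

    Wireshark's "dns.flags.response" filter gives the same view interactively; the script is useful when the capture is large or lives on the firewall.
    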



  • @jimp Thanks for your suggestion. I've fixed it. It was a gateway issue.

    Because I was setting a fixed IP address for the WAN Interface of the Netgate rather than a fixed one allocated by an upstream DHCP server, I hadn't explicitly configured an upstream Gateway for the WAN Interface. Since I wasn't using DHCP then one wasn't automatically set.

    Having set the upstream gateway it now all works fine.

    Presumably the web server was working across the Internet because it was HTTP over TCP rather than the failing DNS over UDP?

