Netgate Discussion Forum

[SOLVED] DNS Forwarding behind (S)NATed network

5 Posts 2 Posters 1.1k Views
    Nono_ (posted Feb 7, 2020, 4:23 PM; last edited by Nono_ Feb 10, 2020, 8:51 AM)

    SOLUTION:

    The solution was to create a dedicated NAT Outbound rule like so:
    Interface: WAN
    Protocol: UDP
    Source: This firewall (self)
    Destination: Any (port 53)
    Translation address: 45.0.0.1
    

    Original Post:

    My pfSense is behind a NATed network, so I have to use an SNAT IP, which is my public IP.
    So currently my pfSense is set up like this:
    WAN interface: 100.0.0.10; GW: 100.0.0.9
    LAN interface: 192.168.1.0
    Virtual IP "Public IP": 45.0.0.1

    DNS Servers: 1.1.1.1 & 9.9.9.9
    DNS Forwarder: enabled on ALL interfaces.

    NAT Outbound rules:
    Source: 127.0.0.1/8
    Destination: Any
    Translation IP: 45.0.0.1

    From a computer connected to the LAN (192.168.1.10), I can resolve using "nslookup netgate.com 1.1.1.1" but can NOT using "nslookup netgate.com".

    When I capture packets on the pfSense (filtered on port 53), I can only see my WAN IP (100.0.0.10) trying to reach either 1.1.1.1 or 9.9.9.9, but no answer.
    I tried to create all sorts of NAT Port Forwarding rules but didn't find any solution.

    I don't know what I'm missing; could someone maybe help me figure it out?
    I've tested "ping" and "DNS lookup"; neither of them can resolve any domain, so I guess my pfSense cannot get any DNS answer from the DNS servers that are set up?

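The reason the original outbound rule never helped, and the fixed one does, is first-match rule evaluation: the forwarder's own queries leave with the WAN address 100.0.0.10 as source (exactly what the port-53 capture showed), so a rule whose source is 127.0.0.1/8 never matches them and they go out untranslated with an address the upstream NAT network will not answer. The script below is an added illustration, not the thread's or pfSense's own code; it models outbound NAT matching in simplified form and assumes a LAN gateway address of 192.168.1.1 and a LAN-to-WAN outbound rule that the post does not list.

```python
"""Model of first-match outbound (source) NAT evaluation.

Constructed example based on the addresses in the forum thread; it is not
pfSense code and simplifies the real rule semantics (no state, no port
ranges, no interface groups)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp", "tcp", "icmp"
    dport: Optional[int]  # None for protocols without ports
    egress: str           # interface the packet leaves on


@dataclass(frozen=True)
class OutboundRule:
    interface: str        # interface the rule is attached to
    proto: str            # "any", "udp" or "tcp"
    source: str           # CIDR, or "self" for "This firewall (self)"
    dest: str             # CIDR or "any"
    dport: Optional[int]  # None = any destination port
    translation: str      # address written into the source field


# Addresses owned by the firewall itself. WAN (100.0.0.10) and loopback are
# from the thread; the LAN gateway address 192.168.1.1 is an assumption.
FIREWALL_SELF = {
    ipaddress.ip_address("100.0.0.10"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("192.168.1.1"),
}


def _src_matches(rule_src: str, pkt_src: str) -> bool:
    addr = ipaddress.ip_address(pkt_src)
    if rule_src == "self":
        return addr in FIREWALL_SELF
    return addr in ipaddress.ip_network(rule_src, strict=False)


def _dst_matches(rule_dst: str, pkt_dst: str) -> bool:
    if rule_dst == "any":
        return True
    return ipaddress.ip_address(pkt_dst) in ipaddress.ip_network(rule_dst, strict=False)


def matches(rule: OutboundRule, pkt: Packet) -> bool:
    return (rule.interface == pkt.egress
            and rule.proto in ("any", pkt.proto)
            and _src_matches(rule.source, pkt.src)
            and _dst_matches(rule.dest, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def translate_source(pkt: Packet, rules: list) -> Optional[str]:
    """First matching outbound rule wins. None means the packet leaves with
    its original source address, i.e. no translation happened."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.translation
    return None


# Rule set as described in the original post: only loopback sources get the
# public IP. The LAN rule is assumed; LAN clients could reach 1.1.1.1 directly.
ORIGINAL_RULES = [
    OutboundRule("WAN", "any", "127.0.0.1/8", "any", None, "45.0.0.1"),
    OutboundRule("WAN", "any", "192.168.1.0/24", "any", None, "45.0.0.1"),
]

# Rule set after the SOLUTION: firewall-originated UDP/53 also gets the public
# IP, and nothing else the firewall itself sends is widened by the new rule.
FIXED_RULES = [
    OutboundRule("WAN", "udp", "self", "any", 53, "45.0.0.1"),
] + ORIGINAL_RULES

# Constructed packets matching what the thread's capture showed.
FIREWALL_DNS_QUERY = Packet("100.0.0.10", "1.1.1.1", "udp", 53, "WAN")
LAN_DNS_QUERY = Packet("192.168.1.10", "1.1.1.1", "udp", 53, "WAN")
FIREWALL_HTTPS = Packet("100.0.0.10", "9.9.9.9", "tcp", 443, "WAN")


def demo() -> dict:
    return {
        "fw_dns_original": translate_source(FIREWALL_DNS_QUERY, ORIGINAL_RULES),
        "fw_dns_fixed": translate_source(FIREWALL_DNS_QUERY, FIXED_RULES),
        "lan_dns_fixed": translate_source(LAN_DNS_QUERY, FIXED_RULES),
        "fw_https_fixed": translate_source(FIREWALL_HTTPS, FIXED_RULES),
    }


if __name__ == "__main__":
    for name, src in demo().items():
        print(f"{name}: leaves WAN with source {src or 'untranslated (100.0.0.10)'}")
```

Running it shows the forwarder's query untranslated under the original rules and rewritten to 45.0.0.1 under the fixed ones, while the narrow protocol/port scope of the added rule leaves other firewall-originated traffic (the TCP/443 packet) alone; that scoping is the reason to prefer a dedicated UDP/53 rule over a catch-all "self to any" translation.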
      Grimeton (Feb 8, 2020, 7:38 PM)

      Src NATing from a loopback interface needs to be enabled. Also, you should run a DNS resolver like unbound. You can set the outgoing interface there, e.g. the WAN interface, and then run a source NAT rule on that WAN interface for all requests coming from any/any going to any/udp/53.

      Problem solved.

        Nono_ (Feb 10, 2020, 7:26 AM)

        Hi @Grimeton,
        Thanks for the answer, but I'm not sure I follow.
        As stated, the external connection works and I didn't have to enable anything on the loopback interface? Could you please specify where I may find this option?

        Also, regarding DNS, the idea would be to use an external DNS server (likely 1.1.1.1 or 9.9.9.9) on the pfSense, and use those together with the DNS Forwarder on all my LAN devices. Why should I use a DNS resolver? As far as I know, you can't have the DNS Resolver together with the DNS Forwarder?

        Finally, for a NAT rule, I don't seem to be able to use any/any, especially for the redirection, as a target IP needs to be entered.

        Would you mind explaining your idea in a bit more detail?

          Nono_ (replying to Nono_, Feb 10, 2020, 8:52 AM)

          Finally, I've solved the issue by creating a specific outbound rule for the DNS requests (see the edited top post).

            Grimeton (replying to Nono_, Feb 10, 2020, 10:26 AM)

            @Nono_ A DNS forwarder is nothing else than a stripped-down resolver. The only difference is that unbound can do more than just resolve. Besides that, even dnsmasq can hold host entries nowadays, but anyway...

            When you tell a program to use 127.0.0.1 as its source address, then the packet filters aren't applied to 127.0.0.1. There's a sysctl variable that needs to be set in order to enable this behaviour.

            That's all.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.