[SOLVED] DNS Forwarding behind (S)NATed network
The solution was to create a dedicated NAT Outbound rule like so:
Interface: WAN
Protocol: UDP
Source: This firewall (self)
Destination: Any (port 53)
Translation address: 188.8.131.52
My pfSense is behind a NAT network, so I have to use an SNAT IP, which is my public IP.
So, currently my pfSense is set up like this:
WAN interface: 184.108.40.206; GW: 220.127.116.11
LAN interface: 192.168.1.0
Virtual IP "Public IP": 18.104.22.168
DNS Servers: 22.214.171.124 & 126.96.36.199
DNS Forwarder: enabled on ALL interfaces.
NAT Outbound rules:
Translation IP: 188.8.131.52
When I capture packets on the pfSense (filtered on port 53), I can only see my WAN IP (184.108.40.206) trying to reach either 220.127.116.11 or 18.104.22.168, but there is no answer.
I tried to create all sorts of NAT Port Forwarding rules but didn't find any solution.
I don't know what I'm missing; could someone maybe help me figure it out?
I've tested "ping" and "DNS lookup"; neither of them can resolve any domain, so I guess my pfSense cannot get any DNS answer from the DNS servers that are set up?
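The symptom described above (queries leaving the firewall, nothing coming back) is easiest to confirm by pairing each query in a port-53 capture with its reply. The following Python script is an added example, not code from the thread or from pfSense: it parses `tcpdump -n port 53`-style text lines, keys every query by client address, client port, server address and DNS transaction id, and reports per source IP how many distinct queries were sent and how many were answered. The capture lines, their exact text format and all function names are constructed for this example; the addresses reuse the ones quoted in the post.

```python
"""Pair DNS queries with their responses in a tcpdump-style text capture and
report, per source IP, how many queries never got an answer.

The capture below is constructed for this example (addresses taken from the
thread); the line format assumed is the one printed by 'tcpdump -n port 53'.
"""
import re
from collections import defaultdict

# Assumed line shape: "<time> IP <src>.<sport> > <dst>.<dport>: <txid><flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*|$-]*)\s*(?P<rest>.*)$"
)

# Constructed sample: two queries from the WAN address (one retransmitted) that
# are never answered, and one query from the public VIP that is answered.
CAPTURE = """\
10:00:01.000100 IP 184.108.40.206.54011 > 22.214.171.124.53: 41001+ A? example.com. (29)
10:00:01.000200 IP 184.108.40.206.54012 > 126.96.36.199.53: 41002+ A? example.org. (29)
10:00:03.000300 IP 184.108.40.206.54011 > 22.214.171.124.53: 41001+ A? example.com. (29)
10:00:05.000400 IP 18.104.22.168.54013 > 22.214.171.124.53: 41003+ A? example.net. (29)
10:00:05.020500 IP 22.214.171.124.53 > 18.104.22.168.54013: 41003 1/0/0 A 192.0.2.10 (45)
"""


def parse_line(line):
    """Return a dict for one capture line, or None if it does not match the assumed shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    # A query goes to port 53 and carries a question such as "A? name."; anything
    # sourced from port 53 is treated as a response.
    pkt["is_query"] = pkt["dport"] == "53" and "?" in pkt["rest"]
    pkt["is_response"] = pkt["sport"] == "53"
    return pkt


def pair_queries(lines):
    """Key each query by (client ip, client port, server ip, txid) and mark it answered
    when a response travels the reverse path with the same txid. Retransmissions of
    the same query collapse onto one key and are counted in 'sent'."""
    queries = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["is_query"]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["txid"])
            entry = queries.setdefault(
                key, {"question": pkt["rest"].split(" (")[0], "sent": 0, "answered": False}
            )
            entry["sent"] += 1
        elif pkt["is_response"]:
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["txid"])
            if key in queries:
                queries[key]["answered"] = True
    return queries


def unanswered_queries(lines):
    """List (client ip, server ip, question) for every query without a matching reply."""
    return [
        (key[0], key[2], entry["question"])
        for key, entry in pair_queries(lines).items()
        if not entry["answered"]
    ]


def summarize_by_source(lines):
    """Per source IP: distinct queries sent and how many of them were answered.
    A source with answered == 0 is the address whose traffic is not being
    translated (or whose replies are not coming back through the NAT)."""
    summary = defaultdict(lambda: {"queries": 0, "answered": 0})
    for key, entry in pair_queries(lines).items():
        summary[key[0]]["queries"] += 1
        if entry["answered"]:
            summary[key[0]]["answered"] += 1
    return dict(summary)


if __name__ == "__main__":
    sample = CAPTURE.splitlines()
    for src, stats in summarize_by_source(sample).items():
        print(f"{src}: {stats['answered']}/{stats['queries']} queries answered")
    for client, server, question in unanswered_queries(sample):
        print(f"  no reply: {client} -> {server} {question}")
```

Running it on the constructed capture shows 0/2 answered for the WAN address and 1/1 for the public VIP, which is the pattern to expect when queries sourced from the firewall itself are not covered by the outbound NAT rule. On a real capture, feed it the output of `tcpdump -n -i <wan> port 53` saved to a file.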
Grimeton last edited by
Source NATing from a loopback interface needs to be enabled. Also, you should run a DNS resolver like unbound. You can set the outgoing interface there, e.g. the WAN interface, and then run a source NAT rule on that WAN interface for all requests coming from any/any going to any/udp/53.
Thanks for the answer, but I'm not sure I follow.
As stated, the external connection works and I didn't have to enable anything on the loopback interface? Could you please specify where I may find this option?
Also, regarding DNS, the idea would be to use an external DNS server (likely 22.214.171.124 or 126.96.36.199) on the pfSense, and use those together with the DNS Forwarder on all my LAN devices. Why should I use a DNS Resolver? As far as I know, you can't have the DNS Resolver together with the DNS Forwarder?
Finally, for NAT rules, I don't seem to be able to use any/any, especially for the redirection, as a target IP needs to be entered.
Would you mind explaining your idea in a bit more detail?
Finally, I've solved the issue by creating a specific outbound rule for the DNS requests (see top post, edited).
Grimeton last edited by
@Nono_ A DNS forwarder is nothing else than a stripped-down resolver. The only difference is that unbound can do more than just resolve. Besides that, even dnsmasq can hold host entries nowadays, but anyway...
When you tell a program to use 127.0.0.1 as its source address then the packet filters aren't applied to 127.0.0.1. There's a sysctl variable that needs to be set in order to enable this behaviour.