pfSense dns port forwarding to 127.0.0.1 in multi-lan bridged environment
  • Hi all,
    I am trying to set up DNS port forwarding so pfSense intercepts DNS requests and prevents them from getting outside the network. I have done it before in other setups, but now I am running a bridged setup and I am having trouble getting it working.

    The setup is as follows:

    3 interfaces (one for LAN, one for WiFi, one for testing) are bridged together, in a dual WAN setup (H/A), with traffic shaping on each of the WANs and working perfectly. There is only one internal network (192.168.10.x), and firewall rules are created on each of the interfaces in order to allow/deny specific devices to see others or to get access to the internet, using alias combinations.

    • If I set the port forwarding rule on the Bridge port, the DNS request goes through to the internet.

    • If I set the port forwarding rule on the interface port, the DNS request is redirected to 127.0.0.1 and I can see the states are created, but unbound is not answering. Actually, tcpdump is not seeing anything on the lo interface. Rules to allow localhost DNS are created on all interfaces except the WANs, as the first rule on the list.

    • If I set up the port forwarding rule on the interface port, but forward to 192.168.10.1 (pfSense), unbound is answering but dig is complaining about a reply from an unexpected source. Using interface-automatic: yes in the unbound custom options is not working, though this is expected to be the solution.

    Any ideas?
    I have tried either to get 127.0.0.1 to answer or to fix the unbound interface-automatic issue, with no success.

    I assume the simplest solution would be not to have a bridge and to use different interfaces and networks with their own rules, but unfortunately traffic shaping is not an option in this kind of multi-LAN scenario, and due to the quality of the internet in this area, removing it is not an option for me.