Netgate Discussion Forum

NAT / reply from unexpected source

    jpgpi250
    last edited by Oct 25, 2021, 3:44 PM

    I have a NAT rule that redirects all DNS requests NOT originating from my internal DNS server to my DNS server.

    This works fine, the NAT rule redirects the traffic, the DNS server resolves the query, the firewall ensures the client is convinced the reply is coming from the (unauthorized) DNS server.

    e.g. dig @8.8.8.8 example.com is redirected to my internal DNS server, the reply appears to be coming from 8.8.8.8 (client perspective).

    Now I want to do the following

    client request to 8.8.8.8 (or any other unauthorized DNS server) -> NAT redirects to monitoring machine (192.168.3.5) -> monitoring intercepts the request (tcpdump) but the dns request is also forwarded (using dnsmasq) to my internal dns server.

    if the client is on a different subnet than the monitor, it works perfectly, again the originating client is convinced the reply is coming from 8.8.8.8

    if however, the client is on the same subnet as the monitor, the reply is no longer processed by the firewall, but is going directly from the monitor machine (dnsmasq is running there) to the client. The result (only for clients on the same subnet as the monitor) is reply from unexpected source.

    The question: Is there a way to prevent the dnsmasq instance on the monitoring device to directly reply to the client (on the same subnet), e.g. ensure the firewall does what it needs to do to convince the client the reply is from the DNS server it specified in the request.

    Thanks for your time and effort.

      viragomann @jpgpi250
      last edited by Oct 25, 2021, 4:12 PM

      @jpgpi250
      You can masquerade the redirections to the monitor with the pfSense interface IP. However, this lets the monitor think that the request is coming from pfSense instead of the origin client.

        jpgpi250 @viragomann
        last edited by Oct 25, 2021, 4:25 PM

        @viragomann

        great....

        and how do I do that?

          viragomann @jpgpi250
          last edited by Oct 25, 2021, 4:32 PM

          @jpgpi250
          It's to be set in Firewall > NAT > Outbound.

          If your Outbound NAT is working in automatic mode switch to the hybrid mode first and save it.

          Then add a new rule like this:
          interface: the one facing the monitoring host / client
          protocol: TCP/UDP
          source: the client's subnet
          dest: the monitoring IP
          dest. port: 53
          translation: interface address

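Added example, not code from the thread or from pfSense: a small Python model of the three cases discussed above (client on another subnet, client on the monitor's subnet without and with the outbound NAT rule). It assumes the pfSense address on the monitor's interface is 192.168.3.1 and shows why the reply bypasses the firewall on-link and how masquerading the redirected query fixes it, at the cost of the monitor seeing pfSense as the query source.

```python
# Constructed model of the thread's DNS-redirect scenario; not pfSense code.
# Addresses from the thread: monitor 192.168.3.5, unauthorized resolver 8.8.8.8.
# Assumed: pfSense LAN address 192.168.3.1, client source port 40000.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITOR_NET = ip_network("192.168.3.0/24")
FW_IP = "192.168.3.1"          # assumed pfSense address on the monitor's interface
MONITOR = "192.168.3.5"        # dnsmasq + tcpdump host
UNAUTHORIZED_DNS = "8.8.8.8"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


class Firewall:
    """Port-forward (rdr) of DNS to the monitor, optionally masqueraded."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade   # True = the outbound NAT rule from the answer
        self.states = {}               # reply tuple -> (client, original dst)

    def redirect(self, q: Pkt) -> Pkt:
        src = FW_IP if self.masquerade else q.src
        self.states[(MONITOR, q.dport, src, q.sport)] = (q.src, q.dst)
        return Pkt(src, MONITOR, q.sport, q.dport)

    def untranslate(self, r: Pkt) -> Pkt:
        client, orig_dst = self.states[(r.src, r.sport, r.dst, r.dport)]
        return Pkt(orig_dst, client, r.sport, r.dport)


def dns_exchange(client: str, masquerade: bool) -> tuple:
    """Return (query source the monitor sees, reply source the client sees)."""
    fw = Firewall(masquerade)
    at_monitor = fw.redirect(Pkt(client, UNAUTHORIZED_DNS, 40000, 53))
    reply = Pkt(MONITOR, at_monitor.src, 53, at_monitor.sport)
    # On-link destination: the monitor answers directly and the firewall never
    # sees the reply, so no un-translation happens ("reply from unexpected source").
    if ip_address(reply.dst) in MONITOR_NET and reply.dst != FW_IP:
        return at_monitor.src, reply.src
    return at_monitor.src, fw.untranslate(reply).src
```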