    seeking advice on using "Enable automatic outbound NAT for Reflection"

    • Ellis Michael Lieberman

      I want to redirect all requests from any local device seeking Google DNS (8.8.8.8 & 8.8.4.4) to my local BIND servers (192.168.1.70 and 192.168.1.74).

      I gather I need to enable "Enable automatic outbound NAT for Reflection"

      I read it must be for a specific port. Would that be for port 53?

      I am not sure where to set up the rule.

      AND... if I enable that and need to set up a rule, will I be potentially creating other problems? As all is working perfectly now, I don't want to introduce new problems.

      Want to know why I want to do this? It is because Android says you can redirect DNS in WiFi... but it doesn't and I have proved it. It ignores local BIND records and uses public records.

      • SteveITS Galactic Empire @Ellis Michael Lieberman

        @Ellis-Michael-Lieberman Not sure about outbound NAT, I wouldn’t think that is needed?

        Sounds like you want this but with a LAN IP instead of localhost:
        https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

        You should be able to set up two rules, with 8.8.8.8 & 8.8.4.4 as destinations. Though that would not redirect other DNS servers…you could add the example rule as a third rule.

        Many browsers use DNS over HTTPS and skirt local DNS servers. That’s another level:
        https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Ellis Michael Lieberman @SteveITS

          Hi @SteveITS,

          The problem is related to my ability to access my local mail server on my LAN from my Android phones. The phones all are manually numbered between 192.168.1.20 through 192.168.1.29. Their DNS is manually numbered to the local BIND servers, but that part isn't working.

          Because of that, I do not think the example you recommend will work.

          When the cellphones are on the WiFi, Mail apps can't "find" the local mail server, even though when using the Cell App IP Tools and talking to the local DNS the phone can see what the BIND server has --- it's all there.

          I guess it is possible that though I am NOT using HTTP in the mail app, the Android might be avoiding the local DNS via HTTP, but my best guess is that they are simply sending name server traffic to their servers for tracking purposes. My wired PCs can resolve the local server without a problem, so it's not the BIND servers.

          Anyway, so this rule is only for the cellphones.

          I have snapshots of the funky Android behavior but I have not linked them here.

          • SteveITS Galactic Empire @Ellis Michael Lieberman

            @Ellis-Michael-Lieberman You could try blocking outbound port 53 (tcp/udp) and maybe 853 for everything except your DNS servers, and see if that helps.

            If the phones are already set to use only local DNS then there may be a different issue at play or maybe the app is using DoH and bypassing the configured DNS servers.


            • Ellis Michael Lieberman @SteveITS

              @SteveITS
              Thanks for the suggestion. I know you can't know all I have done to isolate the problem. I have literally been dealing with this for over five years, across four separate Android devices, four versions of Android OS, and seven email apps.

              As it is over all of them AND the problem is ONLY on Android, I do not want to redirect anything except Android. I also need to not block, but rather redirect the requests from the phones to the local DNS. They are clearly getting their name-service from a public server. I sincerely doubt all the apps are using something such as

              I do NOT want to limit what other devices can do as I use public ports for testing.

              Android has a setting for DoH called Private DNS via cell service, but it uses third party services, not local ones and mine is set to OFF, so DoH should not be functioning in any case.

              So the issue is, how to do this...
              Phone (WiFi) --> call to public DNS --> redirected to local BIND --> Phone

              Isn't that "automatic outbound NAT for Reflection"?

              • SteveITS Galactic Empire @Ellis Michael Lieberman

                @Ellis-Michael-Lieberman honestly, I don’t understand the “for Reflection” part, are you seeing that written somewhere? I may just be unaware. Outbound NAT is for translating to a specific IP for another network. Reflection is making port forwards on another interface work from inside the network/router.

                The ideas above assume you know the IPs of the phones…DHCP reservation etc. A NAT forward can have an alias with specific IPs as Source. IPv6 is harder to use like that because most apps use temporary addresses and a device can have many.

                I’m pretty sure the recipe above will do what you want, but I’ve never had to use it.


                • Bob.Dig LAYER 8 @Ellis Michael Lieberman

                  @Ellis-Michael-Lieberman SteveITS is right. From what you have said in your first post, this is what you want.

                  About your email server problems we don't know anything.

                  • Ellis Michael Lieberman @Bob.Dig

                    @Bob-Dig,

                    I tried it but it blocked all traffic.

                    • SteveITS Galactic Empire @Ellis Michael Lieberman

                      @Ellis-Michael-Lieberman your image has the rule disabled but aside from that:

                      It applies to source “not cell phones”. That includes the pfSense LAN IP which the recipe said to exclude. I think you want “only cell phones”? So uncheck the invert box.

                      Reflection at the bottom is set to system default not disabled.

                      When the phones connect out you can use Diagnostics/States to view their outbound connections by IP.

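                      As an added example (not from this thread, and not pfSense's generated ruleset), a hand-written pf.conf fragment expressing the rule set discussed above: the DNS redirect with the phones as the non-inverted source, the firewall's own LAN address excluded as destination, and an optional block of DNS-over-TLS (853) from the phones only. The LAN interface name em1 is an assumption; the phone and BIND addresses are the ones given in the thread.

```pf
# Added example: hand-written pf.conf fragment for the pfSense DNS-redirect
# recipe as discussed in the thread. pfSense generates its own rules from the
# GUI, so this is for understanding and checking with pfctl, not for pasting.
# Assumptions: LAN interface is em1 (assumed), phones are 192.168.1.20-.29,
# BIND servers are 192.168.1.70 and 192.168.1.74 (from the thread).

lan_if = "em1"

# Source alias: ONLY the phones. In the pfSense GUI this is the alias in the
# port forward's Source field with "Invert match" left unchecked; inverting
# it matched everything else on the LAN, including the firewall itself.
table <cellphones> { 192.168.1.20 192.168.1.21 192.168.1.22 192.168.1.23 \
                     192.168.1.24 192.168.1.25 192.168.1.26 192.168.1.27 \
                     192.168.1.28 192.168.1.29 }

table <local_dns> { 192.168.1.70 192.168.1.74 }

# Redirect: any plain DNS the phones send to a destination that is NOT the
# firewall's own LAN address (recipe: Destination = invert, LAN address)
# is rewritten to the first BIND server. 8.8.8.8 and 8.8.4.4 are covered
# because the rule matches every non-firewall destination on port 53.
# This is a redirect on the LAN interface, so NAT reflection is not involved;
# leave "NAT reflection" on the port forward set to Disabled.
rdr pass on $lan_if inet proto { tcp udp } \
    from <cellphones> to ! ($lan_if) port 53 -> 192.168.1.70 port 53

# Optional (SteveITS's suggestion): stop the phones from using DNS-over-TLS
# to anything but the local servers, so they fall back to plain DNS that
# the rule above redirects. "block return" sends a reset/unreachable so the
# client fails fast instead of waiting for a timeout.
block return in quick on $lan_if inet proto { tcp udp } \
    from <cellphones> to ! <local_dns> port 853

# Let the (now redirected) DNS reach BIND explicitly.
pass in quick on $lan_if inet proto { tcp udp } \
    from <cellphones> to <local_dns> port 53
```

                      On the firewall, `pfctl -sn` shows the active rdr rules and `pfctl -ss` (Diagnostics/States in the GUI) shows whether a phone's port-53 connections are being translated to the BIND server rather than leaving for 8.8.8.8.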

                      • Ellis Michael Lieberman @SteveITS

                        @SteveITS

                        Yes, OK, I got it. It is no longer blocking everything else, so the rule works, but the issue with my Android eludes me.

                        Thanks for the very patient help.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.