Netgate Discussion Forum

pfSense with port forward AND outbound NAT - rewrite source IP address

7 Posts 2 Posters 281 Views
    jarlel
    last edited by Apr 29, 2025, 8:08 AM

    Hi all,

    I want to use pfSense as a DNS relay/proxy. I have virtual IP-addresses that I want to use as:

    VIP 1: Destination IP-address for the source DNS requests from group A clients
    VIP 2: Source IP-address for the outgoing DNS requests that

    VIP 3: Destination IP-address for the source DNS requests from group B clients
    VIP 4: Source IP-address for the outgoing DNS requests that

    I have port forwards for the incoming packets that hit VIP 1 and VIP 3. These packets are forwarded to two different destination IP-addresses (these are the actual DNS servers).

    I have two outbound NAT rules that should rewrite the source IP-address for the outgoing packets. I want to rewrite the source IP address to VIP 2 for the packets that hit VIP 1.
    I want to rewrite the source IP address to VIP 4 for the packets that hit VIP 3.

    The problem is that I have not succeeded in matching the rules based on which VIP the incoming packets hit. Is this possible? How can I do it?

      johnpoz LAYER 8 Global Moderator @jarlel
      last edited by Apr 29, 2025, 11:47 AM

      @jarlel so I send a dns request to vip 1, and you want to answer me from source IP vip 2?

      Why would you think that would work? For starters the client that sent query to vip 1, why would he accept the answer from vip2?

      And if the client is behind a nat, why would his firewall accept the return traffic in its state table to even return to the client behind it?

      Or am I not understanding what you're wanting to do?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        jarlel @johnpoz
        last edited by Apr 29, 2025, 12:07 PM

        @johnpoz said in pfSense with port forward AND outbound NAT - rewrite source IP address:

        @jarlel so I send a dns request to vip 1, and you want to answer me from source IP vip 2?

        Why would you think that would work? For starters the client that sent query to vip 1, why would he accept the answer from vip2?

        And if the client is behind a nat, why would his firewall accept the return traffic in its state table to even return to the client behind it?

        Or am I not understanding what you're wanting to do?

        Hi, I might not have explained it detailed enough. pfSense should just be "in the middle" as a proxy/relay. The response from the DNS server(s) should go back to say VIP 2, then back out from VIP 1 to the original client.

          johnpoz LAYER 8 Global Moderator @jarlel
          last edited by johnpoz Apr 29, 2025, 12:16 PM (posted Apr 29, 2025, 12:13 PM)

          @jarlel a port forward isn't a proxy, pfsense IPs wouldn't be seen by the dns server

          client IP ---> pfsense ---> dns

          dns would see the clients IP, and send answer to the client IP.

          1.2.3.4 client on the internet sends traffic to port 53 on pfsense wan IP lets call this 4.5.6.7, which forwards to your dns say 192.168.1.100.

          To the dns the query would come from 1.2.3.4, why would you need/want to nat this to pfsense IP say 192.168.1.1?

          But let's say you did. DNS would send the answer back to 192.168.1.1, pfsense would know to send this back to 1.2.3.4, there is nothing really to do. Not understanding why you're trying to bring vips 1 and 2 and 3 and 4 into it?

          But even if you use vips - if you outbound nat traffic you send to your dns so it looks like it comes from a pfsense ip be it actual IP or vip, the dns would send the answer back to the source IP of the query it got.


            jarlel @johnpoz
            last edited by jarlel Apr 29, 2025, 12:34 PM (posted Apr 29, 2025, 12:33 PM)

            @johnpoz I already have this working, but with matching on the destination instead of source (I want to match on source).

            So the packet flow is:

            DNS Request:
            DNS Request from Client --> pfSense VIP 1 --> Port forward for UDP53 to external DNS IP port 53 --> Outbound NAT with rewrite so the source becomes VIP 2

            DNS Response:
            DNS Response from DNS server port 53 --> pfSense VIP 2 --> pfSense VIP 1 --> Client

            This works as it should, but the last part for the request is where I want to match on SOURCE instead of destination. That is where I need some assistance - how can I match on source?

            WHY? Because the DNS servers have different filters based on which source IPs the request comes from. I want to control which clients get different DNS filters, so that is why I want to control the source IPs for the different clients' DNS requests.

              johnpoz LAYER 8 Global Moderator @jarlel
              last edited by Apr 29, 2025, 1:00 PM

              @jarlel said in pfSense with port forward AND outbound NAT - rewrite source IP address:

              WHY? Because the DNS servers have different filters based on which source IPs the request comes from

              Even if you get that to work - you have a problem with the answers being cached in unbound.

              client A asks for something.tld, which is allowed for client A.

              Now client B asks for something.tld which should be blocked for client B, but unbound already has it cached, so it sends client B the answer.


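The caching problem johnpoz raises above is worth seeing concretely. The following is an added example, not code from the thread or from pfSense/unbound: a toy caching resolver in front of an upstream that filters by source VIP, as in jarlel's setup. With one shared cache, the first allowed lookup by a group A client is served from cache to a group B client that the upstream would have blocked; keying the cache on the client group (or not caching at all, as jarlel says the upstream itself does) removes the leak. All IP addresses, names and filter lists are constructed for illustration.

```python
# Added example (not from the forum thread or from pfSense/unbound code).
# Models a caching resolver that forwards queries to a source-filtered
# upstream, to show why a cache shared across client groups defeats
# per-source-IP DNS filtering, and how partitioning the cache by group fixes it.
# All names, IPs and filter lists below are constructed for illustration.

from typing import Dict, Optional, Tuple

# Constructed upstream behaviour: the upstream answers differently depending
# on which source VIP the query arrives from (the "filters" in the thread).
UPSTREAM_BLOCKLIST = {
    "VIP2": set(),               # group A's source VIP: nothing blocked
    "VIP4": {"something.tld"},   # group B's source VIP: something.tld blocked
}

# Constructed mapping: which VIP each client sends queries to, and which
# source VIP those queries leave on (the outbound NAT rewrite in the thread).
CLIENT_DEST_VIP = {"10.0.1.10": "VIP1", "10.0.2.10": "VIP3"}
SOURCE_VIP_FOR = {"VIP1": "VIP2", "VIP3": "VIP4"}

# Constructed zone data the upstream would return when not filtered.
FAKE_ZONE = {"something.tld": "203.0.113.5", "example.net": "198.51.100.7"}


def upstream_query(name: str, source_vip: str) -> Optional[str]:
    """Constructed upstream: return an A record, or None when the filter for
    this source VIP blocks the name (stands in for NXDOMAIN / a sinkhole)."""
    if name in UPSTREAM_BLOCKLIST[source_vip]:
        return None
    return FAKE_ZONE.get(name)


class CachingRelay:
    """Toy resolver/relay. With partition_by_group=False it behaves like a
    single shared cache; with True the cache key includes the source VIP."""

    def __init__(self, partition_by_group: bool) -> None:
        self.partition_by_group = partition_by_group
        self.cache: Dict[Tuple[str, ...], Optional[str]] = {}
        self.upstream_calls = 0  # how many queries actually reached the upstream

    def resolve(self, client_ip: str, name: str) -> Optional[str]:
        dest_vip = CLIENT_DEST_VIP[client_ip]
        source_vip = SOURCE_VIP_FOR[dest_vip]
        key = (name, source_vip) if self.partition_by_group else (name,)
        if key in self.cache:
            return self.cache[key]          # served from cache, upstream never consulted
        self.upstream_calls += 1
        answer = upstream_query(name, source_vip)
        self.cache[key] = answer            # negative answers are cached too
        return answer


def run_scenario(partition_by_group: bool):
    """Group A client asks first (allowed), then group B client asks the same
    name (should be blocked). Returns (answer_a, answer_b, upstream_calls)."""
    relay = CachingRelay(partition_by_group)
    answer_a = relay.resolve("10.0.1.10", "something.tld")
    answer_b = relay.resolve("10.0.2.10", "something.tld")
    return answer_a, answer_b, relay.upstream_calls


if __name__ == "__main__":
    print("shared cache:     ", run_scenario(False))
    print("partitioned cache:", run_scenario(True))
```

With the shared cache the second call returns the cached address and the upstream is only consulted once, so the group B filter never applies; with the per-group key the group B query goes upstream and is blocked. The same reasoning applies to any caching layer between the clients and the filtering upstream, not only to unbound.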
                jarlel @johnpoz
                last edited by Apr 30, 2025, 6:59 AM

                @johnpoz said in pfSense with port forward AND outbound NAT - rewrite source IP address:

                @jarlel said in pfSense with port forward AND outbound NAT - rewrite source IP address:

                WHY? Because the DNS servers have different filters based on which source IPs the request comes from

                Even if you get that to work - you have a problem with the answers being cached in unbound.

                client A asks for something.tld, which is allowed for client A.

                Now client B asks for something.tld which should be blocked for client B, but unbound already has it cached, so it sends client B the answer.

                There is no difference in the filters for clients in the same "client group". All clients using VIP 1 as DNS-server have the same filter/rules. All clients using VIP 2 as DNS-server have the same filter/rules.

                The DNS-server is a public one with some special services/filtering, so all requests are considered and evaluated without caching.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.