Odd DNS Issues with Bridged Interface
I did some basic searching, but don't see anything similar to my current troubles.
I'm working on replacing a Watchguard Firebox with pfSense (the Watchguard VPN capability is rather bad, and the configuration tool is Windows-only (2000 - XP only) due to not paying the yearly maintenance fee). Only one thing seems to be holding up my deployment, and it's rather tricky.
To start, I have pfSense on an old PIII desktop with one Intel Pro/100 card for WAN (integrated on the motherboard) and two 3Com 3c905 cards for LAN and Opt1. My IP range is a static /25 block. The router is using .1 on the network, so I assigned pfSense as .2. Opt1 is bridged with the WAN interface as the servers on this segment are using public IPs. LAN is using NAT.
I have rules working so that I can access port 80 (http) on a few servers off Opt1 and that's working fine. I also can access the same servers from LAN, which is fine as well. The trouble is DNS.
I have a caching DNS server on Opt1. It acts as a local resolver for the LAN segment and also has a few TLDs that we use internally for various services. I can query the server for the TLDs it resolves directly from the LAN and even from outside our network when I add the correct rule. The trouble comes when it tries to make DNS queries externally. I had specifically set up an allow rule for TCP/UDP port 53 (DNS) with logging enabled for diagnostic purposes. At the server console, I ran the dig tool to find the A record of mozilla.org and specifically directed it to 18.104.22.168 (a public resolving server run by Level3). The firewall logs show that the pass rule was used, however I get nothing back. Dig simply says that the server timed out.
What needs to be changed to have this function?
GruensFroeschli
Where did you create this allow rule?
On the WAN or on the OPT side?
Could you show a screenshot of this/these rule/s?
Also it might help to know if you created any NAT port forwards for DNS and if so, did you also enable NAT reflection?
I actually figured out the problem.
When I bridged the interface, I also added an entry in the gateway field. Once I read the description a few times this morning, I figured out that it should have been blank. Sure enough, blanking that field fixed my problems.
Now I'm on to re-creating all the old rules, then seeing if I can't use the old Firebox and get rid of the bulky 300PL I'm currently using.
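The symptom in this thread (firewall logs a pass on port 53, but dig reports a timeout) is the classic sign of a broken return path rather than a blocked query: the packet leaves, the reply never comes back. The script below is an added diagnostic example, not code from the thread or from pfSense. It builds a DNS A query the way dig does, parses the reply, and probes a resolver over UDP or TCP with a timeout, so that "no reply at all" (timeout) can be told apart from "reply path works but nothing is listening" (refused). The resolver address and the sample response bytes are constructed placeholders.

```python
"""Minimal DNS probe: build an A query, parse the answer, classify the outcome.

Added example for diagnosing "pass rule logged but dig times out"; it is not
part of the pfSense project. Server addresses and SAMPLE_RESPONSE are made up.
"""
import random
import socket
import struct

DEFAULT_TIMEOUT = 2.0


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """RFC 1035 query: header with RD set, one question for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes, expected_txid: int):
    """Return (rcode, [(name, ipv4, ttl), ...]) for the A records in a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply?)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata), ttl))
    return rcode, answers


def probe_resolver(server: str, name: str, use_tcp: bool = False,
                   timeout: float = DEFAULT_TIMEOUT) -> str:
    """Send one query and classify: 'timeout', 'refused', or the parsed answer."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid)
    try:
        if use_tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                length = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"   # nothing came back: suspect the return path, not the rule
    except ConnectionRefusedError:
        return "refused"   # ICMP unreachable / TCP RST: path works, no listener
    rcode, answers = parse_response(data, txid)
    return f"rcode={rcode} answers={answers}"


# Constructed sample reply (txid 0x1234, NOERROR, mozilla.org A 192.0.2.10, TTL 60)
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07mozilla\x03org\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")


def demo_offline():
    """Parse the constructed reply without touching the network."""
    return parse_response(SAMPLE_RESPONSE, 0x1234)


if __name__ == "__main__":
    print(demo_offline())
    # Live check (placeholder resolver address); compare UDP and TCP outcomes.
    # print(probe_resolver("192.0.2.53", "mozilla.org"))
    # print(probe_resolver("192.0.2.53", "mozilla.org", use_tcp=True))
```

Running the UDP and TCP probes side by side is the useful part: if both return "timeout" while the firewall logs a pass, the filter is not the problem and the bridged interface's gateway setting (which this thread found should be blank) or another routing detail is the place to look; a "refused" result proves the reply path works.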