Odd DNS Issues with Bridged Interface

  • I did some basic searching, but don't see anything similar to my current troubles.

    I'm working on replacing a Watchguard Firebox with pfSense (the Watchguard VPN capability is rather bad, and the configuration tool is Windows-only for 2000 - XP only due to not paying the yearly maintenance fee). Only one thing seems to be holding up my deployment, and it's rather tricky.

    To start, I have pfSense on an old PIII desktop with one Intel Pro/100 card for WAN (integrated on the motherboard) and two 3Com 3c905 cards for LAN and Opt1. My IP range is a static /25 block. The router is using .1 on the network, so I assigned pfSense as .2. Opt1 is bridged with the WAN interface as the servers on this segment are using public IPs. LAN is using NAT.

    I have rules working so that I can access port 80 (http) on a few servers off Opt1 and that's working fine. I also can access the same servers from LAN, which is fine as well. The trouble is DNS.

    I have a caching DNS server on Opt1. It acts as a local resolver for the LAN segment and also has a few TLDs that we use internally for various services. I can query the server for the TLDs it resolves directly from the LAN and even outside our network when I add the correct rule. The trouble comes from when it tries to make DNS queries externally. I had specifically set up an allow rule for TCP/UDP port 53 (DNS) with logging enabled for diagnostic purposes. At the server console, I ran the dig tool to find the A record of mozilla.org and specifically directed it to (a public resolving server ran by Level3). The firewall logs show that the pass rule was used, however I get nothing back. Dig simply says that the server timed out.

    What needs to be changed to have this function?

  • Where did you create this allow rule?
    On the WAN or on the OPT side?
    Could you show a screenshot of this/these rule/s?

  • Rebel Alliance Developer Netgate

    Also it might help to know if you created any NAT port forwards for DNS and if so, did you also enable NAT reflection?

  • I actually figured out the problem.

    When I bridged the interface, I also added an entry in the gateway field. Once I read the description a few times this morning, I figured out that it should have been blank. Sure enough, blanking that field fixed my problems.

    Now I'm on to re-creating all the old rules then seeing it I can't use the old Firebox and get rid of the bulky 300PL I'm currently using.

Log in to reply