Issue with using TCP port 53 for other than DNS



  • So I am stuck on an issue. I upgraded to the newest release via autoupdate, and here is my setup:

    NAT rule to redirect port 53T to internal server 22T for the purposes of SSH, to demonstrate the threat to schools from tunneling, etc.

    I have a security rule to allow SSH to the internal 22T.

    This was working, but after an upgrade things don't work any more. What is interesting is that I get a login and key pair exchange but nothing else. If I flip to port 54 it works; back to 53 it fails.

    I disabled the DNS forwarder redirection option on the firewall, but is the firewall kernel trying to do something with 53T in the new version…? What else can I do to find out where the failure is on the box? I assume that the kernel is eating up the port and I can't use it because of internal NAT I can't see, but why? Or do I have a configuration issue?



  • Port forwards override everything running/listening on the system; it doesn't matter if 53 is bound, it'll still get forwarded. Something else changed. Go through the usual troubleshooting process for port forwards: capture on WAN and LAN, see where it gets and where it doesn't.
    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • So I have been extensively testing this: 1 in 4 times it will work; the other 3 I get a peer disconnect. If I move to port 54 or 52 I have a 100% success rate. Unless the 3G service is monitoring TCP 53 and forcing it to be DNS (which should not be the case)…

    This wasn't an issue until the upgrade to RC3, so I also don't suspect that the ISP is up to anything.

    I can run packet dumps on the inside, the outside and the host, and everything looks fine… the packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console, but after typing a key or two it will disconnect.

    If I move to any other port it's no issue.

    Unless it's the timing of RC3 and some changes the ISP did, I am stumped, unless the firewall is somehow handling T53 as DNS and not forwarding it as it should per rule.



  • @spudgunman:

    I can run packet dumps on the inside, the outside and the host, and everything looks fine… the packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console, but after typing a key or two it will disconnect.

    Just stop where, is the question. Compare client-side to server-side; that has your answer. The firewall doesn't treat TCP 53 any differently from 52 or 54 or any other port.
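The advice in the two replies above (capture on WAN and LAN, then compare client-side to server-side to find where the packets stop) is easy to state and tedious to do by eye. The following is an added example, not code from the thread or from pfSense, that automates the comparison: it parses the one-line summaries `tcpdump -n` prints for TCP (e.g. `tcpdump -ni em0 tcp port 53` on WAN and `tcpdump -ni em1 tcp port 22` on LAN), strips the addresses and ports that NAT rewrites so the two sides can be matched, and reports the first packet seen on one side of the firewall but not the other. The interface names, the addresses (203.0.113.5 client, 198.51.100.1 WAN, 192.168.1.10 internal server) and the two capture excerpts are constructed for the example; the excerpt reproduces the symptom described in the thread, an SSH session that gets past the banners and then stops.

```python
import re
from collections import namedtuple

# Matches the one-line summary tcpdump prints for TCP without -v, e.g.
# 12:00:00.000100 IP 203.0.113.5.40000 > 198.51.100.1.53: Flags [S], seq 1000, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

Pkt = namedtuple("Pkt", "ts src sport dst dport flags length")

# Constructed WAN-side capture (client -> firewall WAN address, port 53).
# Three-way handshake, both SSH version banners, then the client's KEXINIT.
WAN_CAPTURE = """
12:00:00.000100 IP 203.0.113.5.40000 > 198.51.100.1.53: Flags [S], seq 1000, win 65535, length 0
12:00:00.000300 IP 198.51.100.1.53 > 203.0.113.5.40000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:00.000500 IP 203.0.113.5.40000 > 198.51.100.1.53: Flags [.], ack 1, win 1040, length 0
12:00:00.001000 IP 203.0.113.5.40000 > 198.51.100.1.53: Flags [P.], seq 1:22, ack 1, win 1040, length 21
12:00:00.002000 IP 198.51.100.1.53 > 203.0.113.5.40000: Flags [P.], seq 1:33, ack 22, win 1040, length 32
12:00:00.003000 IP 203.0.113.5.40000 > 198.51.100.1.53: Flags [P.], seq 22:1062, ack 33, win 1040, length 1040
"""

# Constructed LAN-side capture of the same session after the port forward
# (client -> internal server, port 22). The KEXINIT never shows up here.
LAN_CAPTURE = """
12:00:00.000150 IP 203.0.113.5.40000 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
12:00:00.000250 IP 192.168.1.10.22 > 203.0.113.5.40000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:00.000550 IP 203.0.113.5.40000 > 192.168.1.10.22: Flags [.], ack 1, win 1040, length 0
12:00:00.001050 IP 203.0.113.5.40000 > 192.168.1.10.22: Flags [P.], seq 1:22, ack 1, win 1040, length 21
12:00:00.001950 IP 192.168.1.10.22 > 203.0.113.5.40000: Flags [P.], seq 1:33, ack 22, win 1040, length 32
"""


def parse_tcpdump(text):
    """Parse tcpdump summary lines into Pkt tuples; lines that do not match are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(m["ts"], m["src"], int(m["sport"]), m["dst"],
                            int(m["dport"]), m["flags"], int(m["length"])))
    return pkts


def flow_signature(pkts, server_ip):
    """Reduce a capture to (direction, TCP flags, payload length) tuples.
    The port forward rewrites the destination address and port between WAN
    and LAN, so those are left out; direction, flags and size survive NAT."""
    sig = []
    for p in pkts:
        direction = "client>server" if p.dst == server_ip else "server>client"
        sig.append((direction, p.flags, p.length))
    return sig


def compare_captures(wan_text, lan_text, wan_server_ip, lan_server_ip):
    """Walk the WAN and LAN captures in lockstep; report the first packet
    that differs, or that one side saw and the other did not."""
    wan = flow_signature(parse_tcpdump(wan_text), wan_server_ip)
    lan = flow_signature(parse_tcpdump(lan_text), lan_server_ip)
    common = min(len(wan), len(lan))
    for i in range(common):
        if wan[i] != lan[i]:
            return {"index": i, "missing_on": None, "wan": wan[i], "lan": lan[i]}
    if len(wan) == len(lan):
        return {"index": None, "missing_on": None}
    if len(wan) > len(lan):
        return {"index": common, "missing_on": "lan", "packet": wan[common]}
    return {"index": common, "missing_on": "wan", "packet": lan[common]}


def diagnose(result):
    """Turn a comparison result into the answer the thread is after: which
    side of the firewall the packets stopped on."""
    if result["index"] is None:
        return "captures match: the firewall forwarded everything, look at the client or the server"
    if result["missing_on"] == "lan":
        return "packet %d %s arrived on WAN but never left on LAN: the firewall dropped it inbound" % (
            result["index"], result["packet"])
    if result["missing_on"] == "wan":
        return "packet %d %s left the server but never appeared on WAN: the firewall dropped it outbound" % (
            result["index"], result["packet"])
    return "packet %d differs: WAN %s vs LAN %s" % (result["index"], result["wan"], result["lan"])


if __name__ == "__main__":
    print(diagnose(compare_captures(WAN_CAPTURE, LAN_CAPTURE, "198.51.100.1", "192.168.1.10")))
```

Matching on direction, flags and length rather than on sequence numbers is deliberate: pf can be configured to modulate initial sequence numbers on forwarded states, so seq/ack values are not guaranteed to be identical on the two sides, whereas the shape of the exchange is. With real captures, feed the output of the two tcpdump commands in place of the constructed strings.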



  • So if I roll back to R1, use the same config and it works, do I have any attention then?

    If I put an old Watchguard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.



  • @spudgunman:

    So if I roll back to R1, use the same config and it works, do I have any attention then?

    If I put an old Watchguard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.

    In the general setup options, do you have the option "Do not use the DNS Forwarder as a DNS server for the firewall" checked? Are you running any other packages?



  • Upload the pcaps somewhere and I'll take a look.



  • Just an update: I did downgrade to R2 and it worked. Today I upgraded to the 2.0 release to see if it was fixed, and all good. I never once changed my policy; R3 was failing… but since the release is out now I guess we consider this done! Happy holidays, guys.

