Netgate Discussion Forum

Issue with using TCP port 53 for other than DNS

General pfSense Questions
8 Posts, 3 Posters, 2.6k Views
  • spudgunman, last edited by Aug 7, 2011, 1:46 AM

    So I am stuck on an issue. I upgraded to the newest release via autoupdate, and here is my setup:

    NAT rule to redirect port 53T to internal server 22T for the purposes of SSH, to example the threat to schools for tunneling etc.

    I have a security rule to allow SSH to the internal 22T.

    This was working, but after an upgrade things don't work any more. What is interesting is I get a login and key pair change but nothing else; if I flip to port 54 it works, back to 53 it fails.

    I disabled the DNS forwarder redirection option on the firewall, but is the firewall kernel trying to do something with 53T in the new version? What else can I do to find out where the failure is on the box? I assume that the kernel is eating up the port and I can't use it because of internal NAT I can't see, but why? Or do I have a configuration issue?

    • cmb, last edited by Aug 7, 2011, 3:15 AM

      Port forwards override everything running/listening on the system; it doesn't matter if 53 is bound, it'll still get forwarded. Something else changed. Go through the usual troubleshooting process for port forwards: capture on WAN and LAN, see where it gets and where it doesn't.
      http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

      • spudgunman, last edited by Sep 14, 2011, 5:56 AM

        So I have been extensively testing this: 1 in 4 times it will work; the other 3 I get a peer disconnect. If I move to port 54 or 52 I have a 100% success rate, unless the 3G service is monitoring TCP 53 and forcing it to be DNS (which should not be the case).

        This wasn't an issue until the upgrade to RC3, so I also don't suspect that the ISP is up to anything.

        I can run packet dumps on the inside, the outside and the host; everything looks fine… the packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console. But after typing a key or two it will disconnect.

        If I move to any other port it's no issue.

        Unless it's the timing of RC3 and some changes the ISP did, I am stumped, unless the firewall is somehow handling T53 as DNS and not forwarding it as it should per the rule.

        • cmb, last edited by Sep 15, 2011, 10:58 AM

          @spudgunman:

          I can run packet dumps on the inside, the outside and the host; everything looks fine… the packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console. But after typing a key or two it will disconnect.

          "Just stop" where is the question. Compare client-side to server-side; that has your answer. The firewall doesn't treat TCP 53 any differently from 52 or 54 or any other port.

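The two replies from cmb above both come down to the same check: capture the forwarded flow on both sides of the firewall and find the first packet that is seen on one side but never on the other. The script below is an added example of that comparison, not code from this thread or from the pfSense project. It assumes the captures were taken as plain text with `tcpdump -nn -i em0 tcp port 53` (WAN) and `tcpdump -nn -i em1 tcp port 22` (LAN); the interface names, addresses and the capture lines themselves are constructed for the example, and the LAN capture is deliberately missing the client's third data packet to mimic "the packets just stop flowing after the SSH handshake starts".

```python
"""
Compare a WAN-side and a LAN-side tcpdump of one port-forwarded TCP flow
and report the first packet that crosses one capture point but never shows
up at the other. Added example for this thread; the capture lines below are
constructed, not the poster's real captures.
"""
import re
from typing import Dict, List

# One packet per line as printed by "tcpdump -nn" (no -v). tcpdump prints the
# SYN's absolute sequence number, then relative numbers. Plain NAT rewrites
# addresses and ports but not flags, seq, ack or length, so those fields
# identify the same packet on both sides of the firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?, length (?P<length>\d+)"
)

# Constructed WAN capture (assumed "tcpdump -nn -i em0 tcp port 53"). The
# addresses are documentation ranges, not real hosts.
WAN_CAPTURE = [
    "10:00:00.000100 IP 203.0.113.10.51234 > 198.51.100.1.53: Flags [S], seq 1000, win 65535, options [mss 1460], length 0",
    "10:00:00.020300 IP 198.51.100.1.53 > 203.0.113.10.51234: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0",
    "10:00:00.040500 IP 203.0.113.10.51234 > 198.51.100.1.53: Flags [.], ack 1, win 65535, length 0",
    "10:00:00.060700 IP 203.0.113.10.51234 > 198.51.100.1.53: Flags [P.], seq 1:22, ack 1, win 65535, length 21",
    "10:00:00.080900 IP 198.51.100.1.53 > 203.0.113.10.51234: Flags [P.], seq 1:22, ack 22, win 65535, length 21",
    "10:00:00.100100 IP 203.0.113.10.51234 > 198.51.100.1.53: Flags [P.], seq 22:1222, ack 22, win 65535, length 1200",
]

# Constructed LAN capture (assumed "tcpdump -nn -i em1 tcp port 22"): the same
# flow after the port forward, where the 1200-byte client packet never arrives.
LAN_CAPTURE = [
    "10:00:00.000150 IP 203.0.113.10.51234 > 192.168.1.20.22: Flags [S], seq 1000, win 65535, options [mss 1460], length 0",
    "10:00:00.020250 IP 192.168.1.20.22 > 203.0.113.10.51234: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0",
    "10:00:00.040550 IP 203.0.113.10.51234 > 192.168.1.20.22: Flags [.], ack 1, win 65535, length 0",
    "10:00:00.060750 IP 203.0.113.10.51234 > 192.168.1.20.22: Flags [P.], seq 1:22, ack 1, win 65535, length 21",
    "10:00:00.080850 IP 192.168.1.20.22 > 203.0.113.10.51234: Flags [P.], seq 1:22, ack 22, win 65535, length 21",
]


def parse_capture(lines: List[str], client_port: int) -> List[Dict]:
    """Turn tcpdump text lines into packet records keyed independently of NAT."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines or non-TCP noise
        d = m.groupdict()
        direction = "client->server" if int(d["sport"]) == client_port else "server->client"
        key = (direction, d["flags"], d["seq"], d["ack"], d["length"])
        packets.append({
            "ts": d["ts"],
            "dir": direction,
            "key": key,
            "summary": f'{d["ts"]} {direction} flags=[{d["flags"]}] '
                       f'seq={d["seq"] or "-"} ack={d["ack"] or "-"} len={d["length"]}',
        })
    return packets


def find_gaps(wan_lines: List[str], lan_lines: List[str], client_port: int) -> Dict:
    """Report packets seen at one capture point that never reached the other."""
    wan = parse_capture(wan_lines, client_port)
    lan = parse_capture(lan_lines, client_port)
    wan_keys = {p["key"] for p in wan}
    lan_keys = {p["key"] for p in lan}
    # Inbound packets are first seen on WAN; absent on LAN means the firewall
    # (rule, NAT state or something else on the box) swallowed them.
    missing_inbound = [p["summary"] for p in wan
                       if p["dir"] == "client->server" and p["key"] not in lan_keys]
    # Replies are first seen on LAN; absent on WAN means they were dropped on the way out.
    missing_outbound = [p["summary"] for p in lan
                        if p["dir"] == "server->client" and p["key"] not in wan_keys]
    return {
        "wan_packets": len(wan),
        "lan_packets": len(lan),
        "missing_inbound": missing_inbound,
        "missing_outbound": missing_outbound,
    }


if __name__ == "__main__":
    report = find_gaps(WAN_CAPTURE, LAN_CAPTURE, client_port=51234)
    print(f'WAN saw {report["wan_packets"]} packets, LAN saw {report["lan_packets"]}')
    for p in report["missing_inbound"]:
        print("seen on WAN, never on LAN:", p)
    for p in report["missing_outbound"]:
        print("seen on LAN, never on WAN:", p)
```

Retransmissions share a key with the original packet, so they are not flagged as gaps. The same comparison run against a capture on the SSH host itself tells you whether a packet that did reach the LAN was then dropped by the host rather than the firewall, which is the client-side versus server-side comparison cmb asks for.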
          • spudgunman, last edited by Sep 16, 2011, 1:59 AM

            So if I roll back to R1, use the same config and it works, do I have any attention then?

            If I put an old WatchGuard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.

            • podilarius, last edited by Sep 16, 2011, 2:57 AM

              @spudgunman:

              So if I roll back to R1, use the same config and it works, do I have any attention then?

              If I put an old WatchGuard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.

              In the general setup options, do you have the option "Do not use the DNS Forwarder as a DNS server for the firewall" checked? Are you running any other packages?

              • cmb, last edited by Sep 17, 2011, 8:19 AM

                Upload the pcaps somewhere and I'll take a look.

                • spudgunman, last edited by Dec 2, 2011, 9:07 PM

                  Just an update: I did downgrade to R2 and it worked. Today I upgraded to the 2.0 release to see if it was fixed, and all good. I never once changed my policy; the R3 was failing… but since the release is out now I guess we consider this done! Happy holidays, guys.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.