Issue with using TCP port 53 for other than DNS

General pfSense Questions
spudgunman:

So I am stuck on an issue. I upgraded to the newest release via autoupdate, and here is my setup:

NAT rule to redirect port 53T to internal server 22T for the purposes of SSH, to demonstrate the threat of tunnelling, etc. to schools.

I have a security rule to allow SSH to the internal 22T.

This was working, but after an upgrade things don't work any more. What is interesting is that I get a login and key pair change but nothing else; if I flip to port 54 it works, back to 53 it fails.

I disabled the DNS forwarder redirection option on the firewall, but is the firewall kernel trying to do something with 53T in the new version? What else can I do to find out where the failure is on the box? I assume that the kernel is eating up the port and I can't use it because of internal NAT I can't see, but why? Or do I have a configuration issue?

cmb:

Port forwards override everything running/listening on the system; it doesn't matter if 53 is bound, it'll still get forwarded. Something else changed. Go through the usual troubleshooting process for port forwards: capture on WAN and LAN, see where it gets and where it doesn't.
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

spudgunman:

So I have been extensively testing this: 1 in 4 times it will work, the other 3 I get a peer disconnect. If I move to port 54 or 52 I have a 100% success rate, unless the 3G service is monitoring TCP 53 and forcing it to be DNS (which should not be the case).

This wasn't an issue until the upgrade to RC3, so I also don't suspect that the ISP is up to anything.

I can run packet dumps on the inside, outside and the host; everything looks fine… The packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console, but after typing a key or two it will disconnect.

If I move to any other port it's no issue.

Unless it's the timing of RC3 and some changes the ISP did, I am stumped, unless the firewall is somehow handling T53 as DNS and not forwarding it as it should per the rule.

cmb:

@spudgunman:

I can run packet dumps on the inside, outside and the host; everything looks fine… The packets just stop flowing after the SSH handshake starts, but then 1 in 4 times it will continue to flow just fine and I get my console, but after typing a key or two it will disconnect.

Just stops where, is the question. Compare client-side to server-side; that has your answer. The firewall doesn't treat TCP 53 any differently from 52 or 54 or any other port.

spudgunman:
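One way to do the comparison cmb asks for in his two replies above (capture on WAN and on LAN, then find the point where the flow stops). This is an added example, not code from the thread or from pfSense. It works on plain `tcpdump -nn` text such as `tcpdump -nni em0 tcp port 53` on the WAN and `tcpdump -nni em1 tcp port 22` on the LAN (the interface names, addresses and every capture line below are constructed for the example, and the scenario it shows, a large key-exchange segment arriving on WAN but never appearing on LAN, is invented rather than what the thread established). The idea is that the port forward rewrites addresses and ports but not TCP flags, sequence/ack numbers or payload length, so the same segment can be recognised on both taps by that tuple; a segment seen on one side and not the other was lost inside the firewall, while a flow where everything matches puts the problem upstream or on the hosts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One line of `tcpdump -nn` output for a TCP segment, e.g.
#   10:00:00.001 IP 203.0.113.5.51000 > 198.51.100.1.53: Flags [P.], seq 1001:1023, ack 5022, win 65535, length 22
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"   # "seq a:b" for data, "seq a" for a SYN, absent on pure ACKs
    r"(?:, ack (?P<ack>\d+))?"
    r".*?length (?P<length>\d+)"
)


@dataclass(frozen=True)
class Pkt:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    length: int


def parse_capture(text: str) -> List[Pkt]:
    """Parse tcpdump text; lines that are not TCP segments (ARP, ICMP, ...) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(Pkt(ts=m["ts"], src=m["src"], sport=int(m["sport"]),
                        dst=m["dst"], dport=int(m["dport"]), flags=m["flags"],
                        seq=int(m["seq"]) if m["seq"] else None,
                        ack=int(m["ack"]) if m["ack"] else None,
                        length=int(m["length"])))
    return pkts


def fingerprint(p: Pkt) -> Tuple[str, Optional[int], Optional[int], int]:
    """NAT changes addresses/ports but not flags, seq/ack or payload size, so this
    tuple identifies the same segment on both sides of the firewall."""
    return (p.flags, p.seq, p.ack, p.length)


def tag_direction(pkts: List[Pkt], server_port: int) -> List[Tuple[str, Pkt]]:
    """Label segments of the forwarded flow 'in' (toward the server) or 'out'.
    server_port is the flow's port at this tap: the public port on WAN, the
    private port on LAN. Unrelated traffic in the capture is ignored."""
    tagged = []
    for p in pkts:
        if p.dport == server_port:
            tagged.append(("in", p))
        elif p.sport == server_port:
            tagged.append(("out", p))
    return tagged


def locate_drops(wan_text: str, lan_text: str, public_port: int, private_port: int) -> List[Tuple[str, Pkt]]:
    """Segments seen on one side of the firewall but not the other.
    'WAN->LAN': arrived on WAN, never left on LAN (blocked, not translated, or eaten in the box).
    'LAN->WAN': left the server on LAN, never went out on WAN (reply path / state problem).
    An empty list means the firewall passed everything it saw; look upstream or at the hosts."""
    wan = tag_direction(parse_capture(wan_text), public_port)
    lan = tag_direction(parse_capture(lan_text), private_port)
    wan_seen = {(d, fingerprint(p)) for d, p in wan}
    lan_seen = {(d, fingerprint(p)) for d, p in lan}
    drops: List[Tuple[str, Pkt]] = []
    reported = set()  # retransmissions of a lost segment are reported once
    for d, p in wan:
        key = (d, fingerprint(p))
        if d == "in" and key not in lan_seen and key not in reported:
            reported.add(key)
            drops.append(("WAN->LAN", p))
    for d, p in lan:
        key = (d, fingerprint(p))
        if d == "out" and key not in wan_seen and key not in reported:
            reported.add(key)
            drops.append(("LAN->WAN", p))
    return drops


# Constructed captures (assumed: client 203.0.113.5, WAN 198.51.100.1, server 192.168.1.10).
# The 728-byte client key-exchange segment is present on WAN and missing on LAN.
WAN_CAPTURE = """
10:00:00.000100 IP 203.0.113.5.51000 > 198.51.100.1.53: Flags [S], seq 1000, win 65535, length 0
10:00:00.000300 IP 198.51.100.1.53 > 203.0.113.5.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:00.000500 IP 203.0.113.5.51000 > 198.51.100.1.53: Flags [.], ack 5001, win 65535, length 0
10:00:00.001000 IP 198.51.100.1.53 > 203.0.113.5.51000: Flags [P.], seq 5001:5022, ack 1001, win 65535, length 21
10:00:00.001200 IP 203.0.113.5.51000 > 198.51.100.1.53: Flags [P.], seq 1001:1023, ack 5022, win 65535, length 22
10:00:00.001400 IP 203.0.113.5.51000 > 198.51.100.1.53: Flags [P.], seq 1023:1751, ack 5022, win 65535, length 728
"""
LAN_CAPTURE = """
10:00:00.000200 IP 203.0.113.5.51000 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
10:00:00.000250 IP 192.168.1.10.22 > 203.0.113.5.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:00.000600 IP 203.0.113.5.51000 > 192.168.1.10.22: Flags [.], ack 5001, win 65535, length 0
10:00:00.000900 IP 192.168.1.10.22 > 203.0.113.5.51000: Flags [P.], seq 5001:5022, ack 1001, win 65535, length 21
10:00:00.001300 IP 203.0.113.5.51000 > 192.168.1.10.22: Flags [P.], seq 1001:1023, ack 5022, win 65535, length 22
"""

if __name__ == "__main__":
    for where, p in locate_drops(WAN_CAPTURE, LAN_CAPTURE, 53, 22):
        print(f"{where}: lost {p.flags} seq={p.seq} ack={p.ack} len={p.length} at {p.ts}")
```

Run the same script against a capture taken on the client and one taken on the server (with both ports set to the port seen at that host) to cover the segments outside the firewall; if the firewall shows no drops but the host pair does, the loss is on the ISP side, which is the other candidate raised in the thread. Use `tcpdump -S` on both taps if you want absolute sequence numbers; relative numbers also match as long as each capture includes the SYN.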

So if I roll back to R1, use the same config and it works, do I have any attention then?

If I put an old WatchGuard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.

podilarius:

@spudgunman:

So if I roll back to R1, use the same config and it works, do I have any attention then?

If I put an old WatchGuard in place of the pfSense I have no issues; if I put RC3 in place I have issues. After I upgraded I have issues.

In the general setup options, do you have the option "Do not use the DNS Forwarder as a DNS server for the firewall" checked? Are you running any other packages?

cmb:

Upload the pcaps somewhere and I'll take a look.

spudgunman:

Just an update: I did downgrade to R2 and it worked. Today I upgraded to the 2.0 release to see if it was fixed, and all good. I never once changed my policy; the R3 was failing … but since the release is out now I guess we consider this done! Happy holidays, guys.
