Outbound port forward



  • Hi all.

    I have a 2.0 RC3 pfSense box with one LAN and two WANs in load balance mode. It's working in Automatic Outbound NAT.
    I now need to redirect every request on port 53 to a single DNS server, independently of the DNS the clients specify in their TCP/IP configs. Does anyone know how to do that?

    Danilo



  • Are you saying that you want to force the use of a certain DNS server no matter what is set on the client?

    OR

    Do you want to use only one dns server no matter what gateway is used?



  • First option, force the use of one DNS server no matter what is set on the client. The WANs are in load balance mode, it must be forced on both, but this is the easiest problem… :)



  • Easy. Rules of thumb first: rules work on ingress and in top-down order.

    Create two rules, a pass rule and a block rule.

    1. Pass, tcp/udp, single host or alias, your allowed dns server, any source port, destination any, destination port 53
    2. Block, tcp/udp, any source, any source port, destination any, destination port 53
    3. put these rules above your allow any rule

    If your client is using the allowed DNS server it can ping www.google.com; if it's not using that, then it can't ping it (or at least the ping never passes through the firewall).

    Or you can do this with one rule.

    Block, tcp/udp, not, single host or alias, your allowed dns server, any source port, destination any, destination port 53



  • @Metu69salemi:

    If your client is using the allowed DNS server it can ping www.google.com; if it's not using that, then it can't ping it (or at least the ping never passes through the firewall).

    Hmmm… not exactly what I need, but it gave me ideas.
    The scenario is: the client can configure any DNS server he wants, for example 216.239.32.10 (Google's DNS) or even an invalid external DNS. When the connection comes to pfSense it should redirect it to the DNS I want, for example 216.239.34.10 (Google's secondary DNS) or my internal DNS cache on another server, 10.1.1.x. The query must be completed either way. This must be transparent for the clients.
    The PS is: port 53 must be open to 10.1.1.x, my internal DNS server, so it can complete its queries on the internet. pfSense is 10.1.1.y.
    Sometimes confusing...  :P

    Danilo
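The transparent redirect Danilo describes (every port-53 query entering from the LAN sent to one resolver, with the resolver itself exempted so it can still recurse to the Internet), together with the pass/block filter rules from Metu69salemi's answer, written as a pf ruleset. This is an added example, not configuration taken from the thread or generated by pfSense; the interface name em0, the LAN network 10.1.1.0/24, the resolver address 10.1.1.5 (the thread's 10.1.1.x) and the firewall address 10.1.1.1 (the thread's 10.1.1.y) are assumed values.

```pf
# Assumed names and addresses; substitute your own.
lan_if  = "em0"
lan_net = "10.1.1.0/24"
dns_srv = "10.1.1.5"    # internal DNS cache, "10.1.1.x" in the thread
pfsense = "10.1.1.1"    # the firewall's LAN address, "10.1.1.y"

# Translation rules are evaluated before filter rules, and the first
# matching translation rule wins, so the exemption must come first.
# The resolver (and the firewall itself) must reach arbitrary Internet
# servers on port 53 untouched, otherwise recursion loops back to itself.
no rdr on $lan_if proto { tcp udp } from { $dns_srv $pfsense } to any port 53

# Every other LAN host: whatever DNS server it configured, the query is
# rewritten to the resolver. pf keeps state, so the reply is un-rewritten
# and appears to the client to come from the address it asked.
rdr on $lan_if proto { tcp udp } from $lan_net to any port 53 -> $dns_srv port 53

# Filter rules see the *translated* packet, so the pass rule must name the
# resolver as destination. The block rule then only ever matches the
# exempted hosts' traffic, which is caught first by the more specific pass.
pass in quick on $lan_if proto { tcp udp } from { $dns_srv $pfsense } to any port 53 keep state
pass in quick on $lan_if proto { tcp udp } from $lan_net to $dns_srv port 53 keep state
block in quick on $lan_if proto { tcp udp } from $lan_net to any port 53
```

In the pfSense 2.0 GUI the same thing is a Firewall > NAT > Port Forward entry on the LAN interface (protocol TCP/UDP, destination any, destination port 53, redirect target the resolver), placed below an entry for source 10.1.1.x with the No RDR (NOT) option set; pfSense writes the matching rdr lines into the ruleset it loads and adds the associated filter rule. On the box, `pfctl -sn` lists the translation rules in force and `pfctl -sr` the filter rules, which is the quickest way to check that the exemption really sits above the redirect.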



  • Just use DHCP and set the wanted DNS server there, as it usually does.



  • How I wish I could do that! For now, unfortunately, I must forget DHCP… Internal reasons. Even I don't know why!



  • If you use the DHCP server from pfSense, then it's easy:
    Services: DHCP server, and select the correct interface.
    From there you can set the DNS server if you want something other than pfSense to be used.



  • Yes, I know that… but my boss dreams with angels and I have to suffer.  :-[
    For now the problem is solved, thanks all. He preferred to change all the clients manually, so I'll suffer again in another way.

    Again, thanks to all who tried to help me.

    Danilo

