Netgate Discussion Forum

    DNS Access in DMZ

    Category: NAT | 3 Posts, 3 Posters, 2.1k Views
    • stemond

      I have this situation

      PFSENSE ---> dmz (172.19.20.0/24)
      |
      |
      |
      lan (192.168.126.0/24)

      I am using NAT reflection on the NAT rule (TCP/UDP #53) and I can't access my DNS from my LAN. All other servers are OK. I have inserted rules on the DNS interface to reach my DNS but I can't reach it.
      Have you any idea why?

      Stefano

      • johnpoz (LAYER 8 Global Moderator)

        Confused about nat reflection.

        Access between your dmz segment and your normal lan segment would be just normal firewall rules. There should be no nat involved - and not sure why you would have to use nat reflection to access anything in either of those segments?

        Just so we're on the same page here: you don't have pfsense providing dns. You have some other name server running in the dmz segment, be it bind, or ms dns or unbound, etc. And you want machines in the lan segment to access this server.

        You mention other servers access fine - so why would you think access to the name server would be any different than, say, a http server, etc.? Just create the rules to allow traffic on tcp/udp 53 between your lan segment and your dmz segment.

        • jimp (Rebel Alliance Developer, Netgate)

          If your DNS server really does require NAT reflection, it won't work. NAT reflection is broken for UDP, and has been for years. (Check redmine.pfsense.org)

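          To separate the two explanations above (johnpoz: plain LAN-to-DMZ firewall rules are enough; jimp: NAT reflection is broken for UDP), a quick diagnostic run from a LAN host is to query the DMZ name server over UDP and over TCP independently, with no resolver library in between. This is an added example, not code from the thread or from pfSense; the server address 172.19.20.53 and the query name are assumed placeholders.

```python
import socket
import struct
DNS_SERVER = "172.19.20.53"  # assumed DMZ name server address; not from the thread

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(resp: bytes) -> tuple:
    """Return (txid, rcode, answer_count); reject anything that is not a response."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return txid, flags & 0x000F, an

def _recv_exact(s: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = s.recv(n - len(data))
        if not chunk:
            raise ValueError("connection closed mid-response")
        data += chunk
    return data

def query_udp(server: str, name: str, timeout: float = 2.0) -> tuple:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_header(s.recvfrom(512)[0])

def query_tcp(server: str, name: str, timeout: float = 2.0) -> tuple:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        length = struct.unpack("!H", _recv_exact(s, 2))[0]
        return parse_header(_recv_exact(s, length))

def check(server: str = DNS_SERVER, name: str = "example.com") -> dict:
    """Try both transports. TCP ok but UDP failing matches the reflection bug jimp describes."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            _txid, rcode, an = fn(server, name)
            results[proto] = f"ok (rcode={rcode}, answers={an})"
        except (OSError, ValueError) as e:
            results[proto] = f"FAILED: {e}"
    return results
```

          If both transports fail, the LAN-to-DMZ rules (or the server itself) are the problem; if only UDP fails while the traffic is passing through a reflection rule, that is the UDP reflection issue rather than a missing firewall rule.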
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.