DNS Access in DMZ



  • I have this situation

    PFSENSE ---> dmz (172.19.20.0/24)
    |
    |
    |
    lan (192.168.126.0/24)

    I am using NAT reflection on a NAT rule (TCP/UDP #53) and I can't access my DNS from my LAN. All other servers are ok. I have inserted rules on the DNS interface to reach my DNS but I can't reach it.
    Have you any idea why?

    Stefano


  • LAYER 8 Global Moderator

    Confused about nat reflection.

    Access between your dmz segment and your normal lan segment would be just normal firewall rules.  There should be no nat involved - and not sure why you would have to use nat reflection to access anything in either of those segments?

    Just so on same page here, so you don't have pfsense providing dns.  You have some other name server running in the dmz segment, be it bind, or ms dns or unbound, etc.  And you want machines in lan segment to access this server.

    You mention other servers access fine – so why would you think access to the name server would be any different than, say, an HTTP server, etc.  Just create the rules to allow traffic on tcp/udp 53 between your lan segment and your dmz segment.


  • Rebel Alliance Developer Netgate

    If your DNS server really does require NAT reflection, it won't work. NAT reflection is broken for UDP, and has been for years. (Check redmine.pfsense.org)
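    A reachability check that follows both replies above, added here and not part of the thread or of pfSense: once a plain LAN-to-DMZ firewall rule for TCP/UDP 53 is in place (no NAT reflection), the script sends a minimal A query to the DMZ name server over UDP and over TCP and reports each transport separately, so a UDP-only failure stands out. The server address and the queried name passed to check_both are assumptions.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    # Minimal recursive query in wire format: 12-byte header, QNAME labels, QTYPE, QCLASS IN
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data, expected_txid):
    # Only the header matters for a reachability check: QR bit, TC bit, RCODE, answer count
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {"qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an}

def query_udp(server, name, timeout=2.0):
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)

def query_tcp(server, name, timeout=2.0):
    txid = random.randint(0, 0xFFFF)
    q = build_query(name, txid=txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is prefixed with a 2-byte length
        f = s.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))
        data = f.read(length)
    return parse_response(data, txid)

def check_both(server, name="example.com"):
    # UDP timing out while TCP answers is the symptom of relying on NAT reflection for port 53
    results = {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = fn(server, name)
        except (OSError, ValueError, struct.error) as exc:
            results[label] = "FAIL: %s" % exc
    return results
```

Run it from a LAN host as `check_both("<dmz-dns-ip>")`; a dict with `qr` True on both entries means the rule passes both transports.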

