Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    DNS Access in DMZ

    NAT
    3
    3
    1751
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      stemond last edited by

      I have this situation

      PFSENSE –--> dmz (172.19.20.0/24)
      |
      |
      |
      lan (192.168.126.0/24)

      I am using NAT reflection on NAT rule (TCP/UDP #53) and i can't access to my DNS from my LAN. All other servers is ok. I have inserted rules on DNS interface to reach my DNS buti can't reach it.
      have you idea why ?

      Stefano

      1 Reply Last reply Reply Quote 0
      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by

        Confused about nat reflection.

        Access between your dmz segment and your normal lan segment would be just normal firewall rules.  There should be no nat involved - and not sure why you would have to use nat reflection to access anything in either of those segments?

        Just so on same page here, so you don't have pfsense providing dns.  You have some other name server running in the dmz segment, be it bind, or ms dns or unbound, etc.  And you want machines in lan segment to access this server.

        You mention other servers access fine – so why would you think access to the name server would be any different then say a http server, etc.  Just create the rules to allow traffic on tcp/udp 53 between your lan segment and your dmz segment.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-2440 2.4.5p1 | 4x SG-3100 2.4.4p3 | SG-4860 21.05.2

        1 Reply Last reply Reply Quote 0
        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          If your DNS server really does require NAT reflection, it won't work. NAT reflection is broken for UDP, and has been for years. (Check redmine.pfsense.org)

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy