RESOLVED - DNS (dig) query to server behind pfSense firewall fails



  • I guess everyone believes their problem is different, but I have read literally hundreds of messages here and cannot see the clues that specifically deal with what I am encountering;

    My system:

    publicIP/29 block (6) >> Billion 7800N (lan = publicIP1) >> VirtualBox Host (Ubuntu 12.04) 8 NICs
                                                                                 pfSense Guest1 (v2.0.3) with 5 interfaces assigned
                                                                                 wan1 = publicIP2
                                                                                 wan2 = publicIP3
                                                                                 wan3 = publicIP4
                                                                                 lan1 = intsubnet1 >> lan machines
                                                                                 lan2 = intsubnet2 >> lan machines (dmz1, dmz2, etc)
                                                                                 pfSense Guest2 with 4 interfaces
                                                                                 (similar configuration to above)

    The issue:

    One of the lan machines (dmz1) on the internal subnet 2 is an Ubuntu 12.04 that is a domain service provider for mail (ports 25, 110) and authoritative dns (port 53).
    On the pfSense router I have set NAT forwarding from wan3 (publicIP3) to destination internal server dmz1.
    I can ping all IP addresses from everywhere;
      all public IPs are visible inbound and outbound,
      all internal IPs are visible from the pfSense routers,
    I can telnet publicIP3 25 - and get the correct response from the internal server dmz1
    I can telnet publicIP3 110 - and get the correct response from the internal server dmz1
    I can telnet publicIP3 53 - and get a 'connected' response from the internal server dmz1
    I can dig @dmz1 mydomain - and get the correct response from the dns server
    When I dig @publicIP3 mydomain - I get 'connection timed out, no servers could be reached'

    I have not meddled with the dns forwarder in pfSense, being of the mind that this is just a matter of passing queries from an external IP to an internal IP and handing back results that are similar in practice to the telnet actions that are working correctly.

    So my expertise is wanting somewhat to understand what might need to be different for dns queries (dig) to work correctly.

    I have tried different variations of wan gateways for the multiple public IPs.
    Initially, set just wan1 with a gateway to the Billion router (its lanIP = publicIP1), results as indicated above.
    Then added a gateway for wan3 being wan1IP (pfSense would not allow the upstream router IP), results did not change.

    Should I be looking at other parts of the pfSense configuration?

    Graham

    As an afterthought, the NAT forwarding is TCP/UDP, but does not alter dig query if UDP only, but does impact telnet.



  • Seems the problem was of my own making and nothing to do with the pfSense firewall at all.
    The linux firewall on the host machine behind the pfSense router was the problem.
    The firewall entries that I had for mail and dns appeared to me to be identical in structure, but that was not the case.  The dns entry for port 53 was only permitting known associated IP addresses, and blocking packets from the internet.  When I deleted the host firewall entry and recreated with source 'any' the responses to the dig query from outside were returned through the pfSense router.

    So I had jumped off in the wrong direction.

    All is good now.
    Graham
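
Added example, not part of the original posts: a Python check over `iptables-save` output that reports, per protocol, whether a port is accepted from any source or only from listed addresses, which is the difference between the mail and dns entries described above. It assumes the host firewall is iptables (the post says only "linux firewall"); the ruleset, addresses and function names are constructed for illustration, with TCP 53 open and UDP 53 restricted so that a telnet connect succeeds while a default (UDP) dig times out.

```python
# Constructed sample in iptables-save format; addresses are documentation ranges.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

ANY = {"any", "0.0.0.0/0"}


def accepted_sources(rules_text, port, chain="INPUT"):
    """Map protocol -> set of sources that have an ACCEPT rule for `port`."""
    allowed = {}
    for line in rules_text.splitlines():
        tok = line.split()
        # Only appended rules; negated matches ("!") are skipped, so the
        # result errs towards reporting a port as restricted.
        if not line.startswith("-A ") or "!" in tok:
            continue
        opt = dict(zip(tok, tok[1:]))  # each option -> the token after it
        if opt.get("-A") != chain or opt.get("-j") != "ACCEPT":
            continue
        if opt.get("--dport") != str(port):
            continue
        # iptables-save omits -s when the rule matches any source.
        allowed.setdefault(opt.get("-p"), set()).add(opt.get("-s", "any"))
    return allowed


def internet_reachable(rules_text, port, protocols=("udp", "tcp")):
    """Per protocol: True only if an ACCEPT rule has no source restriction."""
    allowed = accepted_sources(rules_text, port)
    return {p: bool(allowed.get(p, set()) & ANY) for p in protocols}


if __name__ == "__main__":
    for port in (25, 110, 53):
        for proto, ok in internet_reachable(SAMPLE_RULES, port).items():
            srcs = sorted(accepted_sources(SAMPLE_RULES, port).get(proto, []))
            if srcs:  # only report protocols that have a rule at all
                state = "open to any source" if ok else "restricted to " + ", ".join(srcs)
                print(f"{proto}/{port}: {state}")
```

On a real host the input would be the saved output of `iptables-save`; an authoritative DNS server needs both udp/53 and tcp/53 reported as open to any source.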

