Netgate Discussion Forum

Portforwarding problems with port 53

7 Posts 2 Posters 2.1k Views
    nmd, Feb 5, 2015, 12:11 PM (last edited 12:17 PM)

    Hi

    First message and a problem.

    I've been having some problems with pfSense and port forwarding on port 53 to one of my DNS servers on the LAN interface.

    On pfSense version 2.1 everything worked until November. And then it stopped. So I decided to wait for the next release and do a clean/new install.

    Did that, so the version is now 2.2 x64. I have contacted my ISP and they are not blocking port 53.

    I have set up three port-forwarding rules, see attachment.

    The ICMP and 3389 rules are working perfectly. And the 3389 one was just for testing. But the port 53/DNS rule is not working at all.

    DNS Forwarder and DNS Resolver are disabled. The NAT method is pure NAT.

    The DNS server is working and responds on port 53.

    I have worked through the port-forwarding troubleshooting.

    I have almost run out of ideas. Where is the config file for port forwarding located?

    Anyone any ideas?

    /nmd

      johnpoz (LAYER 8 Global Moderator), Feb 5, 2015, 12:48 PM

      What does the NAT reflection method have to do with this?? So you're testing from inside your network to your public IP?

      Did you have someone test from actual outside? If you followed the troubleshooting guide, did you see packets on your WAN? Are they forwarded on your LAN to your DNS box? Simple packet captures show us this.

      What is your DNS server? Ah, clearly Windows, if you stated RDP worked to the same box. What are the settings on the Windows firewall? Are you allowing queries from other than your local network?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        nmd, Feb 5, 2015, 3:53 PM (last edited 5:17 PM)

        I have tested from the outside and it did not forward. So then I tested from the inside and it worked!

        Yes, it's a Windows server. And it has not been changed since a year back.

        Yes, port 53 is open and working, and queries from other networks are allowed.

        Will post firewall logs later.

          johnpoz (LAYER 8 Global Moderator), Feb 5, 2015, 9:24 PM

          Well, let's see the packet captures.. Either the packets are there and didn't get forwarded, or they are not there. Not sure why those were not posted from the get-go, since you say you walked through the troubleshooting guide.

          Step 5 would give you the definitive source of the problem.


            nmd, Feb 9, 2015, 7:21 PM

            Didn't have any log with me at the time.

            But I have just made a port scan on port 53 on my IP from ipfingerprints.com.

            ----------------------------------------
            LOG Packet Capture

            19:51:26.680499 00:0c:29:97:c8:25 > 00:1b:0d:ee:98:c0, ethertype IPv4 (0x0800), length 95: (tos 0x0, ttl 127, id 1833, offset 0, flags [none], proto UDP (17), length 81)
                ..*.71.31741 > 195.54.122.200.53: [udp sum ok] 14198+% [1au] A? e9476.ksd.akamaiedge.net. ar: . OPT UDPsize=4000 OK (53)
            19:51:26.762633 00:1b:0d:ee:98:c0 > 00:0c:29:97:c8:25, ethertype IPv4 (0x0800), length 111: (tos 0x0, ttl 58, id 59601, offset 0, flags [none], proto UDP (17), length 97)
                195.54.122.200.53 > ..*.71.31741: [udp sum ok] 14198 q: A? e9476.ksd.akamaiedge.net. 1/0/1 e9476.ksd.akamaiedge.net. A 69.192.64.38 ar: . OPT UDPsize=4096 OK (69)

              johnpoz (LAYER 8 Global Moderator), Feb 9, 2015, 9:40 PM

              Dude, what part do you not understand about sniffing on the WAN and the LAN and doing a query to your nameserver??

              What is your public IP? PM it to me.. And I will see if it answers on 53.


                johnpoz (LAYER 8 Global Moderator), Feb 10, 2015, 5:04 PM

                So that IP answers ping, but no DNS - not UDP or TCP, don't even get a SYN/ACK if I try TCP.

                So either the traffic is not even getting to you for DNS, or your forwards are wrong..

                If you sniff on your WAN I can send queries that you would see, and then on your LAN you should see pfSense send on the traffic and your box respond. This is really click click sort of stuff. I can PM my IP to you so you know what IP to be looking for; as you can see in the bottom pics, it starts with 24.13.

                So look, click click, port forward TCP/UDP 53 to my box running BIND. Now it has NO ACLs to allow queries from the public net, but you see that it answers with REFUSED. So connectivity is there.

                Then the next two are sniffs on the WAN interface showing my remote box doing a query and getting an answer. And if I sniff on the LAN you see the remote being sent on to my private IP 192.168.1.7 and it answering.

                porforwarddns.png
                queryanswred.png
                sniffwan.png
                snifflan.png


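The WAN-then-LAN capture johnpoz describes can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not from the thread, from pfSense or from any poster. It parses `tcpdump -n` output in both the one-line default format and the `-e -vv` two-line form shown earlier in the thread, takes every query that arrived at the public address on port 53, and looks on the LAN side for the forwarded copy and the server's reply by (remote source address, DNS transaction id), since a port forward rewrites only the destination. It also counts the outbound lookups that LAN clients make to outside resolvers, which appear on port 53 but say nothing about the inbound forward. The PUBLIC_IP and DNS_SERVER constants, the tester address 203.0.113.9 and both capture texts are constructed for the example; UDP only, since TCP lines carry no transaction id after the colon.

```python
"""Correlate WAN- and LAN-side tcpdump output for a UDP port 53 forward.

Added example for this thread, not from the forum or from pfSense. The
topology and the two captures below are made up (documentation ranges).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

PUBLIC_IP = "198.51.100.10"   # assumed pfSense WAN address the remote tester queries
DNS_SERVER = "192.168.1.7"    # assumed LAN host the NAT rule forwards port 53 to

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)")
# "src.port > dst.port: [udp sum ok] <txid>"; the -vv checksum note is optional
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):"
    r"(?:\s*\[udp sum ok\])?\s*(\d+)"
)

OK, NOT_FORWARDED, NO_LAN_REPLY, REPLY_NOT_RETURNED = (
    "ok", "not_forwarded", "no_lan_reply", "reply_not_returned")
EXPLAIN = {
    OK: "forwarded, answered on LAN, answer left via WAN",
    NOT_FORWARDED: "seen on WAN, never sent to the DNS host: NAT/filter rule not matching",
    NO_LAN_REPLY: "reached the DNS host, no answer: host firewall scope or listener",
    REPLY_NOT_RETURNED: "DNS host answered, nothing left the WAN: check states/outbound NAT",
}


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int

    @property
    def is_query(self) -> bool:
        return self.dport == 53   # direction by port, not by tcpdump's flag characters


def parse_capture(text: str) -> List[Packet]:
    """Parse tcpdump -n output: one-line default format, or -e -vv where the
    5-tuple sits on an indented continuation line under the timestamp."""
    packets, ts = [], ""
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = m.group(1)
        f = FLOW_RE.search(line)
        if f:
            src, sport, dst, dport, txid = f.groups()
            packets.append(Packet(ts, src, int(sport), dst, int(dport), int(txid)))
    return packets


def diagnose(wan: List[Packet], lan: List[Packet]) -> Dict[str, object]:
    """For each query that arrived at PUBLIC_IP:53, report how far it got."""
    inbound = [p for p in wan if p.is_query and p.dst == PUBLIC_IP]
    verdicts: Dict[int, str] = {}
    for q in inbound:
        # A port forward rewrites only the destination; the remote source
        # address survives on the LAN side, so match on (src, txid).
        fwd = any(p.txid == q.txid and p.is_query and p.dst == DNS_SERVER and p.src == q.src for p in lan)
        lan_ans = any(p.txid == q.txid and not p.is_query and p.src == DNS_SERVER and p.dst == q.src for p in lan)
        wan_ans = any(p.txid == q.txid and not p.is_query and p.src == PUBLIC_IP and p.dst == q.src for p in wan)
        verdicts[q.txid] = (NOT_FORWARDED if not fwd else NO_LAN_REPLY if not lan_ans
                            else REPLY_NOT_RETURNED if not wan_ans else OK)
    # LAN clients' own lookups to outside resolvers are port 53 traffic too,
    # but prove nothing about the inbound forward; count them separately.
    outbound = [p for p in wan + lan if p.is_query and p.dst not in (PUBLIC_IP, DNS_SERVER)]
    return {
        "traffic_reaches_wan": bool(inbound),
        "inbound_queries": len(inbound),
        "verdicts": verdicts,
        "outbound_lookups_ignored": len(outbound),
    }


# Constructed captures: 203.0.113.9 is the remote tester; 203.0.113.53 is an
# outside resolver that a LAN client (192.168.1.50) happens to use.
WAN_CAPTURE = """\
19:52:01.100001 IP 203.0.113.9.40001 > 198.51.100.10.53: 4660+ A? test.example. (30)
19:52:01.100900 IP 198.51.100.10.53 > 203.0.113.9.40001: 4660 1/0/0 A 192.0.2.10 (46)
19:52:02.200002 IP 203.0.113.9.40002 > 198.51.100.10.53: 4661+ A? test.example. (30)
19:52:03.300003 IP 203.0.113.9.40003 > 198.51.100.10.53: 4662+ A? test.example. (30)
19:52:04.400004 IP 198.51.100.10.51234 > 203.0.113.53.53: 14198+ A? www.example.net. (33)
"""
LAN_CAPTURE = """\
19:52:01.100300 IP 203.0.113.9.40001 > 192.168.1.7.53: 4660+ A? test.example. (30)
19:52:01.100700 IP 192.168.1.7.53 > 203.0.113.9.40001: 4660 1/0/0 A 192.0.2.10 (46)
19:52:02.200300 IP 203.0.113.9.40002 > 192.168.1.7.53: 4661+ A? test.example. (30)
19:52:04.400001 IP 192.168.1.50.31741 > 203.0.113.53.53: 14198+ A? www.example.net. (33)
"""

if __name__ == "__main__":
    result = diagnose(parse_capture(WAN_CAPTURE), parse_capture(LAN_CAPTURE))
    print("inbound queries seen on WAN:", result["inbound_queries"])
    for txid, code in result["verdicts"].items():
        print(f"  txid {txid}: {EXPLAIN[code]}")
    print("outbound client lookups ignored:", result["outbound_lookups_ignored"])
```

In practice you would feed it the text of two pfSense packet captures (Diagnostics > Packet Capture, filter port 53, one on WAN and one on LAN) taken while someone outside sends a query. An empty "inbound queries" count with a non-zero "outbound lookups ignored" count is exactly the situation of a capture that only shows a LAN host asking an external resolver: nothing from the outside ever arrived, so the forward rule was never exercised.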
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.