Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Portforwarding problems with port 53

    Scheduled Pinned Locked Moved NAT
    7 Posts 2 Posters 2.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nmd
      last edited by

      Hi

      First message and a problem.

      I´ve been having some problems with pfsense and port-forwarding on port 53 to one of my dns servers on LAN interface.

      On pfsense version 2.1 everything worked until november. And then it stopped. So I decided to wait for the next release and do a clean/new install.

      did that so the version is now 2.2 x64. I have contacted my ISP and they are not blocking port 53.

      I have set i three port-forwarding rules see attachment.

      The icmp and 3389 rule working perfect. And the 3389 was just for testing. but the port 53/dns rule is not working at all.

      DNS Forwarder and DNS Resolver is disabled. The NAT method is pure nat.

      The DNS Server is working and responds on port 53.

      I have worked through the port-forwarding troubleshooting.

      I have run out of ides almost.  Where is the config file for port-forwarding located?

      Anyone any ideas?

      /nmd

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        What does the nat reflection method have to do with this??  So your testing from inside your network to your public IP?

        Did you have someone test from actual outside?  if you followed the troubleshooting guide, did you see packets on your wan?  Are they forwarded on your lan to your dns box?  Simple packet captures shows us this.

        What is your dns server?  Ah clearly windows if you stated rdp worked to the same box.  What is the settings on the windows firewall?  You allowing for queries from other than your local network?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • N
          nmd
          last edited by

          I have tested from the outside and it did not forward. So then i tested from the inside and it worked!

          Yes it´s a windows server. And It has not been changed since a year back.

          Yes port 53 is open and working and  queris from other network is allowed.

          Will post loggs later of firewall

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            well lets see the packet captures..  Either the packets are there and didn't get forwarded, or they are not there.  Not sure why those were not posted from the get go since you say you walked through the troubleshooting guide

            step 5 would give you the definitive source of the problem.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • N
              nmd
              last edited by

              didn't have any log with me at the time.

              but I have just made a portscan on port 53 on my ip from ipfingerprints.com.

              –---------------------------------------
              LOG Packet Capture

              19:51:26.680499 00:0c:29:97:c8:25 > 00:1b:0d:ee:98:c0, ethertype IPv4 (0x0800),

              length 95: (tos 0x0, ttl 127, id 1833, offset 0, flags [none], proto UDP (17),

              length 81)
                  ..*.71.31741 > 195.54.122.200.53: [udp sum ok] 14198+% [1au] A?

              e9476.ksd.akamaiedge.net. ar: . OPT UDPsize=4000 OK (53)
              19:51:26.762633 00:1b:0d:ee:98:c0 > 00:0c:29:97:c8:25, ethertype IPv4 (0x0800),

              length 111: (tos 0x0, ttl 58, id 59601, offset 0, flags [none], proto UDP (17),

              length 97)
                  195.54.122.200.53 > ..*.71.31741: [udp sum ok] 14198 q: A?

              e9476.ksd.akamaiedge.net. 1/0/1 e9476.ksd.akamaiedge.net. A 69.192.64.38 ar: .

              OPT UDPsize=4096 OK (69)

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                dude what part do you not understand about sniffing on the wan and the lan and doing a query to your nameserver??

                What is your public IP?  PM it to me.. And I will see if it answers on 53.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  So that IP answers ping, but no dns - not udp or tcp, don't even get a syn,ack if try tcp.

                  So either the traffic is not even getting to you for dns, or your forwards are wrong..

                  If you sniff on your wan I can send queries that you would see, and then on your lan you should see pfsense send on the traffic and your box respond.  This is really click click sort of stuff.  I can pm my IP to you so you know what IP to be looking for as you can see in the bottom pics starts with 24.13

                  So look, click click port forward tcp/udp 53 to my box running bind.  Now it has NO ACLs to allow queries from the public net, but you see that it answers with REFUSED.  So connectivity is there.

                  then the next too are sniffs on the wan interface showing my remote box doing a query and getting an answer.  And If I snff on the lan you see the remote being sent on to my private IP 192.168.1.7 and it answering.

                  porforwarddns.png
                  queryanswred.png
                  sniffwan.png
                  snifflan.png
                  porforwarddns.png_thumb
                  queryanswred.png_thumb
                  sniffwan.png_thumb
                  snifflan.png_thumb

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.