Netgate Discussion Forum
    Firewall rejecting inbound dns traffic to internal DNS server - SOLVED

    Firewalling
    5 Posts 3 Posters 1.7k Views
    cslewis1

      Greetings all -

      I'm new on these forums, but not at all to DNS, firewalls, firewall rulesets, NAT, routing, etc.
      I've done some searches and haven't found my issues.  Please be patient with me if this topic has
      been covered before…

      I have an internal DNS server, an external routable virtual IP, and 1:1 NAT from the external IP
      to the internal DNS server.

      I have firewall rules on the WAN interface from !Inside to internal DNS Server, allowing DNS traffic.

      However, the logs say the firewall is denying all inbound DNS queries with the default deny rule.

      All other firewall rules work perfectly using this approach, including http, https, imaps, etc.
      It is only DNS traffic that is being dropped.

      I have turned OFF the dns resolver, as I don't want my firewall to answer any DNS queries, period.
      I have entered the correct dns server IPs (both internal and external VIP) in the General Setup area.

      This makes no sense to me at all.  I have done numerous web searches, and have the
      definitive guide book to pfSense in my lap.  Nothing over a week of searching and trying has
      helped.

      Any help and/or suggestions would be greatly appreciated.

      My setup is basically this:  block of 16, with 13 usable IPs.  Firewall is off a cable modem.
      External Firewall IP is static, not dynamic.  Cable company has updated reverse DNS appropriately
      (at my request).  Firewall's IP is not used by any of the services.  I am using 1:1 NAT to
      DNS server, Web server, SMTP server, etc.  As I said before, all of the other services work
      perfectly.  Only DNS queries are being rejected.

      Thanks!

      cslewis1

      Derelict (LAYER 8, Netgate)

        Post the rules you've done, not a description of what you think you've done.

        Since you're using NAT, the destination of the pass rule on WAN needs to be the inside local address, not the inside global.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        cslewis1

          I am away from my home network right now, but basically, having reinstalled and re-done my firewall and network about five times in the past three weeks, I can post them from heart:

          WAN interface, !DMZServers to xxx.xxx.2.2 port 53 tcp/udp allow.
          NAT is 1:1, as I've said.  External VIP to 2.2.

          (I also should say I don't know how to dump the ruleset and post it here.  But I'll do some research.)

          DMZServers is an alias to a group of internal servers with IPs running from 2.2 to 2.8.

          Yes, it did confuse me that one had to write a firewall rule to the internal LAN address, but I figured that out.
          Like I said, ALL other services work.  The internal IP is a server with about 5 virtual IP addresses, some of
          which the http server is bound to, the other is a mail server.

          For example, 2.3 is http, 2.4 is http, 2.6 is smtp.

          All firewall rules are like the above:  WAN interface, !LAN to 2.3, port http allow.

          All of these work perfectly.

          I'm thinking it has something to do with the firewall's DNS resolver, which is OFF as I've said.
          It is completely ignoring the DNS firewall rule, which is identical in every way to the rules for
          http, https, imaps, etc.

          Thanks!

          Other interesting tidbits:  I can go to the system logs, filter on the denied DNS traffic, and have it automatically add a rule to the ruleset.  It comes up with just what I expected:  IP source to internal IP, DNS allow.  Nothing surprising.  The only difference between that and my rule is that my source is !DMZServers.  Not sure if this helps.

          cslewis1

            AUGH!

            (Charlie Brown yell).

            Found my problem:  rule for DNS was TCP only.  Sigh.  Changed to TCP/UDP and now it's working.

            Sigh.  Very embarrassed.

            kejianshi
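The two points that decide this thread (Derelict's: with 1:1 NAT the WAN pass rule must name the inside local address, because translation happens before filtering; and the poster's own finding: a port-53 rule with proto TCP only never matches an ordinary UDP query, so it falls through to the default deny) can be shown with a small model of the evaluation order. This is an added example written for this page, not pfSense code and not the poster's actual ruleset: the rule text is a constructed subset of pf.conf syntax (it is not a parser for real `pfctl -sr` output), and the addresses, interface name `em0`, the VIP-to-server mapping and the `DMZServers` alias contents are all made up.

```python
"""Model of how an inbound WAN packet meets 1:1 NAT and then the WAN pass
rules, to show (a) why the rule's destination must be the inside local
address and (b) why a TCP-only port-53 rule drops every normal DNS query.

Added example for this thread, not pfSense code and not the poster's
ruleset. Addresses, alias contents and the rule syntax are constructed."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed 1:1 NAT: external VIP -> inside local address of the DNS server.
ONE_TO_ONE_NAT = {"203.0.113.10": "10.0.2.2"}
# Constructed alias standing in for the poster's DMZServers alias.
ALIASES = {"<DMZServers>": {"10.0.2.2", "10.0.2.3", "10.0.2.4", "10.0.2.6"}}

# The DNS rule as first written (proto tcp only) plus one unrelated rule.
BROKEN_RULESET = """
pass in quick on em0 proto tcp from !<DMZServers> to 10.0.2.2 port 53
pass in quick on em0 proto tcp from !<DMZServers> to 10.0.2.3 port 80
"""
# Same ruleset after the poster's fix: TCP/UDP on the DNS rule.
FIXED_RULESET = """
pass in quick on em0 proto { tcp udp } from !<DMZServers> to 10.0.2.2 port 53
pass in quick on em0 proto tcp from !<DMZServers> to 10.0.2.3 port 80
"""
# The mistake Derelict warns about: destination is the VIP, not the inside address.
WRONG_DST_RULESET = """
pass in quick on em0 proto { tcp udp } from !<DMZServers> to 203.0.113.10 port 53
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block) in(?: quick)? on (?P<iface>\S+) "
    r"proto (?P<proto>tcp|udp|\{ tcp udp \}) "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?: port (?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    action: str
    iface: str
    protos: FrozenSet[str]
    src_negated: bool
    src: str  # address, alias name or "any"
    dst: str
    dport: Optional[int]


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule subset above into Rule objects, in order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(
            action=m["action"], iface=m["iface"],
            protos=frozenset(re.findall(r"tcp|udp", m["proto"])),
            src_negated=m["src"].startswith("!"), src=m["src"].lstrip("!"),
            dst=m["dst"], dport=int(m["port"]) if m["port"] else None,
        ))
    return rules


def _src_matches(rule: Rule, src: str) -> bool:
    in_set = rule.src == "any" or src in ALIASES.get(rule.src, {rule.src})
    return in_set != rule.src_negated  # "!alias" matches when src is NOT in it


def verdict(rules: List[Rule], iface: str, proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins (pfSense adds 'quick' to user rules);
    no match falls through to the default deny seen in the firewall log."""
    for r in rules:
        if (r.iface == iface and proto in r.protos and _src_matches(r, src)
                and r.dst in ("any", dst) and r.dport in (None, dport)):
            return r.action
    return "block"


def filter_inbound(rules: List[Rule], iface: str, proto: str, src: str, dst: str, dport: int) -> str:
    """1:1 NAT rewrites the destination before the WAN rules are evaluated,
    so the rules see the inside local address, never the VIP."""
    return verdict(rules, iface, proto, src, ONE_TO_ONE_NAT.get(dst, dst), dport)


def dns_rules_missing_udp(rules: List[Rule]) -> List[Rule]:
    """Audit: pass rules to port 53 that can never match a UDP query."""
    return [r for r in rules if r.action == "pass" and r.dport == 53 and "udp" not in r.protos]


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULESET), ("fixed", FIXED_RULESET), ("wrong-dst", WRONG_DST_RULESET)):
        rules = parse_rules(text)
        for proto in ("udp", "tcp"):
            v = filter_inbound(rules, "em0", proto, "198.51.100.7", "203.0.113.10", 53)
            print(f"{name}: {proto}/53 from outside to the VIP -> {v}")
        print(f"{name}: port-53 pass rules without UDP: {len(dns_rules_missing_udp(rules))}")
```

The `dns_rules_missing_udp` audit is the check worth keeping around: a resolver that only answers over TCP looks fine in any test that uses `dig +tcp` or a browser-driven lookup that happens to retry over TCP, and fails for everything else, which is exactly the "all other services work, only DNS is denied" pattern in this thread.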

              Nope - that's very good.  Easy fix.

              Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.