Netgate Discussion Forum
    ISSUE WINDOWS 2012 AS PUBLIC DNS

    NAT
marcodv:

Hello,
We have a problem with pfSense and public DNS on Windows 2012.

We're migrating from a WatchGuard Firebox to pfSense with two different public networks (Firebox 81.208.x.x, pfSense 151.0.149.x).

      At the moment we have:

      • NS1 with new public ip natted to a Windows Server 2008 R2 from pfSense
      • NS2 with old public ip natted to a Windows Server 2012 R2 from Watchguard

It seems to work correctly, but if we take one of the two NS offline (it is the same whether it is the old one or the new one) they STOP working...

We've made a NAT on pfSense from 1 public IP (on WAN) to 1 internal IP (port 53, DNS). Is it correct?

viragomann:

        @marcodv:

We've made a NAT on pfSense from 1 public IP (on WAN) to 1 internal IP (port 53, DNS). Is it correct?

If you have a public IP range, you have to ensure that the responses from the DNS server are NATted back to its public IP. You can do this with 1:1 NAT, by just one rule for inbound and outbound packets.

muswellhillbilly:

          @marcodv:

It seems to work correctly, but if we take one of the two NS offline (it is the same whether it is the old one or the new one) they STOP working...

          Define "STOP working". Can you no longer query the DNS server(s) from outside or inside the network? Are you querying the public or private IPs, and if so from where? How have you set up routing on each of the name servers going out correctly? And what forwarders are the servers using - public DNS or name servers specific to each carrier (assuming you're using two different pipes)?

marcodv:

            @viragomann:

            @marcodv:

We've made a NAT on pfSense from 1 public IP (on WAN) to 1 internal IP (port 53, DNS). Is it correct?

If you have a public IP range, you have to ensure that the responses from the DNS server are NATted back to its public IP. You can do this with 1:1 NAT, by just one rule for inbound and outbound packets.

I've set up 1:1 NAT with an inbound rule, but nothing happens!

marcodv:

              @muswellhillbilly:

              @marcodv:

It seems to work correctly, but if we take one of the two NS offline (it is the same whether it is the old one or the new one) they STOP working...

              Define "STOP working". Can you no longer query the DNS server(s) from outside or inside the network? Are you querying the public or private IPs, and if so from where? How have you set up routing on each of the name servers going out correctly? And what forwarders are the servers using - public DNS or name servers specific to each carrier (assuming you're using two different pipes)?

I'll try to explain better:
Actually, if I use the public IPs with nslookup from the internet, both dns1 (behind pfSense) and dns2 (behind the Firebox) work correctly.

If I take dns1 or dns2 offline (by removing the default gateway from the network adapter), nslookup stops working (request timeout).

              Thanks

muswellhillbilly:

                This still isn't all that clear, but I'll try to answer based on what you've given us so far.

                If you are running a query for your domain where you've specified one or the other of your DNS servers as the POA for your public DNS information, then you may well get a timeout if you remove the gateway information from your WAN. If you're using one server to act as forwarder for the other, then again you may get a timeout error occurring. On the face of it, it does sound like you have some kind of dependency operating across your name servers, but without more information there's not much else I can suggest. You might also want to investigate the routing you have on each of your name servers (as already mentioned).

johnpoz (Global Moderator):

POA? You mean SOA (source of authority)?

So you have 2 2k12r2 boxes, and you have 2 WANs with 2 different firewalls... And do these connect to different LANs or the same LAN?

So are you the top or the bottom?

If you're running 2 different NS for this domain, it should not matter if the SOA goes offline if you're directly doing queries to the 2nd one... But it sounds like maybe you have 1 in forward mode... If you turn off that one then it would fail, and querying that one would fail, but doing queries to the other one should be fine...

What is this public domain? You can PM it to me if you don't want to post it, so I can see what is set up for the name servers...


                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

muswellhillbilly:
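The test johnpoz describes above (query each name server directly and see whether it answers on its own, or only while the other one is up) can be scripted. The script below is an added example and is not from the thread or from any of its participants; the zone name and the two server addresses are placeholders you replace with your own, and the live run assumes `dig` is installed. It queries each server with recursion disabled, so a server that is really just forwarding to the other one cannot borrow its upstream's answer and is reported as "forwarded", "refused" or "timeout" rather than "authoritative".

```shell
#!/bin/sh
# Added example, not from the thread. Queries each name server directly with
# recursion disabled and classifies the reply, so a server that only works by
# forwarding to the other one shows up as "forwarded" or "timeout" instead of
# "authoritative". The zone and server addresses below are placeholders.

ZONE="${ZONE:-example.com}"                              # placeholder zone
NS_SERVERS="${NS_SERVERS:-192.0.2.10 198.51.100.10}"     # placeholder NS1/NS2 public IPs

# Classify the text of one dig reply. dig prints the header flags as e.g.
# ";; flags: qr aa; ..." where aa = authoritative answer. With +norecurse a
# server that merely forwards cannot fetch the answer from its upstream and
# typically returns no reply, REFUSED, or SERVFAIL. Order matters: a timeout
# or error is checked before the flags, and aa before a plain NOERROR.
classify_dig_output() {
    case "$1" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: REFUSED"*|*"status: SERVFAIL"*)                 echo refused ;;
        *"flags: qr aa"*)                                          echo authoritative ;;
        *"status: NOERROR"*)                                       echo forwarded ;;
        *)                                                         echo unknown ;;
    esac
}

# Ask one server for the zone's SOA, bypassing any forwarder it may have.
check_ns() {
    server="$1"; zone="$2"
    reply=$(dig @"$server" "$zone" SOA +norecurse +time=3 +tries=1 2>&1)
    printf '%-16s %s\n' "$server" "$(classify_dig_output "$reply")"
}

# Constructed sample replies (not captured from the poster's servers), so the
# classifier can be exercised without network access.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FWD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DOWN=';; connection timed out; no servers could be reached'

# Run the classifier over the samples; returns 0 only if all three classify as expected.
self_test() {
    [ "$(classify_dig_output "$SAMPLE_AUTH")" = authoritative ] &&
    [ "$(classify_dig_output "$SAMPLE_FWD")"  = forwarded ] &&
    [ "$(classify_dig_output "$SAMPLE_DOWN")" = timeout ]
}

# Live run only when invoked with --live, e.g.:
#   ZONE=yourzone.tld NS_SERVERS="1.2.3.4 5.6.7.8" sh check_ns.sh --live
if [ "${1:-}" = "--live" ]; then
    for ns in $NS_SERVERS; do
        check_ns "$ns" "$ZONE"
    done
fi
```

Run it once with both servers up and once with each server's default gateway removed, as in the thread. A healthy pair prints "authoritative" for both addresses in all three runs. If one server flips to "forwarded", "refused" or "timeout" as soon as the other goes down, that server is not holding the zone itself (forwarding, or a secondary that never completed its zone transfer), and no NAT rule on pfSense will fix that. If instead a server is "authoritative" while queried from inside but "timeout" from the internet, look at the NAT: with 1:1 NAT the server's own outbound packets (zone transfers and NOTIFY to the other NS) leave with the same public address that inbound queries arrive on, which is what viragomann's reply is getting at.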

                    @johnpoz:

POA? You mean SOA (source of authority)?

                    Sorry - wrote in a hurry and had a brief brain-melt. Yes - meant SOA.

                    Some information on what forwarders your name servers are each using would probably help, too.
