
I've encountered a problem when port-forwarding a DNS server using pfSense. I've port-forwarded many services on this same firewall, but I am unable to port forward a DNS server.

dig DNS using the local address:

root@hfr-nl-dns01:~# dig A a-domain.test @10.10.30.28

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> A a-domain.test @10.10.30.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62603
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a-domain.test.                        IN      A

;; ANSWER SECTION:
a-domain.test.         60      IN      A       <public ip>

;; Query time: 4 msec
;; SERVER: 10.10.30.28#53(10.10.30.28)
;; WHEN: Sat Sep 19 12:53:10 UTC 2020
;; MSG SIZE  rcvd: 59

But when I try to ask the same on the port-forwarded IP:

root@hfr-nl-dns01:~# dig A a-domain.test @<another public ip>

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> A a-domain.test @<another public ip>
;; global options: +cmd
;; connection timed out; no servers could be reached

I've tried using dig on another machine in the network, and it does respond like I am used to, so it has nothing to do with binding to an IP as far as I can see.

My pfSense NAT port forward:

Interface: corresponds to the interface the virtual IP is on
Protocol: TCP/UDP (because PowerDNS requires TCP as well)
Destination: the virtual IP that I want this to be hosted on
Destination port range: from DNS to DNS

Redirect target IP: 10.10.30.28 (the DNS machine)
Redirect target port: DNS

I've tried turning NAT reflection to "Enabled (NAT + Proxy)", but it didn't help.

Does anybody have an idea what I can check to see why DNS isn't port forwarded?

Koen Vuurens
  • Does it work from the other network? I.e., is it only a "reflection" problem? – Håkan Lindqvist Sep 19 '20 at 17:03
  • I'm not sure what you mean by the other network. But yes, it does work within the same subnet, tried from different machines. – Koen Vuurens Sep 19 '20 at 18:08
  • I don't know enough about your environment to be able to tell what network that is more than whatever network *the interface the virtual IP is on* is for. – Håkan Lindqvist Sep 19 '20 at 18:11
  • (If that is for hosts on the Internet, that is what I mean as the other network to test from.) – Håkan Lindqvist Sep 19 '20 at 18:12
  • How should I clarify it for you? I can't really think of a way @HåkanLindqvist – Koen Vuurens Sep 19 '20 at 18:12
  • What I wonder is simply: Does it work from other networks? The inherent problem of *NAT reflection* tends to make it more difficult to make this type of thing work from the same network compared to from other networks. It would just be good to try to pinpoint what the problem is. – Håkan Lindqvist Sep 19 '20 at 18:17
  • It does work from other networks. So we can pinpoint the issue to NAT reflection. – Koen Vuurens Sep 19 '20 at 18:25
  • Figured it out, it was NAT reflection. Changed it to NAT reflection: Enable (Pure NAT) and it worked. Thanks @HåkanLindqvist! – Koen Vuurens Sep 19 '20 at 18:46

1 Answer

After some troubleshooting it was pinpointed to NAT reflection, which was set to the system default option. After changing it to "Enable (Pure NAT)" it worked as expected.

Koen Vuurens
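
What "Pure NAT" reflection has to arrange is easier to see in plain pf syntax than in the GUI. The rules below are an added illustration following the redirection-and-reflection pattern from the pf documentation; they are not the rules pfSense generates and should not be pasted into a pfSense box, which writes its own ruleset. The interface names, the 198.51.100.53 virtual IP and the macros are assumptions; 10.10.30.28 and the 10.10.30.0/24 LAN are from the post. To my understanding the "NAT + Proxy" mode relies on a user-space TCP proxy, which is consistent with it not helping a plain dig query (UDP) while Pure NAT did.

```pf
# Placeholders for this example; only the DNS host address comes from the post.
wan_if  = "igb0"
lan_if  = "igb1"
lan_net = "10.10.30.0/24"
vip     = "198.51.100.53"     # public virtual IP carrying the port forward
dns     = "10.10.30.28"       # the DNS machine

# The ordinary inbound port forward: Internet clients reach the VIP on 53/tcp+udp.
rdr on $wan_if proto { tcp, udp } from any to $vip port 53 -> $dns port 53

# Reflection, part 1: a LAN client that queries the VIP arrives on the LAN
# interface, so the same redirect is needed there.
rdr on $lan_if proto { tcp, udp } from $lan_net to $vip port 53 -> $dns port 53

# Reflection, part 2: client and DNS host share the LAN, so without this the
# server would answer the client directly from 10.10.30.28, and the client
# (which asked 198.51.100.53) would discard that reply and time out, which is
# exactly what dig showed. Rewriting the source to the firewall's LAN address
# makes the reply come back through the firewall, where the rdr state un-does
# the translation.
no nat on $lan_if proto { tcp, udp } from $lan_if to $lan_net
nat on $lan_if proto { tcp, udp } from $lan_net to $dns port 53 -> $lan_if
```

The second `nat` line is the part that is easy to miss: the redirect alone makes the query reach 10.10.30.28, but only the source rewrite makes the answer return via the firewall. That is also why a host outside the LAN worked all along, since its reply already had to travel back through the firewall.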