Solved

PFsense port forward for DNS

Posted on 2014-12-28
Last Modified: 2015-01-19
We currently have a PFsense 2.1.5 forwarding DNS requests to an internal DNS server whose default gateway is the PFsense firewall; this works correctly. There is also a Forefront TMG firewall on a separate external address that forwards DNS requests to the internal DNS server; this works because TMG has the option to make the forwarded DNS packets appear to have come from the TMG internal address rather than the actual originating address.
I'm replacing the TMG firewall with a second PFsense box. On this the DNS forwarding does not work, as the default gateway on the DNS server points to the other PFsense box. Is there a way to make forwarded packets appear to come from the PFsense box rather than the actual originating address? TMG has the option, but I can't find the equivalent option in PFSense.

Thanks
harry
Question by:HWC003
 
LVL 23

Expert Comment

by:Mohammed Hamada
Could you please elaborate more? The question is unclear! What do you mean exactly by:
"On this the DNS forwarding does not work as the default gateway on the DNS server points to the other PFsense box."
 

Author Comment

by:HWC003
FW1 internal address 10.2.200.230, external address x.x.x.1
FW2 internal address 10.2.200.229, external address x.x.x.2
DNS-SERVER-FOR-EXTERNAL 10.2.200.20, default gateway 10.2.200.229 (we use split DNS)
Both firewalls port forward incoming DNS requests to 10.2.200.20 (DNS-SERVER-FOR-EXTERNAL).
A request comes in through FW2 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which replies through its default gateway, FW2.
A request comes in through FW1 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which, since the request is from an external address, replies through its default gateway, FW2, which is the wrong path.
FW1 and FW2 are PfSense. When FW1 was a Microsoft Forefront TMG there was an option to make the forwarded DNS request look like it came from the TMG; then the DNS server responded to the TMG instead of using the default route.
Basically SNAT. Can this be done on PfSense?
 
LVL 23

Expert Comment

by:Mohammed Hamada
You can create a static NAT on pfSense at http://yourpfsenseurl.com/firewall_nat_1to1.php ... but why don't you try adding a persistent route on the DNS server? It would act as a second gateway.

Open CMD as admin there and type this command, then hit enter:
route add 0.0.0.0 MASK 0.0.0.0 10.2.200.230 METRIC 1 -p

Type route print and that will show you whether it's there or not, then try to make a request and see whether it replies from the correct gateway or not.
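The "basically SNAT" behaviour the asker describes is available on pfSense as an outbound NAT rule on the LAN interface (Firewall > NAT > Outbound, in manual outbound NAT mode) on top of the port forward; pfSense renders both into pf rules like the fragment below. This is an added illustration, not configuration from the thread or from pfSense itself; the interface names em0/em1 are assumptions.

```pf
# Added example (not from the thread): pf rules equivalent to a pfSense port
# forward plus an outbound-NAT (SNAT) rule on FW1, so DNS replies from
# 10.2.200.20 return through FW1 even though the server's default gateway is
# FW2 (10.2.200.229). Interface names are assumed.
wan_if = "em0"          # FW1 external interface (x.x.x.1 in the thread)
lan_if = "em1"          # FW1 internal interface, 10.2.200.230
dns_server = "10.2.200.20"

# Port forward: DNS arriving on FW1's WAN address is redirected to the
# internal server (Firewall > NAT > Port Forward).
rdr on $wan_if inet proto { tcp udp } from any to ($wan_if) port 53 -> $dns_server

# SNAT: rewrite the source of the forwarded query to FW1's LAN address, so the
# reply is addressed to 10.2.200.230, a directly attached host, and the DNS
# server's default route is never consulted.
# Trade-off: the DNS server's query logs now show FW1's address, not the real
# client, so client attribution has to come from FW1's own logs.
nat on $lan_if inet proto { tcp udp } from any to $dns_server port 53 -> ($lan_if)

# Filter rule admitting the redirected traffic on WAN (pfSense adds this when
# the port forward's filter rule association is enabled).
pass in quick on $wan_if inet proto { tcp udp } from any to $dns_server port 53 keep state
```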
 

Accepted Solution

by: HWC003
Added a second PFSense firewall and that worked; changing routes didn't.
 

Author Closing Comment

by:HWC003
Suggestions did not work. Had to add a second firewall, as the problem appears to be unresolvable on a single pfsense application.