Solved

PFsense port forward for DNS

Posted on 2014-12-28
5
393 Views
Last Modified: 2015-01-19
We currently have a PFsense 2.1.5 forwarding DNS requests to an internal DNS server whose default gateway is the PFsense firewall, this works correctly. There also is a ForefrontTMG firewall on a separate external address that forwards DNS requests to the internal DNS server, this works because TMG has the option to make the forwarded DNS packets appear to have come from the TMG internal address rather than the actual originating address.
 I'm replacing the TMG firewall with a second PFsense box. On this the DNS forwarding does not work as the default gateway on the DNS server points to the other PFsense box. Is there a way to make forwarded packets to appear to come from the PFsense box rather then the actual originating address?     TMG has the option but I can't find the equivalent option in PFSense

Thanks
harry
0
Comment
Question by:HWC003
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 40522638
Could you please elaborate more, the question is an unclear! what do you mean exactly by
On this the DNS forwarding does not work as the default gateway on the DNS server points to the other PFsense box.
0
 

Author Comment

by:HWC003
ID: 40523017
FW1 internal address 10.2.200.230    External address  x.x.x.1
FW2 internal address 10.2.200.229    External address  x.x.x.2
DNS-SERVER-FOR-EXTERNAL  10.2.200.20       Default gateway 10.2.200.229               (we use split DNS)
Both firewalls port forward incoming DNS requests to 10.2.200.20 (DNS-SERVER-FOR-EXTERNAL)
A request comes in thru FW2, forwards to DNS-SERVER-FOR-EXTERNAL, which replies thru it's default gateway FW2
A request comes in thru FW1, forwards to DNS-SERVER-FOR-EXTERNAL, which since the request is from an external address,  replies thru it's default gateway FW2 which is the wrong path.
FW1 and FW2 are PfSense .  When FW1 was a Microsoft Forefront TMG there was an option to make the forwarded DNS request look like it came from the TMG, then the DNS server responded to the TMG instead of using the default route.
Basically SNAT. Can this be done on PfSense?
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 40523278
You can create a static nat on pfsense on http://yourpfsenseurl.com/firewall_nat_1to1.php ... but why don't you try and add persistent route on the DNS server ? It would act as a second gateway.

Open CMD as admin there and type this command
route add 0.0.0.0 MASK 0.0.0.0 10.2.200.230 METRIC 1 -p  then hit enter

Type route print and that will show you if it's there or not and then try to make a request and see how it would reply from the correct gateway or not.
0
 

Accepted Solution

by:
HWC003 earned 0 total points
ID: 40549276
Added a second PFSense firewall and that worked changing routes didn't
0
 

Author Closing Comment

by:HWC003
ID: 40557300
Suggestions did not work. Had to add second firewall  as problem appears to be unresolvable on a single pfsense application
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Skype is a P2P (Peer to Peer) instant messaging and VOIP (Voice over IP) service – as well as a whole lot more.
In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
Using Adobe Premiere Pro, the viewer will learn how to set up a sequence with proper settings, importing pictures, rendering, and exporting the finished product.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question