Solved

PFsense port forward for DNS

Posted on 2014-12-28
Last Modified: 2015-01-19
We currently have a pfSense 2.1.5 forwarding DNS requests to an internal DNS server whose default gateway is the pfSense firewall; this works correctly. There is also a Forefront TMG firewall on a separate external address that forwards DNS requests to the internal DNS server. This works because TMG has the option to make the forwarded DNS packets appear to have come from the TMG internal address rather than the actual originating address.
I'm replacing the TMG firewall with a second pfSense box. On this, the DNS forwarding does not work, as the default gateway on the DNS server points to the other pfSense box. Is there a way to make forwarded packets appear to come from the pfSense box rather than the actual originating address? TMG has the option, but I can't find the equivalent option in pfSense.

Thanks
harry
0
Question by:HWC003
5 Comments
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 40522638
Could you please elaborate more? The question is unclear! What do you mean exactly by:
"On this the DNS forwarding does not work as the default gateway on the DNS server points to the other PFsense box."
0
 

Author Comment

by:HWC003
ID: 40523017
FW1 internal address 10.2.200.230    External address  x.x.x.1
FW2 internal address 10.2.200.229    External address  x.x.x.2
DNS-SERVER-FOR-EXTERNAL  10.2.200.20       Default gateway 10.2.200.229               (we use split DNS)
Both firewalls port forward incoming DNS requests to 10.2.200.20 (DNS-SERVER-FOR-EXTERNAL).
A request comes in through FW2 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which replies through its default gateway, FW2.
A request comes in through FW1 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which, since the request is from an external address, replies through its default gateway FW2, which is the wrong path.
FW1 and FW2 are pfSense. When FW1 was a Microsoft Forefront TMG there was an option to make the forwarded DNS request look like it came from the TMG; then the DNS server responded to the TMG instead of using the default route.
Basically SNAT. Can this be done on pfSense?
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 40523278
You can create a static NAT on pfSense at http://yourpfsenseurl.com/firewall_nat_1to1.php ... but why don't you try adding a persistent route on the DNS server? It would act as a second gateway.

Open CMD as admin there and type this command, then hit Enter:

route add 0.0.0.0 MASK 0.0.0.0 10.2.200.230 METRIC 1 -p

Type route print and that will show you if it's there or not, then try to make a request and see whether it replies from the correct gateway or not.
0
 

Accepted Solution

by:
HWC003 earned 0 total points
ID: 40549276
Added a second pfSense firewall and that worked; changing routes didn't.
0
 

Author Closing Comment

by:HWC003
ID: 40557300
Suggestions did not work. Had to add a second firewall, as the problem appears to be unresolvable on a single pfSense application.
0
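The asymmetric return path described in this thread, and the effect of the source NAT the question asks about, modelled as an added example (not part of the thread and not pfSense code). The external client address 198.51.100.7 and the function name trace_query are assumptions; the model covers only the DNS server's route lookup and which firewall holds the NAT state.

```python
import ipaddress

LAN = ipaddress.ip_network("10.2.200.0/24")
DNS_SERVER = ipaddress.ip_address("10.2.200.20")
FIREWALLS = {  # LAN addresses from the thread; WAN addresses kept elided as posted
    "FW1": {"lan": ipaddress.ip_address("10.2.200.230"), "wan": "x.x.x.1"},
    "FW2": {"lan": ipaddress.ip_address("10.2.200.229"), "wan": "x.x.x.2"},
}
DEFAULT_GW = FIREWALLS["FW2"]["lan"]           # the DNS server's default gateway
CLIENT = ipaddress.ip_address("198.51.100.7")  # constructed external resolver


def trace_query(ingress, snat_to_lan=False):
    """Follow one forwarded DNS query and its reply; report what the client sees."""
    fw = FIREWALLS[ingress]
    # Port forward: destination becomes the DNS server. With source NAT on the
    # LAN side, the source also becomes the firewall's own LAN address.
    src_seen_by_server = fw["lan"] if snat_to_lan else CLIENT
    state_owner = ingress  # only the ingress firewall holds the NAT state

    # Server routing decision: on-link destinations are delivered directly,
    # everything else goes to the default gateway.
    next_hop = src_seen_by_server if src_seen_by_server in LAN else DEFAULT_GW
    egress = next(n for n, f in FIREWALLS.items() if f["lan"] == next_hop)

    # The client only accepts an answer from the address it queried, which
    # requires the reply to pass the firewall that holds the state.
    reply_from = FIREWALLS[egress]["wan"]
    return {
        "server_sees": str(src_seen_by_server),
        "reply_via": egress,
        "client_sees_reply_from": reply_from,
        "answered": egress == state_owner and reply_from == fw["wan"],
    }


if __name__ == "__main__":
    for ingress, snat in [("FW2", False), ("FW1", False), ("FW1", True)]:
        print(ingress, "snat" if snat else "no-snat", trace_query(ingress, snat))
```

Without source NAT, a query entering through FW1 is answered via FW2, so the reply never matches the state on FW1; with the source rewritten to 10.2.200.230 the server treats the requester as on-link and the reply returns through FW1.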
