  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 452

PFsense port forward for DNS

We currently have a pfSense 2.1.5 forwarding DNS requests to an internal DNS server whose default gateway is the pfSense firewall; this works correctly. There is also a Forefront TMG firewall on a separate external address that forwards DNS requests to the internal DNS server; this works because TMG has the option to make the forwarded DNS packets appear to have come from the TMG internal address rather than the actual originating address.
I'm replacing the TMG firewall with a second pfSense box. On this the DNS forwarding does not work, as the default gateway on the DNS server points to the other pfSense box. Is there a way to make forwarded packets appear to come from the pfSense box rather than the actual originating address? TMG has the option but I can't find the equivalent option in pfSense.

Thanks
harry
0
HWC003
Asked:
1 Solution
 
Mohammed Hamada (Senior IT Consultant) commented:
Could you please elaborate more; the question is unclear! What do you mean exactly by:
"On this the DNS forwarding does not work, as the default gateway on the DNS server points to the other pfSense box."
0
 
HWC003 (Author) commented:
FW1 internal address 10.2.200.230    External address x.x.x.1
FW2 internal address 10.2.200.229    External address x.x.x.2
DNS-SERVER-FOR-EXTERNAL 10.2.200.20    Default gateway 10.2.200.229    (we use split DNS)
Both firewalls port forward incoming DNS requests to 10.2.200.20 (DNS-SERVER-FOR-EXTERNAL).
A request comes in through FW2 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which replies through its default gateway, FW2.
A request comes in through FW1 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which, since the request is from an external address, replies through its default gateway, FW2, which is the wrong path.
FW1 and FW2 are pfSense. When FW1 was a Microsoft Forefront TMG there was an option to make the forwarded DNS request look like it came from the TMG; then the DNS server responded to the TMG instead of using the default route.
Basically SNAT. Can this be done on pfSense?
0
 
Mohammed Hamada (Senior IT Consultant) commented:
You can create a static NAT on pfSense at http://yourpfsenseurl.com/firewall_nat_1to1.php ... but why don't you try adding a persistent route on the DNS server? It would act as a second gateway.

Open CMD as admin there and type this command, then hit Enter:
route add 0.0.0.0 MASK 0.0.0.0 10.2.200.230 METRIC 1 -p

Type route print and that will show you whether it's there or not; then try to make a request and see whether it replies via the correct gateway or not.
0
 
HWC003 (Author) commented:
Added a second pfSense firewall and that worked; changing routes didn't.
0
 
HWC003 (Author) commented:
Suggestions did not work. Had to add a second firewall, as the problem appears to be unresolvable on a single pfSense appliance.
0
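The source NAT the author asks about, expressed as an added example that is not part of the original thread: a pf ruleset of the kind pfSense builds from its NAT pages (port forward plus a manual outbound NAT rule on the LAN interface), using the thread's addresses. 203.0.113.1 stands in for the page's x.x.x.1, and the interface names em0/em1 are assumptions.

```pf
# Added example, not from the thread. Macros use the addresses the author posted;
# 203.0.113.1 is a placeholder for the WAN address "x.x.x.1", em0/em1 are assumed.
ext_if  = "em0"            # FW1 WAN interface (assumed name)
int_if  = "em1"            # FW1 LAN interface (assumed name)
fw1_wan = "203.0.113.1"    # placeholder for x.x.x.1
fw1_lan = "10.2.200.230"   # FW1 internal address
dns_srv = "10.2.200.20"    # DNS-SERVER-FOR-EXTERNAL

# 1. Port forward (pfSense "Firewall > NAT > Port Forward"):
#    inbound DNS on the WAN address is redirected to the internal DNS server.
rdr on $ext_if inet proto { tcp, udp } from any to $fw1_wan port 53 -> $dns_srv port 53

# 2. Source NAT on the LAN side (pfSense "Firewall > NAT > Outbound", manual mode,
#    rule on the LAN interface, destination 10.2.200.20 port 53, translation =
#    interface address). The forwarded query now carries 10.2.200.230 as its source,
#    a directly connected address, so the server's reply never consults its default
#    gateway (FW2) and the pf state on FW1 sees both directions of the flow.
nat on $int_if inet proto { tcp, udp } from any to $dns_srv port 53 -> $fw1_lan

# 3. Filter rule allowing the redirected traffic (evaluated after translation,
#    so it matches the post-rdr destination).
pass in quick on $ext_if inet proto { tcp, udp } from any to $dns_srv port 53 keep state
```

Because the DNS server then sees every external query as coming from 10.2.200.230, its own logs no longer record real client addresses; keep per-client visibility on the firewall (pfSense state table or rule logging) if you rely on it for abuse investigation.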
