Solved

PFsense port forward for DNS

Posted on 2014-12-28
314 Views
Last Modified: 2015-01-19
We currently have a PFsense 2.1.5 forwarding DNS requests to an internal DNS server whose default gateway is the PFsense firewall; this works correctly. There is also a Forefront TMG firewall on a separate external address that forwards DNS requests to the internal DNS server. This works because TMG has the option to make the forwarded DNS packets appear to have come from the TMG internal address rather than the actual originating address.
I'm replacing the TMG firewall with a second PFsense box. On this the DNS forwarding does not work, as the default gateway on the DNS server points to the other PFsense box. Is there a way to make forwarded packets appear to come from the PFsense box rather than the actual originating address? TMG has the option, but I can't find the equivalent option in PFSense.

Thanks
harry
Question by: HWC003
5 Comments
 

Expert Comment

by:Mohammed Hamada
ID: 40522638
Could you please elaborate more? The question is unclear! What do you mean exactly by:
"On this the DNS forwarding does not work as the default gateway on the DNS server points to the other PFsense box."
 

Author Comment

by:HWC003
ID: 40523017
FW1 internal address 10.2.200.230, external address x.x.x.1
FW2 internal address 10.2.200.229, external address x.x.x.2
DNS-SERVER-FOR-EXTERNAL 10.2.200.20, default gateway 10.2.200.229 (we use split DNS)
Both firewalls port forward incoming DNS requests to 10.2.200.20 (DNS-SERVER-FOR-EXTERNAL).
A request comes in through FW2 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which replies through its default gateway, FW2.
A request comes in through FW1 and is forwarded to DNS-SERVER-FOR-EXTERNAL, which, since the request is from an external address, replies through its default gateway, FW2, which is the wrong path.
FW1 and FW2 are PfSense. When FW1 was a Microsoft Forefront TMG there was an option to make the forwarded DNS request look like it came from the TMG; then the DNS server responded to the TMG instead of using the default route.
Basically SNAT. Can this be done on PfSense?
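For what the post calls SNAT, the pf rule shape below is what a port forward combined with a manual Outbound NAT rule on the LAN interface amounts to on a pf-based firewall such as pfSense. This is an added example, not configuration from the thread or from pfSense itself; the addresses are the ones given in the post, the interface names are assumptions, and the thread did not confirm this working on the setup described.

```pf
# Hypothetical pf.conf fragment for FW1 (added example, not from the thread).
# Addresses come from the post; interface names em0/em1 are assumptions.
ext_if  = "em0"            # FW1 WAN, holds x.x.x.1 (placeholder kept from the post)
int_if  = "em1"            # FW1 LAN, 10.2.200.230
fw1_lan = "10.2.200.230"
dns_srv = "10.2.200.20"

# Step 1: the existing port forward. Incoming DNS on the WAN address is
# redirected to the internal DNS server. On its own the packet still
# carries the Internet client's source address, so the server's reply
# follows its default route out via FW2 (10.2.200.229): asymmetric path,
# and FW1 never sees the answer.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 53 -> $dns_srv port 53

# Step 2: source NAT on the way out of the LAN interface. Only the
# redirected DNS traffic is rewritten to FW1's LAN address, so the server
# answers FW1 directly and the reply never depends on its default gateway.
# The trade-off: the DNS server's query logs now show 10.2.200.230
# instead of the real client address.
nat on $int_if proto { tcp, udp } from any to $dns_srv port 53 -> $fw1_lan

# Step 3: allow the forwarded traffic. pf applies rdr before the filter
# rules, so the pass rule is written against the translated destination.
pass in quick on $ext_if proto { tcp, udp } from any to $dns_srv port 53 keep state
```

In pfSense terms the second rule corresponds to switching Firewall > NAT > Outbound to manual rule generation and adding a rule on the LAN interface with destination 10.2.200.20 port 53 translated to the interface address.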
 

Expert Comment

by:Mohammed Hamada
ID: 40523278
You can create a static NAT on pfSense at http://yourpfsenseurl.com/firewall_nat_1to1.php ... but why don't you try adding a persistent route on the DNS server? It would act as a second gateway.

Open CMD as admin there and type this command:
route add 0.0.0.0 MASK 0.0.0.0 10.2.200.230 METRIC 1 -p
then hit Enter.

Type route print and that will show you whether it's there or not; then try to make a request and see whether it replies via the correct gateway or not.
 

Accepted Solution

by:
HWC003 earned 0 total points
ID: 40549276
Added a second PFSense firewall and that worked; changing routes didn't.
 

Author Closing Comment

by:HWC003
ID: 40557300
Suggestions did not work. Had to add a second firewall, as the problem appears to be unresolvable on a single pfSense application.
