On 4/29/2013 8:36 AM, Bryant Zimmerman wrote:
> I have several VLANs on a pfSense deployment. VLAN 100 has one of our
> public DNS servers on it. I have a customer VLAN 2000 that needs to be
> able to relay through the DNS server. The customer's VLAN is routed out
> one block of addresses and our VLAN is on another.
>
> The issue is we do not allow routing of private addresses between the
> VLANs, so I need the customer VLAN to be able to bounce out on its
> public address and back in on the public address of our DNS server. I
> can ping correctly but port 53 DNS traffic is not working. I am really
> stumped as to what is going on. If I open up a pinhole to the private
> address it works, but this is against our security protocol. Is there
> something special I might need to add to the outbound NAT rules to get
> this to work?
You need to allow them to reach each other on the private IPs. No matter what you do, there is no way around that requirement, short of actually proxying the traffic with a daemon rather than NAT. There is practically zero benefit to the method you're attempting anyhow. Allow them to reach the private IPs of the target server and it will all work.

You may need to enable NAT reflection (System > Advanced, Firewall/NAT), but even then, the firewall rules apply *after* NAT, so the target will always be the private IP of the server. The only way to achieve the kind of isolation you're after would be to have both of those on completely separate firewalls, so the firewalls have no direct knowledge of the NAT involved on the destination. A lot of trouble for a negligible security benefit.

As for the 'proxy' method, you could use the built-in load balancer (relayd) to set up a balance "pool" of one server, using a separate virtual server for each external IP doing DNS and pointing back to the private server rather than doing NAT. relayd will actually proxy the traffic, terminating the connection on the firewall, so the above NAT issues do not apply. However, you lose the source address of the DNS client in the process, so it's not all sunshine and rainbows...

Just allow the traffic to the private IPs of the DNS servers and be done with it.

Jim
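The relayd route Jim describes, written out as an added example that is not part of the original thread: a hand-written relayd.conf in the syntax of relayd.conf(5), with one relay per external IP forwarding to a single-member "pool" that holds the private DNS server. pfSense normally generates this file from its Load Balancer GUI, so read this as an illustration of what that setup amounts to, not as a file to drop onto a pfSense box. The addresses 203.0.113.10 and 203.0.113.11 (public IPs held by the firewall) and 10.100.0.53 (the DNS server on VLAN 100) are assumed placeholders from documentation ranges, as are the relay and protocol names.

```conf
# Assumed addresses (documentation ranges), not from the original post:
#   203.0.113.10 / 203.0.113.11  public IPs the firewall answers on
#   10.100.0.53                  the DNS server's private IP on VLAN 100
dns_server="10.100.0.53"

# A "pool" of exactly one backend, as Jim suggests.
table <dnspool> { $dns_server }

# relayd's DNS protocol handler: it pairs UDP answers with requests by
# query ID and also carries DNS over TCP.
dns protocol "dnsproxy" {
	tcp { nodelay, sack, socket buffer 1024 }
}

# One relay (a pfSense "virtual server") per external IP. relayd accepts
# the query on the public address and opens its own connection to the
# backend, so the filter never has to match the public IP after NAT and
# the backend sees the firewall, not the customer host, as the client.
relay "dns-ext1" {
	listen on 203.0.113.10 port 53
	protocol "dnsproxy"
	# "check tcp" assumes the DNS server also answers on TCP/53.
	forward to <dnspool> port 53 mode loadbalance check tcp
}

relay "dns-ext2" {
	listen on 203.0.113.11 port 53
	protocol "dnsproxy"
	forward to <dnspool> port 53 mode loadbalance check tcp
}
```

With this in place the customer VLAN only needs a firewall rule permitting TCP and UDP port 53 to the two listen addresses; no rule toward the private IP is required, because the backend connection originates from the firewall itself. The cost is the one Jim names: every query logged on the DNS server, and anything that rate-limits or ACLs by client address, now sees only the firewall's IP.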
