Hey guys, Need some help with DNS queries behind a router. I set up a DNS server in my network and it responds when I'm within my network. I tried nslookup from localhost on the DNS server and also from the LAN and it works just fine, but when I use the public IP of the router for the network, which should forward the port to the DNS server, it says "unexpected reply from 192.168.1.101, expected from the (public IP, which I won't display in this email)." Does that mean the port forwarding is working? I performed the query from the router itself and it seems like it's working because 192.168.1.101 (the DNS server) did respond. But with those weird responses, you never get a clear-cut answer; it just keeps saying the same thing: "unexpected reply from 192.168.1.101, expected from the..."
Here's the router's pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0"                  # External Interface (169.229.158.0/24)
int_if = "xl0"                  # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50"      # Redundant Sun Servers
nameserver = "192.168.1.101"    # Dell L400 Celeron
webports = "{ http , https }"
domainport = "{ domain }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in all

# nat
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if

# rdr for http
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver

# rdr for domain (tcp)
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver

# rdr for domain (udp)
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver

# pass rules
block in                        # Default Deny
pass out keep state
antispoof quick for { lo }
pass in inet proto icmp all icmp-type $icmp_types keep state    # Let Ping In
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $nameserver port $domainport
pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
    flags S/SA synproxy state

# Basic CARP/pfsync pass rules
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync

# Internet-Facing CARP rules
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Outside
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $webports flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to (carp0) \
    port $domainport
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $domainport flags S/SA synproxy state

# LAN-Facing CARP rules
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $tcp_services flags S/SA keep state    # Allow SSH Access from Inside
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $webports flags S/SA synproxy state
pass in on $int_if inet proto udp from $localnet to (carp1) \
    port $domainport
pass in on $int_if inet proto tcp from $localnet to (carp1) \
    port $domainport flags S/SA synproxy state

Thanks in advance,
Vivek
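An added example, not part of the post above and not OpenBSD's or pf's own tooling: a small Python checker that parses the nat/rdr section of a pf.conf (macros, continuation lines, comments) and reports every rdr rule that redirects traffic from a specific client network but has no nat rule on the same interface rewriting those clients' source address toward the redirect target. In pf, a redirect alone rewrites only the destination; when a LAN client sends a query to the router's external address and the server sits on the same LAN, the server answers the client directly from its own address (here 192.168.1.101), which is exactly the "unexpected reply from ... expected from ..." mismatch a resolver reports. The embedded config is the nat/rdr excerpt of the posted pf.conf. Assumptions: the parser handles only the `nat`/`rdr ... -> target` rule shape used in that excerpt, ignores `no nat` lines, and treats a nat rule whose destination is `any` or the rdr target as covering the redirect.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Excerpt of the nat/rdr section of the pf.conf from the post (macros kept so
# the expansion logic is exercised); it is not a complete firewall config.
SAMPLE_PF_CONF = r"""
ext_if = "re0"                  # External Interface
int_if = "xl0"                  # Internal Interface
localnet = $int_if:network
webserver = "192.168.1.50"
nameserver = "192.168.1.101"
webports = "{ http , https }"
domainport = "{ domain }"
nat on $ext_if from $localnet to any -> ($ext_if)
no nat on $int_if proto tcp from $int_if to $localnet
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
"""


@dataclass(frozen=True)
class Rule:
    kind: str               # "nat" or "rdr"
    iface: str
    proto: str              # "tcp", "udp" or "any" when no proto is given
    src: str
    dst: str
    port: FrozenSet[str]    # empty set means "any port"
    target: str


MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*$')
# Only the rule shape used in the excerpt: [nat|rdr] on IF [proto P] from S to D [port X] -> T
RULE_RE = re.compile(
    r'^(?P<kind>nat|rdr)\s+on\s+(?P<iface>\S+)'
    r'(?:\s+proto\s+(?P<proto>\S+))?'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'(?:\s+port\s+(?P<port>\{[^}]*\}|\S+))?'
    r'\s+->\s+(?P<target>\S+)'
)


def _preprocess(text: str) -> List[str]:
    """Join backslash continuations, strip comments and blank lines."""
    joined = re.sub(r'\\\s*\n', ' ', text)
    lines = []
    for raw in joined.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            lines.append(line)
    return lines


def _expand(line: str, macros: Dict[str, str]) -> str:
    """Substitute $macro references; repeated because macros may reference macros."""
    for _ in range(10):
        new = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def _ports(spec) -> FrozenSet[str]:
    """'{ http , https }' -> {'http', 'https'}; None -> empty set (any port)."""
    if spec is None:
        return frozenset()
    return frozenset(p for p in re.split(r'[\s,{}]+', spec) if p)


def _host(spec: str) -> str:
    """'(re0)' and 're0' name the same interface; drop the dynamic-address parens."""
    return spec.strip('()')


def parse_rules(text: str) -> List[Rule]:
    macros: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in _preprocess(text):
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        r = RULE_RE.match(_expand(line, macros))
        if r:    # 'no nat' and other rule types are ignored by this checker
            rules.append(Rule(kind=r['kind'], iface=r['iface'], proto=r['proto'] or 'any',
                              src=r['src'], dst=_host(r['dst']), port=_ports(r['port']),
                              target=_host(r['target'])))
    return rules


def unreflected_rdrs(rules: List[Rule]) -> List[Rule]:
    """rdr rules for a specific client network with no matching nat rule on the
    same interface toward the redirect target, i.e. redirects whose replies will
    come back straight from the server's own address instead of via the router."""
    nats = [r for r in rules if r.kind == 'nat']
    missing = []
    for rdr in rules:
        if rdr.kind != 'rdr' or rdr.src == 'any':
            continue    # redirects for outside clients do not need reflection nat
        covered = any(
            n.iface == rdr.iface
            and n.proto in ('any', rdr.proto)
            and n.src == rdr.src
            and n.dst in ('any', rdr.target)
            and (not n.port or rdr.port <= n.port)
            for n in nats)
        if not covered:
            missing.append(rdr)
    return missing


if __name__ == "__main__":
    for r in unreflected_rdrs(parse_rules(SAMPLE_PF_CONF)):
        print(f"rdr on {r.iface} proto {r.proto} from {r.src} to {r.dst} "
              f"port {sorted(r.port)} -> {r.target}: no matching nat rule")
```

Run against the excerpt, the checker reports the four LAN-side domain redirects (tcp and udp, to the external and to the internal address) as lacking a nat counterpart, while the http redirects are covered by the existing `nat on $int_if ... to $webserver port $webports -> $int_if` line.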