On Monday, April 29, 2013, Yehuda Katz wrote:

> Short reply since I am on a mobile device: NAT Reflection
>
> On Monday, April 29, 2013, Bryant Zimmerman wrote:
>
>> I have several VLANs on a pfSense deployment. VLAN 100 has one of our
>> public DNS servers on it. I have a customer VLAN 2000 that needs to be able
>> to relay through the DNS server. The customer's VLAN is routed out one block
>> of addresses and our VLAN is on another.
>>
>> The issue is we do not allow routing of private addresses between the
>> VLANs, so I need the customer VLAN to be able to bounce out on its public
>> address and back in on the public address of our DNS server. I can ping
>> correctly, but port 53 DNS traffic is not working. I am really stumped as to
>> what is going on. If I open up a pinhole to the private address it works,
>> but this is against our security protocol. Is there something special I might
>> need to add to the outbound NAT rules to get this to work?
>>
>> Thanks
>> Bryant
>>
>>
>>
I am going to have to disagree with my brother on this one.

While it looks similar to the NAT Reflection problem, the fact that the
vlans are using separate public address blocks implies that the problem is
a more subtle one with routing.  Because the pfsense knows that it has both
addresses, the route to go from one to the other is probably set (by
default) to not go out to the Internet.  You can confirm this by looking
at the routes page in the web interface.  To fix it, you need to add a
route manually to tell it to send the traffic out on the Internet instead
of directly from one vlan to the other.

Moshe


-- 
Moshe Katz
-- [email protected]
-- +1(301)867-3732
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
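The reasoning in Moshe's reply comes down to longest-prefix-match route selection: a destination that falls inside a block pfSense has directly connected will always be delivered out that VLAN interface rather than via the default route, so WAN outbound NAT never sees the packet. The following is an added example, not code from the thread or from pfSense. It walks a constructed routing table shaped like the Diagnostics > Routes page (the prefixes, the interface names em0_vlan100, em0_vlan2000, em1_wan, and the DNS address 203.0.113.5 are all made up) and shows how the selected route changes once a more specific host entry is present.

```python
"""Longest-prefix-match walk over a constructed pfSense-style routing table.

Added illustration, not from the original mailing-list thread. All
addresses, blocks and interface names below are made up for the example.
"""
import ipaddress

# Constructed table: (destination prefix, gateway, interface).
# "link" marks a directly connected network, i.e. delivered locally.
ROUTES = [
    ("0.0.0.0/0",      "198.51.100.1", "em1_wan"),      # default route to the ISP
    ("203.0.113.0/28", "link",         "em0_vlan100"),  # our public block (DNS server)
    ("192.0.2.0/24",   "link",         "em0_vlan2000"), # customer public block
    ("10.100.0.0/24",  "link",         "em0_vlan100"),  # private side of VLAN 100
    ("10.200.0.0/24",  "link",         "em0_vlan2000"), # private side of VLAN 2000
]

DNS_PUBLIC = "203.0.113.5"  # constructed public address of the DNS server


def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway, interface) of the most specific matching route.

    The kernel picks the longest matching prefix, so a connected /28 beats the
    /0 default, and a /32 host route beats both.
    """
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return (str(best[0]), best[1], best[2])


def leaves_via_wan(dst, routes=ROUTES):
    """True if the chosen route hands the packet to a gateway (so WAN outbound
    NAT can apply); False if it is delivered on a connected interface."""
    return lookup(dst, routes)[1] != "link"


def with_host_route(routes, host, gateway, iface):
    """Copy of `routes` with a /32 static entry added, the kind of manual
    route Moshe proposes adding under System > Routing."""
    return [(f"{host}/32", gateway, iface)] + list(routes)


if __name__ == "__main__":
    print("default table  :", lookup(DNS_PUBLIC), "via WAN?", leaves_via_wan(DNS_PUBLIC))
    patched = with_host_route(ROUTES, DNS_PUBLIC, "198.51.100.1", "em1_wan")
    print("with host route:", lookup(DNS_PUBLIC, patched), "via WAN?", leaves_via_wan(DNS_PUBLIC, patched))
```

Running it shows the connected /28 winning for 203.0.113.5 in the default table, which is exactly what the routes page would reveal, and the /32 entry taking precedence once added. Whether pushing hairpin traffic out to the upstream gateway is acceptable in a given deployment is a separate question the thread does not settle; the example only models the lookup.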