On 2013-04-29 08:47, Jim Pingle wrote:
On 4/29/2013 8:36 AM, Bryant Zimmerman wrote:
I have several VLANs on a pfSense deployment. VLAN 100 has one of our public DNS servers on it. I have a customer VLAN 2000 that needs to be able to relay through the DNS server. The customer's VLAN is routed out one block of addresses and our VLAN is on another.

The issue is we do not allow routing of private addresses between the VLANs, so I need the customer VLAN to be able to bounce out on its public address and back in on the public address of our DNS server. I can ping correctly, but port 53 DNS traffic is not working. I am really stumped as to what is going on. If I open up a pinhole to the private address it works, but this is against our security protocol. Is there something special I might need to add to the outbound NAT rules to get this to work?
You need to allow them to reach each other on the private IPs. No matter what you do, there is no way around that requirement, short of actually proxying the traffic with a daemon rather than NAT.

There is practically zero benefit to the method you're attempting anyhow. Allow them to reach the private IPs of the target server and it will all work. You may need to enable NAT reflection (System > Advanced, Firewall/NAT) but even then, the firewall rules apply *after* NAT, so the target will always be the private IP of the server.

The only way to achieve the kind of isolation you're after would be to have both of those be on completely separate firewalls so the firewalls have no direct knowledge of the NAT involved on the destination. A lot of trouble for a negligible security benefit.

As for the 'proxy' method, you could use the built-in load balancer (relayd) to set up a balance "pool" of one server using a separate virtual server for each external IP doing DNS pointing back to the private server rather than doing NAT. relayd will actually proxy the traffic, terminating the connection on the firewall so the above NAT issues do not apply. However, you lose the source address of the DNS client in the process, so it's not all sunshine and rainbows...

Just allow the traffic to the private IPs of the DNS servers and be done with it.

Jim
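A small model of the order of operations Jim describes (rdr/NAT first, then filter rules), added here as an illustration and not part of the thread; every address is a constructed example, and the pass-rule evaluation is simplified to destination and port:

```python
"""Model of pf packet processing for the NAT-reflection case discussed above.

Added illustration, not from the original post: in pf, rdr (port forward /
1:1 NAT) is applied to an inbound packet before the filter rules are
evaluated, so a pass rule that names only the server's public address never
matches reflected traffic, and a rule naming the private address is needed.
Addresses are constructed examples (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass, replace

DNS_PUBLIC = "198.51.100.53"   # constructed: public IP mapped to the DNS server
DNS_PRIVATE = "10.100.0.53"    # constructed: DNS server's address on VLAN 100
CUSTOMER_SRC = "10.200.0.25"   # constructed: a client on customer VLAN 2000

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Port forward written for WAN: public DNS address -> private server address.
RDR_TABLE = {DNS_PUBLIC: DNS_PRIVATE}

def apply_rdr(pkt: Packet, reflection: bool) -> Packet:
    """NAT reflection makes the WAN rdr rule also act on internal interfaces."""
    if reflection and pkt.dst in RDR_TABLE:
        return replace(pkt, dst=RDR_TABLE[pkt.dst])
    return pkt

def filter_rules(pkt: Packet, allowed_dsts: set[str]) -> bool:
    """Pass rules on the customer VLAN, evaluated on the already-translated packet."""
    return pkt.dport == 53 and pkt.dst in allowed_dsts

def process(pkt: Packet, allowed_dsts: set[str], reflection: bool) -> tuple[str, bool]:
    """Return (destination the filter actually saw, passed?) in pf order: rdr, then filter."""
    translated = apply_rdr(pkt, reflection)
    return translated.dst, filter_rules(translated, allowed_dsts)

if __name__ == "__main__":
    query = Packet(CUSTOMER_SRC, DNS_PUBLIC, 53)
    # Original poster's rule set: only the public address is allowed -> blocked.
    print(process(query, {DNS_PUBLIC}, reflection=True))   # ('10.100.0.53', False)
    # Jim's fix: allow the private address ("pinhole") -> passes.
    print(process(query, {DNS_PRIVATE}, reflection=True))  # ('10.100.0.53', True)
```

Without reflection the filter sees the public address unchanged, so the rule matches, but the packet is then addressed to the firewall's own VIP rather than the server, which is why a pinhole to the private address was the only configuration that worked.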
One other possibility, which I'm using right now in a similar situation: use a VPN client on the PC whose end-point is in the remote non-routable network. It's a much bigger security hole (in real life) than allowing direct communication between the DNS server and the PC, but it might not be specifically contraindicated by your security policy, in which case you might be able to implement this.
-Adam Thompson
[email protected]
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list