Check your bind config. It's likely not configured to respond to
non-local network IP addresses.



On 11/15/08, Vivek Ayer <[EMAIL PROTECTED]> wrote:
> Hey guys,
>
> Need some help with DNS queries behind a router. I set up a DNS server
> in my network and it responds when I'm within my network. I tried
> nslookup from localhost on the dns server and also from the LAN and it
> works just fine, but when I use the public IP of the router for the
> network, which should forward the port to the DNS server, it says
> "unexpected reply from 192.168.1.101, expected from the (public IP,
> which I won't display in this email)." Does that mean the port
> forwarding is working? I performed the query from the router itself
> and it seems like it's working because 192.168.1.101 (The DNS server)
> did respond. But with those weird responses, you never get a clear cut
> answer; it just keeps saying the same thing: "unexpected reply from
> 192.168.1.101, expected from the..."
>
> Here's the router's pf.conf:
>
> #     $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> # macros
> ext_if = "re0" # External Interface (169.229.158.0/24)
> int_if = "xl0" # Internal Interface (192.168.1.0/24)
> localnet = $int_if:network
> webserver = "192.168.1.50" # Redundant Sun Servers
> nameserver = "192.168.1.101" # Dell L400 Celeron
> webports = "{ http , https }"
> domainport = "{ domain }"
> tcp_services = "{ ssh }"
> icmp_types = "echoreq"
> carpdevs = "{ carp0 , carp1 }"
> syncdev = "{ re1 }"
> carp_mcast = "224.0.0.18"
>
> # extra tweaks
> set skip on lo
> set block-policy return
> set loginterface $ext_if
> scrub in all
>
> # nat
> nat on $ext_if from $localnet to any -> ($ext_if)
> no nat on $int_if proto tcp from $int_if to $localnet
> nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
>
> # rdr for http
> rdr on $ext_if proto tcp from any to any port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver
> rdr on $int_if proto tcp from $localnet to $int_if port $webports -> $webserver
>
> # rdr for domain (tcp)
> rdr on $ext_if proto tcp from any to any port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto tcp from $localnet to $int_if port $domainport -> $nameserver
>
> # rdr for domain (udp)
> rdr on $ext_if proto udp from any to any port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $ext_if port $domainport -> $nameserver
> rdr on $int_if proto udp from $localnet to $int_if port $domainport -> $nameserver
>
> # pass rules
> block in # Default Deny
> pass out keep state
> antispoof quick for { lo }
> pass in inet proto icmp all icmp-type $icmp_types keep state # Let Ping In
> pass in quick on $int_if
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to $webserver port $webports \
>    flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to $nameserver port $domainport
> pass in on $ext_if inet proto tcp from any to $nameserver port $domainport \
>    flags S/SA synproxy state
>
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
> pass quick on $ext_if proto carp \
>    from $ext_if:network to $carp_mcast keep state
> pass on $syncdev proto pfsync
>
> # Internet-Facing CARP rules
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $webports flags S/SA synproxy state
> pass in on $ext_if inet proto udp from any to (carp0) \
>    port $domainport
> pass in on $ext_if inet proto tcp from any to (carp0) \
>    port $domainport flags S/SA synproxy state
>
> # LAN-Facing CARP rules
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $tcp_services flags S/SA keep state # Allow SSH Access from Inside
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $webports flags S/SA synproxy state
> pass in on $int_if inet proto udp from $localnet to (carp1) \
>    port $domainport
> pass in on $int_if inet proto tcp from $localnet to (carp1) \
>    port $domainport flags S/SA synproxy state
>
>
> Thanks in advance,
> Vivek
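Added example (not part of the thread above, and not the poster's or the OpenBSD project's file): the posted pf.conf carries the "reflection" nat rule only for TCP to $webserver, not for DNS to $nameserver. Without it, a LAN client that queries the router's public address has its packet redirected to 192.168.1.101, but the nameserver sits on the same subnet and answers the client directly, so the reply arrives with source 192.168.1.101 instead of the public IP and the resolver prints exactly "unexpected reply from 192.168.1.101". The fragment below reuses the macros from the posted config ($int_if, $ext_if, $localnet, $nameserver, $domainport) and the pre-4.7 nat/rdr syntax the file already uses; it assumes the queries that failed were sent from LAN hosts.

```pf
# Added example: NAT reflection for the DNS redirect (OpenBSD 4.x syntax).
# Macros ($int_if, $ext_if, $localnet, $nameserver, $domainport) are the
# ones defined in the posted pf.conf; nothing else is assumed.

# Redirects as in the posted config, collapsed with a proto list so TCP
# and UDP DNS share one rule each.
rdr on $int_if proto { tcp, udp } from $localnet to $ext_if port $domainport -> $nameserver
rdr on $int_if proto { tcp, udp } from $localnet to $int_if port $domainport -> $nameserver

# Reflection: after the rdr, rewrite the client's source address to the
# router's internal address, so the nameserver's reply is sent back to the
# router, which undoes both translations before the client sees the packet.
# The "no nat" line keeps the router's own traffic to the LAN untranslated.
no nat on $int_if proto { tcp, udp } from $int_if to $localnet
nat on $int_if proto { tcp, udp } from $localnet to $nameserver port $domainport -> $int_if
```

These are translation rules, so they belong in the nat/rdr section before the first "block in"; check the file with `pfctl -nf /etc/pf.conf` before loading it. To confirm the diagnosis rather than guess, run `tcpdump -n -i xl0 port 53` on the router while a LAN host queries the public address: without the nat rule you see the query leave toward 192.168.1.101 but no reply come back through the router. A query run on the router itself against its own public address is delivered over lo0 (which the config skips) and never hits the rdr on $ext_if, so the external path has to be tested from a host outside the network.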
