Solved pf NAT with local DNS server

JohnnySorocil

JohnnySorocil

Is it possible to have NAT but to use local DNS server (unbound) on one host?

I have a FreeBSD router which is connected to Internet. Clients connects to that router via another WLAN interface. That works fine.
Buy I am trying to use unbound daemon run on that router to do some basic filtering. That works fine but only from that router. WLAN clients can't use that DNS server.

Best I can do is to redirect DNS to another external DNS in pf.conf:
Code: 
rdr log on $int_if inet proto {tcp, udp} from any to any port domain -> 1.1.1.1



If I try to redirect it to 127.0.0.1 or 192.168.11.1 (address of the router, unbound listen on that address and on 127.0.0.1) and issue "ping www.opendns.org":
Code: 
pf.conf:
rdr pass log on $int_if proto {tcp, udp} from any to any port domain -> 127.0.0.1
rdr pass log on $int_if proto {tcp, udp} from any to any port domain -> 192.168.11.1

pflog:
00:00:12.880126 rule 1/0(match): rdr in on wlan0: 192.168.11.2.64436 > 127.0.0.1.53: 47724+ A? www.opendns.org. (33)

unbound.log:
- nothing

Is that possible with pf?
Redirections cannot reflect packets back through the interface they
arrive on, they can only be redirected to hosts connected to different
interfaces or to the firewall itself.
Click to expand...
forums.freebsd.org

PF - Redirect all local outbound traffic

I've been searching high and low for days and I'm 100% stuck with PF. Essentially I want to take all of my local, outbound HTTP(S) traffic and redirect it to a local proxy on 127.0.0.1:7777. I've tried every rdr, rdr-to, nat-to, nat on combo I came across and none of them seem to work. Could...
forums.freebsd.org forums.freebsd.org
kpa said:
PF can not redirect traffic that originates from the host itself because the routing decision for the traffic has been already made by the time it gets to the filter. It's a FreeBSD specific limitation that does not exist on OpenBSD's PF for example.
Click to expand...

Can I use alias on the interface and then redirect? Something else?
 
Instead of redirect it's better to use DHCP to give the clients the DNS settings that you want and deny all other DNS servers for the LAN. This will force all clients to use only your DNS service unless they are making some VPN to outside.
 
I believe your problem is not with pf but rather with unbound only listening on the local loopback interface thus providing it's service to the local machine only.
Section 29.7.2 DNS Server Configuration of the FreeBSD handbook states:
Unbound is provided in the FreeBSD base system. By default, it will provide DNS resolution to the local machine only. While the base system package can be configured to provide resolution services beyond the local machine, it is recommended that such requirements be addressed by installing Unbound from the FreeBSD Ports Collection.
Click to expand...
In order to provide DNS services to your network you would need to configure unbound to also isten on your LAN/WLAN interfaces. Your pf needs to pass DNS traffic destined to your LAN/WLAN interfaces, and if you want to enforce use of your on-site DNS server it should block any DNS traffic originating from your LAN/WLAN and destined to any other address than your DNS server. And as VladiBG already pointed out, your clients should be configured to use your on-site DNS server by means of DHCP.
 
Thanks for the replies!
Problem was in my configuration of unbound, I missed part with allowing clients to make queries to my DNS:
Code: 
access-control: 192.168.1.0/24 allow

After adding that part and restarting DNS server, it is working as intended :)
 
You must log in or register to reply here.
Back
Top