Two firewalls: pfSense blocks name resolutions for my IPfire?

Hi guys,
I’m a keen security/network hobbyist and always interested to try out different FW/router distros.

My home network is pretty decent size and my network edge consists of the following devices:
(Internet) -> cable modem/bridge (stripped of all other features) -> first firewall: pfSense -> second firewall: IPfire -> router/WAP: DD-WRT (with DHCP for LAN) -> core switch -> followed by rest of the LAN devices (SIEM, servers, desktops etc.).

I just bought new hardware (Protectli FW2B) as my second firewall and I would like to place it right after my first FW (pfSense). I’ve been trying to install various FW distros into it and I get them all installed fine, but I encounter the same problem every time when trying them out:
My DNS gets broken in my new FW and it simply can’t make any name resolutions. Pinging external IP addresses (e.g. 8.8.8.8) works fine, and all services in my LAN which don’t require any DNS resolution work fine. I like IPfire and I would like to set it up as my second FW after pfSense.

I’ve set static IPs with /29 bit mask between my pfSense and the new FW (IPfire). No DHCP service between these two FWs and I haven’t configured anything else in my new IPfire. I can make name resolutions from pfSense, but not with any other device behind it (e.g. from my freshly installed IPfire). Therefore I believe the culprit must be my pfSense FW which seems to somehow block or not forward any name resolutions.

I’ve tried various solutions e.g. I tried to make DNS NAT rule (port 53) from pfSense to IPfire, tried setting up various third-party resolvers in IPfire (e.g. 9.9.9.9, 1.1.1.1 etc.), tried enabling DNSsec in both firewalls, tried enabling “DNS forwarder” from pfSense (which I’m not even sure how it works), tried disabling/enabling DNS resolver from pfSense (in hope that my IPfire would start resolving names) etc. etc.

Nothing has worked and I just can’t figure out what to do next. To me it sounds like my pfSense is somehow blocking all the name resolutions, but it’s very puzzling, because this blocking happens only after I install my second FW after pfSense. I have had my DD-WRT router behind my pfSense for years without any problems (BTW: however, if I happen to install DD-WRT in my new Protectli HW as a second FW/router, then this new DD-WRT faces the same DNS problem as IPfire).

I’m desperate for any help. Any suggestions?? I’m not a DNS guru but I’m eager to learn. :blush: Thanks a lot!!

Hi,

interesting network setup indeed. :slight_smile:

Could you run the following commands on the IPFire machine and post their results here:

  • dig soa www.ipfire.org
  • dig soa dnssec-failed.org
  • dig soa www.ipfire.org @[internal IP of your pfSense machine]
  • dig soa dnssec-failed.org @[internal IP of your pfSense machine]

If anything else fails, bypassing pfSense by using DNS over TLS to public resolvers might do the trick, but is not satisfying at all.

Thanks, and best regards,
Peter Müller

Hi Peter,
thanks a lot for replying! I did run the dig commands, but as expected, my IPFire is unable to make any name resolutions. I tried setting up various third-party resolvers in IPfire (e.g. 9.9.9.9, 1.1.1.1 etc.), but it didn’t work (Reverse lookup failed). Even recursor mode doesn’t work (status: broken). Below are the results (192.168.xx.xx is my pfSense).

I’m just wondering whether anyone else has got their IPFire (or any other FW for that matter) to resolve names when it is behind pfSense? My pfSense has default DNS settings. I haven’t changed anything related to DNS settings (except all the testing I mentioned earlier, which I did return to default after the tests).

[root@IPfire ~]# dig soa www.ipfire.org

; <<>> DiG 9.11.19 <<>> soa www.ipfire.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@IPfire ~]# dig soa dnssec-failed.org

; <<>> DiG 9.11.19 <<>> soa dnssec-failed.org
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@IPfire ~]# dig soa www.ipfire.org @192.168.xx.xx

; <<>> DiG 9.11.19 <<>> soa www.ipfire.org @192.168.xx.xx
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@IPfire ~]# dig soa dnssec-failed.org @192.168.xx.xx

; <<>> DiG 9.11.19 <<>> soa dnssec-failed.org @192.168.xx.xx
;; global options: +cmd
;; connection timed out; no servers could be reached
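
The four dig runs Peter asked for are meant to be read as a pair of tests: a normal domain versus a deliberately DNSSEC-broken one (dnssec-failed.org), each against the default resolver and against pfSense directly. The helper below is an added example (not from this thread, not part of IPFire or pfSense) that parses dig output and turns the pair into a diagnosis: "no servers could be reached" for both means port 53 traffic is not getting through at all (a packet-filter or forwarding problem on the upstream firewall, which is what the packet-filter logs would confirm), whereas a SERVFAIL only for the broken domain means the resolver is reachable and validating. The SERVFAIL and NOERROR samples are constructed to match dig's output format; the timeout sample is the one shown above.

```python
import re

# Constructed sample dig outputs (not captured from a live network).
# The timeout case matches what the thread shows; the other two are
# what a reachable resolver would return for the same two queries.
TIMEOUT_GOOD = """; <<>> DiG 9.11.19 <<>> soa www.ipfire.org
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

TIMEOUT_BOGUS = """; <<>> DiG 9.11.19 <<>> soa dnssec-failed.org
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

NOERROR_GOOD = """; <<>> DiG 9.11.19 <<>> soa www.ipfire.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

SERVFAIL_BOGUS = """; <<>> DiG 9.11.19 <<>> soa dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

NOERROR_BOGUS = """; <<>> DiG 9.11.19 <<>> soa dnssec-failed.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

# Plain-language meaning of each verdict, for the person reading the output.
MEANING = {
    "path-blocked": "No DNS reply at all: UDP/TCP 53 is being dropped or not "
                    "forwarded between this host and the resolver. Check the "
                    "upstream firewall's packet-filter logs and NAT/forwarding rules.",
    "resolver-failing": "Resolver answers, but fails even a normal domain: the "
                        "resolver itself is misconfigured or has no upstream.",
    "validating-ok": "Resolver reachable and DNSSEC-validating (good domain "
                     "NOERROR, broken domain SERVFAIL).",
    "not-validating": "Resolver reachable but NOT validating DNSSEC: it answered "
                      "the deliberately broken domain with NOERROR.",
    "inconclusive": "Mixed results; rerun the queries and compare UDP vs TCP (dig +tcp).",
}


def parse_dig(output):
    """Pull out the fields of one dig run that matter here."""
    result = {"timed_out": False, "status": None, "flags": set()}
    if "no servers could be reached" in output:
        result["timed_out"] = True
        return result
    m = re.search(r"status:\s*([A-Z]+)", output)
    if m:
        result["status"] = m.group(1)
    m = re.search(r"^;; flags:\s*([a-z ]+);", output, re.MULTILINE)
    if m:
        result["flags"] = set(m.group(1).split())
    return result


def diagnose(good_output, bogus_output):
    """Combine the good-domain and broken-domain runs into one verdict."""
    good = parse_dig(good_output)
    bogus = parse_dig(bogus_output)
    if good["timed_out"] and bogus["timed_out"]:
        return "path-blocked"
    if good["status"] != "NOERROR":
        return "resolver-failing"
    if bogus["status"] == "SERVFAIL":
        return "validating-ok"
    if bogus["status"] == "NOERROR":
        return "not-validating"
    return "inconclusive"


if __name__ == "__main__":
    for label, pair in [("thread", (TIMEOUT_GOOD, TIMEOUT_BOGUS)),
                        ("validating", (NOERROR_GOOD, SERVFAIL_BOGUS)),
                        ("non-validating", (NOERROR_GOOD, NOERROR_BOGUS))]:
        verdict = diagnose(*pair)
        print(f"{label}: {verdict} -> {MEANING[verdict]}")
```

In practice the two outputs would be fed in from `dig soa www.ipfire.org` and `dig soa dnssec-failed.org` (with or without `@resolver`); the "ad" flag that parse_dig collects is a useful extra check, since a validating resolver sets it on authenticated answers.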

Hi,

this is interesting. Since I have no idea about pfSense’s default DNS settings, I can only poke around… :expressionless:

Are there any corresponding packet filter logs on the pfSense machine? Either way: Does the pfSense forum itself contain some advice on what to do here?

Thanks, and best regards,
Peter Müller

Hi Peter!
Thanks for replying. I have struggled with this issue for a long time now in Netgate’s pfSense forum and I’m afraid there’s not much I can do anymore.

My posts in pfSense forum can be found here:

If you’d have any more tips to share, I’m all ears. Thank you.
