I’m a keen security/network hobbyist and always interested to try out different FW/router distros.
My home network is pretty decent size and my network edge consists of the following devices:
(Internet) -> cable modem/bridge (stripped of all the other features) -> first firewall: pfSense -> second firewall: IPFire -> router/WAP: DD-WRT (with DHCP for LAN) -> core switch -> followed by the rest of the LAN devices (SIEM, servers, desktops etc.).
I just bought new hardware (Protectli FW2B) as my second firewall and I would like to place it right after my first FW (pfSense). I’ve been trying to install various FW distros into it and I get them all installed fine, but I encounter the same problem every time when trying them out:
My DNS gets broken in my new FW and it simply can’t make any name resolutions. Pinging external IP addresses (e.g. 18.104.22.168) works fine and all services in my LAN which don’t require any DNS resolution work fine. I like IPFire and I would like to set it up as my second FW after pfSense.
I’ve set static IPs with /29 bit mask between my pfSense and the new FW (IPfire). No DHCP service between these two FWs and I haven’t configured anything else in my new IPfire. I can make name resolutions from pfSense, but not with any other device behind it (e.g. from my freshly installed IPfire). Therefore I believe the culprit must be my pfSense FW which seems to somehow block or not forward any name resolutions.
I’ve tried various solutions, e.g. I tried to make a DNS NAT rule (port 53) from pfSense to IPFire, tried setting up various third-party resolvers in IPFire (e.g. 22.214.171.124, 126.96.36.199 etc.), tried enabling DNSSEC in both firewalls, tried enabling “DNS forwarder” on pfSense (which I’m not even sure how it works), tried disabling/enabling DNS resolver on pfSense (in the hope that my IPFire would start resolving names) etc. etc.
Nothing has worked and I just can’t figure out what to do next. To me it sounds like my pfSense is somehow blocking all the name resolutions, but it’s very puzzling, because this blocking happens only after I install my second FW after pfSense. I have had my DD-WRT router behind my pfSense for years without any problems (BTW: however, if I happen to install DD-WRT on my new Protectli HW as a second FW/router, then this new DD-WRT faces the same DNS problem as IPFire).
I’m desperate for any help. Any suggestions?? I’m not a DNS guru but I’m eager to learn. Thanks a lot!!
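An added diagnostic (not part of the original post) to narrow down where resolution breaks from the downstream firewall: it sends one raw A query to each hop and reports whether the reply is a real answer, a REFUSED (typically the upstream resolver's access-control list rejecting the transit subnet), or silence (typically port 53 dropped by a firewall rule). The addresses 192.0.2.1 (upstream firewall's transit IP) and 9.9.9.9 (a public resolver) and the name example.com are assumptions to replace with your own.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: one question (A record by default), RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) for a response to our query, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID, or not a response at all
        return None
    return flags & 0x000F, ancount

def classify(result):
    """Turn a parse_response() result into a short verdict string."""
    if result is None:
        return "garbled reply"
    rcode, ancount = result
    if rcode == 0 and ancount > 0:
        return "ok"
    return RCODES.get(rcode, f"rcode {rcode}") + f" ({ancount} answers)"

def probe(server, name="example.com", timeout=2.0):
    """One UDP query to server:53. 'timeout' usually means a firewall rule is
    dropping port 53 on the path; 'REFUSED' usually means the resolver answers
    but its ACL rejects the client subnet; 'ok' means this hop resolves fine."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
        except OSError as exc:                 # e.g. ICMP port unreachable -> ECONNREFUSED
            return f"error: {exc.strerror}"
    return classify(parse_response(data))

if __name__ == "__main__":
    # Assumed addresses: 192.0.2.1 = upstream firewall's transit-subnet IP,
    # 9.9.9.9 = a public resolver. Run from the downstream firewall's shell.
    for server in ("192.0.2.1", "9.9.9.9"):
        print(server, "->", probe(server))
```

If the public resolver times out while the upstream firewall's IP answers, outbound port 53 from the transit subnet is being filtered; if the upstream IP returns REFUSED, its resolver is reachable but not permitting that subnet.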