OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: abel408 on March 21, 2017, 07:48:09 pm

Title: Internal NAT hosts not being resolved correctly from Public DNS Servers
Post by: abel408 on March 21, 2017, 07:48:09 pm
Hello all,

I have an odd situation. I have many 1:1 NAT rules for internal hosts. These all work correctly unless you are trying to reach the NAT host from within the network using a public DNS server such as Google's (8.8.8.8, 8.8.4.4).

With NAT reflection enabled, the host just times out.
With NAT reflection disabled, I get an "A potential DNS Rebind attack has been detected" message.
If I disable DNS rebinding checks, I am prompted with the OPNsense login screen for some reason.

I'm pretty sure that in both cases, the traffic is just getting to the OPNsense box and displaying the web server from it instead of the internal NAT host.
Title: Re: Internal NAT hosts not being resolved correctly from Public DNS Servers
Post by: abel408 on March 22, 2017, 07:56:43 pm
Any thoughts on this? Has anyone set up anything like this before?

Ok, so this has something to do with the way Virtual IPs are set up. To me, virtual IPs are confusing and I'm not sure why they are needed with NAT. NAT seems to work without them, but documentation says I need them. Here is what is going on:

OPNsense box has virtual IP of 77.77.77.77
OPNsense box has NAT rule of 77.77.77.77 -> 192.168.0.50

External host 88.88.88.88 connects to internal host 192.168.0.50 through the NAT rule

Internal host 192.168.0.51 attempts to connect to 192.168.0.50 using the DNS name example.com. Google's DNS server resolves this to 77.77.77.77, so the internal host attempts to connect to 77.77.77.77, but because the OPNsense box has a virtual IP of 77.77.77.77, it connects to the OPNsense box instead of 192.168.0.50.

How can I fix this behavior?
Title: Re: Internal NAT hosts not being resolved correctly from Public DNS Servers
Post by: cryptochrome on March 22, 2017, 11:08:18 pm
I don't have an answer for you, but why are you trying to reach your internal hosts from internal through their public IPs?

You could set up host overrides in your DNS Forwarder so that it resolves the internal IP of your server from the internal network. No need to go through the firewall.
Title: Re: Internal NAT hosts not being resolved correctly from Public DNS Servers
Post by: abel408 on March 23, 2017, 02:15:57 pm
We have a Public WiFi connection for BYOD. I've always set them up with a public DNS server so that they are forced to hit the same firewall that someone outside our network would hit. I've changed this so that they now see our internal DNS and I've created special firewall rules to only allow access to certain internal servers. Same effect, just more work... Oh well.
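Added illustration (not code from the thread or from OPNsense): a small Python model of the edge firewall described above, using the thread's example addresses (77.77.77.77 as the virtual IP, 192.168.0.50 as the 1:1 NAT target, 192.168.0.51 as the internal client, 88.88.88.88 as the external client). It shows why the three symptoms from the first post line up with the three settings tried, and why the host-override approach from the later replies sidesteps the firewall entirely. The `Firewall` class, its option names, and the outcome strings are this model's own simplifications; the assumption that a reflected connection times out when the reflected flow is not also source-NATed is a common cause of that symptom in pf-based firewalls, not something the thread itself established.

```python
"""Toy model of how a pf-style edge firewall handles a LAN client that
reaches a 1:1-NATed server by its public address (the hairpin case from
this thread).  Added illustration only: not OPNsense code, and the
option names and outcome strings are this model's own simplifications."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")  # constructed: the thread's internal range


@dataclass
class Firewall:
    vips: set                      # public addresses the firewall itself owns
    one_to_one: dict               # public -> internal 1:1 NAT map
    reflection: bool = False       # "NAT reflection" for the 1:1 rules
    outbound_nat_for_reflection: bool = False  # source-NAT reflected flows (assumed option)
    dns_overrides: dict = field(default_factory=dict)  # split-horizon answers

    def resolve(self, name: str, client: str, public_answer: str) -> str:
        """Model of the client's DNS lookup.  A LAN client that asks the
        firewall's own resolver gets the host override; anyone else, or a
        LAN client pointed at a public resolver, gets the public record."""
        if ip_address(client) in LAN and name in self.dns_overrides:
            return self.dns_overrides[name]
        return public_answer

    def connect(self, client: str, dst: str):
        """Return (endpoint actually reached, outcome) for a new connection."""
        src_inside = ip_address(client) in LAN
        if dst in self.one_to_one and (not src_inside or self.reflection):
            server = self.one_to_one[dst]
            if src_inside and not self.outbound_nat_for_reflection:
                # Destination was rewritten, but the server still sees the
                # LAN client's real source address and answers it directly
                # on the LAN.  The client expected replies from 77.77.77.77,
                # so the handshake never completes: the "times out" symptom.
                return server, "timeout (asymmetric reply path)"
            return server, "ok"
        if dst in self.vips:
            # Nothing is translated, and the VIP is a local address, so the
            # firewall's own web GUI answers.  With the DNS rebind check on,
            # the GUI rejects a Host header it does not own (the "potential
            # DNS Rebind attack" message); with it off, the login page shows.
            return "firewall", "reaches OPNsense web GUI"
        if ip_address(dst) in LAN:
            return dst, "ok (direct LAN connection)"
        return dst, "routed upstream"


def scenarios() -> dict:
    """Walk through the thread's configurations and return the outcomes."""
    fw = Firewall(vips={"77.77.77.77"}, one_to_one={"77.77.77.77": "192.168.0.50"})
    out = {}
    out["external client"] = fw.connect("88.88.88.88", "77.77.77.77")
    out["LAN, reflection off"] = fw.connect("192.168.0.51", "77.77.77.77")
    fw.reflection = True
    out["LAN, reflection on, no outbound NAT"] = fw.connect("192.168.0.51", "77.77.77.77")
    fw.outbound_nat_for_reflection = True
    out["LAN, reflection on, outbound NAT"] = fw.connect("192.168.0.51", "77.77.77.77")
    # The fix the thread settled on: a host override in the firewall's
    # resolver, so internal clients never touch the public address at all.
    fw.dns_overrides["example.com"] = "192.168.0.50"
    internal_answer = fw.resolve("example.com", "192.168.0.51", "77.77.77.77")
    out["LAN, host override"] = fw.connect("192.168.0.51", internal_answer)
    out["external, host override present"] = fw.connect(
        "88.88.88.88", fw.resolve("example.com", "88.88.88.88", "77.77.77.77"))
    return out


if __name__ == "__main__":
    for label, (endpoint, outcome) in scenarios().items():
        print(f"{label:40s} -> {endpoint:15s} {outcome}")
```

The last two scenarios are the point of the host-override suggestion: the public record stays unchanged for outside clients, while internal clients receive the private address and connect across the LAN without any NAT state on the firewall.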