NAT outbound port translation

[wk]

Hello,

I'm running an authoritative DNS server behind an opnsense firewall. I've created a port forwarding for port 53 to my primary DNS server and added the necessary firewall rules. That part works. When using the DNS protocol, the clients expects to receive the response from the public IP and the port 53 otherwise the request fails:

Unexpected source: $PUBLIC_IP#54, expected $PUBLIC_IP#53

Therefore I created an outbound NAT rule:

Interface: WAN
Protocol: UDP
Source: Internal_IP of DNS server
Source port: 5300 (the DNS server runs on that port)
Destination: any
Destination port: any
Translation/target: PUBLIC_IP
Translation/port: 53

But the rule doesn't work. When I use another port as the translation port, like 54, I can see the rule being executed in the firewall live log. When I use a port, that is used in an active port forwarding rule, the NAT outbound rule is not executed (according to the log) and I receive a timeout error and find a state like "NO_TRAFFIC:SINGLE", doesn't matter which port (so there is not interference the the enabled unbound DNS that is running on the opnsense as a recursive resolver).

I suspect, that there is an issue with the order of the NAT rules being executed, that causes loop and I have to mark the outbound traffic somehow to ignore any port forwarding.

Thank you for your assistance!

[kryptonian]

Are you sure your internet provider is not dropping outbound port 53?

[wk]

Yes. I can successfully add an outbound rule to translate to port 53, when I change the inbound (port forwarding) rule to another port. But that is not acceptable for the DNS protocol:

nslookup -port=54 example.com PUBLIC_IP
;; reply from unexpected source: PUBLIC_IP#53, expected PUBLIC_IP#54