Port forwarding

Started by Christophe999s, August 29, 2025, 09:56:32 AM

Hi,
I've noticed some strange behaviour with port forwarding.
The following port forwarding rule is configured:

Interface: vlans 10, 30, 100
IPv4
TCP/UDP
Source: Any
Destination Invert: X
Destination: This Firewall
Destination Port: 53
Target IP: 127.0.0.1
Target Port: 53

What I expect in this case is that the DNS traffic on vlans 10, 30 and 100 is redirected to Unbound with some blocklists, but not on any others.
When I check this, connected to vlan 40 (9.9.9.9 and 2620:fe::fe configured), I see the following result:

IPv6 working fine
❯ dig cloudflare-dns.com a -6

; <<>> DiG 9.10.6 <<>> cloudflare-dns.com a -6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46859
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cloudflare-dns.com. IN A

;; ANSWER SECTION:
cloudflare-dns.com. 87 IN A 104.16.248.249
cloudflare-dns.com. 87 IN A 104.16.249.249

;; Query time: 16 msec
;; SERVER: 2620:fe::fe#53(2620:fe::fe)
;; WHEN: Fri Aug 29 09:38:56 CEST 2025
;; MSG SIZE  rcvd: 79

But not IPv4, where traffic is being forwarded to Unbound, even though the rule shouldn't be active on that interface:
❯ dig cloudflare-dns.com a -4

; <<>> DiG 9.10.6 <<>> cloudflare-dns.com a -4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53622
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cloudflare-dns.com. IN A

;; ANSWER SECTION:
cloudflare-dns.com. 3600 IN A 0.0.0.0

;; Query time: 90 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Aug 29 09:38:02 CEST 2025
;; MSG SIZE  rcvd: 63

Only when I configure a source with the vlan 10, 30 and 100 subnets in the port forward rule does it stop redirecting the DNS traffic to Unbound:
❯ dig cloudflare-dns.com a -4

; <<>> DiG 9.10.6 <<>> cloudflare-dns.com a -4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27779
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cloudflare-dns.com. IN A

;; ANSWER SECTION:
cloudflare-dns.com. 290 IN A 104.16.249.249
cloudflare-dns.com. 290 IN A 104.16.248.249

;; Query time: 96 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Fri Aug 29 09:40:29 CEST 2025
;; MSG SIZE  rcvd: 79

Is this normal and/or am I missing something? I don't think a source would have to be configured, since you already select the interfaces the rule should apply to.

No, port forward rules should only be applied to traffic coming in on the interfaces they are defined on.

So possibly the traffic is even coming in on one of the other interfaces?
Run a packet capture on VLAN 40 and the others to verify this.
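One way to do that verification in bulk, as an added example that is not part of the thread: capture port 53 on every candidate interface at the same time, prefix each tcpdump line with the interface it was seen on, and tally the queries per interface, client and resolver. The capture commands are shown in comments because they need root and the real interfaces; the interface names (vlan0.10 and so on) and the sample capture lines are assumptions constructed for the example, not data from the thread.

```shell
#!/bin/sh
# Added example: tally DNS queries per capture interface so it is clear which
# interface the traffic actually enters on. Not part of the original thread.
#
# On the firewall (as root), run one tcpdump per interface and tag each line
# with its interface name (names below are assumed, adjust to your box):
#   for i in vlan0.10 vlan0.30 vlan0.40 vlan0.100 lo0; do
#     tcpdump -lnni "$i" 'udp port 53 or tcp port 53' 2>/dev/null | sed "s/^/$i /" &
#   done; wait
# The rdr rules pf has actually loaded, with their interface lists, are
# visible with:  pfctl -sn

# Constructed sample in that shape (not a real capture): two queries on
# vlan0.40 and two on vlan0.10, plus one response line that must be ignored.
SAMPLE='vlan0.40 09:38:02.100 IP 192.168.40.20.51234 > 9.9.9.9.53: 53622+ A? cloudflare-dns.com. (36)
vlan0.40 09:38:02.190 IP 9.9.9.9.53 > 192.168.40.20.51234: 53622 1/0/1 A 0.0.0.0 (63)
vlan0.10 09:39:10.000 IP 192.168.10.5.40001 > 9.9.9.9.53: 1111+ A? example.com. (29)
vlan0.10 09:39:10.002 IP 192.168.10.5.40001 > 9.9.9.9.53: 2222+ AAAA? example.com. (29)
vlan0.40 09:40:29.000 IP 192.168.40.20.51235 > 9.9.9.9.53: 27779+ A? cloudflare-dns.com. (36)'

# Reads tagged tcpdump lines on stdin, prints one line per
# "iface client resolver:port count", sorted for stable output.
# Only question lines (those containing "? ") are counted; answers are skipped.
dns_queries_by_iface() {
    awk '
        $5 == ">" && index($0, "? ") > 0 {
            src = $4; sub(/\.[0-9]+$/, "", src)          # strip client port
            dst = $6; sub(/:$/, "", dst)                 # drop trailing colon
            n = match(dst, /\.[0-9]+$/)                  # split resolver ip.port
            port = substr(dst, n + 1); dst = substr(dst, 1, n - 1)
            c[$1 " " src " " dst ":" port]++
        }
        END { for (k in c) print k, c[k] }
    ' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | dns_queries_by_iface
```

A query that is counted on vlan0.40 with resolver 9.9.9.9 entered on that interface before any translation; whether pf then redirected it can be seen by capturing lo0 as well, since a redirect to 127.0.0.1 makes the same query reappear there with destination 127.0.0.1.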

The traffic shows up in the firewall log on vlan40, as well as in a pcap. I'm not seeing the same traffic appear on any other interface.
[attachment: Firewall log]
[attachment: Pcap on macbook]
[attachment: Pcap on vlan40]