Bug #11721
NAT redirecting traffic to incorrect interface address
Status: closed
Description
Good evening,
To be clear upfront, this is not currently impacting me any longer. I decided to write up the details anyway in case there might be a link to unresolved Issue #11436 (State matching problem with responses to packets arriving on non-default WANs), which is still being investigated.
I was testing unexpected behaviour with the following NAT setup to redirect DNS traffic to ensure it travels over secure DNS on port 853. Relevant screenshots are attached below.
- Interface 1 is named LAN_Bridge_23 and has IP 10.32.64.1.
- Interface 2 is named LAN4_Sys and has IP 10.32.80.1.
- Each interface had NAT rules configured to redirect all incoming DNS traffic intended for other destinations, to instead go to the pfSense interface IP for that subnet. So any DNS traffic coming in on LAN_Bridge_23 should be repointed to 10.32.64.1, and anything coming in on LAN4_Sys should go to 10.32.80.1.
- Firewall rules were configured to block other DNS traffic as a backup.
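The setup described in the four points above, expressed in raw pf(4) syntax as an added illustration. This is not the ruleset pfSense generated for the reporter and is not taken from the attached screenshots; the macro values (interface names and addresses) are the ones the report gives, the physical NIC names are placeholders, and the rules are hand-written to match the stated intent: every DNS query entering an interface is redirected to that interface's own address, with a logged block as the backup. No extra reflection rules are present, which corresponds to the "NAT reflection: Disable" setting the report ends up with.

```pf
# Added example in pf.conf syntax, not pfSense's generated /tmp/rules.debug.
# Interface names below are placeholders for the physical NICs that the
# pfSense interfaces LAN_Bridge_23 and LAN4_Sys map to (assumption).
lan23_if = "igb1"           # LAN_Bridge_23 (placeholder NIC name)
lan23_ip = "10.32.64.1"     # address taken from the report
lan4_if  = "igb2"           # LAN4_Sys (placeholder NIC name)
lan4_ip  = "10.32.80.1"     # address taken from the report

# Redirect DNS arriving on LAN_Bridge_23 that is NOT already addressed to
# that interface's own IP, so it lands on the resolver at 10.32.64.1.
rdr pass on $lan23_if inet proto { tcp, udp } from any to ! $lan23_ip port 53 -> $lan23_ip port 53

# Same for LAN4_Sys: queries are pulled to 10.32.80.1 only.
rdr pass on $lan4_if inet proto { tcp, udp } from any to ! $lan4_ip port 53 -> $lan4_ip port 53

# Backup: anything on port 53 that somehow escaped the redirect is blocked and
# logged, so a query reaching the other interface's address shows up in the log.
block in log quick on $lan23_if inet proto { tcp, udp } from any to ! $lan23_ip port 53
block in log quick on $lan4_if  inet proto { tcp, udp } from any to ! $lan4_ip  port 53
```

Because `rdr` is evaluated before the filter rules and `rdr pass` lets the translated packet through without a separate `pass` rule, a redirected query never reaches the `block` lines; only a query whose destination is an address other than the ingress interface's own IP would be logged, which is exactly the symptom the report describes seeing with reflection left enabled.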
I was experiencing some odd DNS failures, which I found were caused by pfSense NATing the DNS requests to the wrong interface IP. DNS requests coming in on LAN_Bridge_23 that should have gone to 10.32.64.1 were instead being directed to LAN4_Sys's 10.32.80.1. And vice versa: DNS traffic coming in from LAN4_Sys which should have gone to 10.32.80.1 was being sent to LAN_Bridge_23's 10.32.64.1. I added a new firewall rule to allow and log this traffic. A screenshot of the firewall log showing this is below.
On reading the pfSense documentation on DNS redirection further, I found that my NAT rules had missed the documented step of setting NAT reflection mode to Disable. Once I set the DNS NAT rules to reflection mode Disable as specified, the traffic was no longer sent to the wrong interface address, and I no longer needed the extra rule to permit traffic to other non-local-interface firewall IPs.
Having NAT reflection turned on originally for these rules was a mistake on my part. However, I'm not sure that the behaviour I experienced was the expected result, even with NAT reflection incorrectly turned on. This may just be a lack of understanding of NAT reflection on my part. In case it matters, my pfSense system default NAT reflection mode is set for Pure NAT.