pfSense

Doing this from LAN machine (remember, the redirection is supposed to happen on WLAN):

# dig www.google.com @8.8.8.8

; <<>> DiG 9.9.8-P4 <<>> www.seznam.cz @8.8.8.8
;; global options: +cmd
;; connection timed out; no servers could be reached

After disabling the NAT rule on WLAN interface, DNS resolution to outside DNS servers immediately works:

# dig @8.8.8.8 www.google.com

; <<>> DiG 9.9.8-P4 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20291
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         299     IN      A       172.217.23.196

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 12 13:24:03 CET 2016
;; MSG SIZE  rcvd: 59

The rule from config.xml:

                <rule>
                        <source>
                                <any></any>
                        </source>
                        <destination>
                                <address>DNS_Servers</address>
                                <not></not>
                                <port>53</port>
                        </destination>
                        <protocol>tcp/udp</protocol>
                        <target>127.0.0.1</target>
                        <local-port>53</local-port>
                        <interface>opt2</interface>
                        <descr><![CDATA[Redirect all other DNS]]></descr>
                        <associated-rule-id>nat_584dd154030707.21365541</associated-rule-id>
                </rule>

Relevant stuff from /tmp/rules.debug:

# NAT Inbound Redirects
rdr on ath0_wlan0 proto { tcp udp } from any to ! $DNS_Servers port 53 -> 127.0.0.1
# Reflection redirect
rdr on { igb0 igb2 gif0 enc0 openvpn } proto { tcp udp } from any to ! $DNS_Servers port 53 -> 127.0.0.1

And yes, the output is from `pfctl -sn`

What options do you have configured for NAT Reflection under System > Advanced, Firewall & NAT?

Well perhaps this should be left open till it's somehow fixed, sending packets coming from completely unrelated interfaces to a blackhole certainly is completely unexpected and not a feature.

Jim Pingle wrote:

The best thing to do would be to set "NAT Reflection" = "Disable" in the settings for that NAT rule which will force it to the intended behavior. I'll update the wiki doc with that setting momentarily.

Thanks, this works.

There isn't anything to fix. Logically, it's acting as intended. That's what NAT reflection does -- it redirects anything that matches the destination on other local interfaces to the port forward target. As to why it didn't function, that may be due to settings in the DNS Resolver/Forwarder not answering queries for those other segments.

Either way, the 'fix' is to not use reflection with that type of rule.

The resolver is answering queries just fine on LAN. Until you set up a NAT rule on WLAN. Sorry, but this behavior is absurd and anything but logical.

P.S. The wiki article screenshotis missing the "Invert Match" checkbox.

Screenshot is fixed.

It may seem absurd to you but what else should it do? There isn't any programmatic way for it to know that isn't what you wanted it to do. It's a NAT rule, reflection was enabled, so it setup reflection rules as it was told to do. It was a configuration error, not a bug.

If the target was allowed to receive and process traffic in all other aspects (e.g. traffic not blocked to 127.0.0.1 on the other interfaces, resolver allowed to answer queries, etc), it would have functioned fine and reflected the traffic on all interfaces that received reflection rules.