#1 Untanglit (Join Date: Dec 2017, Posts: 25)

Port Forward to two hosts?

I've got two internal DNS servers (piholes) that I'm using. Let's say they're 192.168.0.5 and 192.168.0.6. I've created firewall rules to only allow DNS queries out to the internet from these two and created a port forward rule to forward to one of the piholes any requests out to port 53.

    Firewall rules:
    Destination port IS 53
    Protocol is UDP, TCP
    Source Address is 192.168.0.5
    Action: Pass

    Created a duplicate of the rule above for 192.168.0.6

    Next rule is to block DNS queries from my network from hitting the internet:

    Destination Port IS 53
    Protocol is UDP, TCP
    Destination is Any WAN
    Action: Block

    Then I have a port forward rule:
Protocol is UDP, TCP
    Destination Port 53
    Destination Address is NOT 192.168.0.5
    Source Address is NOT 192.168.0.5
    Source Interface is: (I have two internal interfaces) Internal and WIFI
    New Destination 192.168.0.5
    New Port 53

    The problem is now that I have a single point of failure if 192.168.0.5 goes down. DNS won't work.

    Is there any way to port forward round robin style? I don't think there is.

    I've tried various combinations on the rules with no luck.

    Or is there a better way to do this?

#2 jcoffin, Untangler (Join Date: Aug 2008, Location: Lake Tahoe, Posts: 9,655)

    - Delete the port forward rule.
    - Change the WAN DNS settings to your DNS servers.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 Untanglit (Join Date: Dec 2017, Posts: 25)

    Thanks. I didn't know I could do that for the WAN interface.

That made the rules simpler, but it doesn't accomplish what I'm trying to do. I'm trying to stop internal machines from getting out to the internet for DNS queries. For example, I have an LG TV and some of the apps are hard-coded to use Google's DNS at 8.8.8.8. If I make this change then those apps won't work.

#4 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,488)

    The "round robin" is defined by the DHCP servers you pass out to your clients via DHCP.

The port forward rule is irrelevant, and honestly dangerous. You just asked Untangle to grab UDP 53 requests leaving the network and redirect them to an internal server that is going to then make a UDP 53 request to the Internet!

    Have you seen what happens when a computer becomes a dog chasing its own tail? Not good!

    If you want to enforce pihole use, just make a firewall rule for anything destined to port 53 and set it to block. Then make two pass rules above it for your piholes.

Junk that's hard-coded will break, port forwarding is your only recourse, and no, you cannot have multiple targets with a port forward.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#5 Untanglit (Join Date: Dec 2017, Posts: 25)

Thanks sky-knight. That's what I thought. I'm trying to keep the hard-coded devices working but I still want to control their DNS.

I was thinking more about it, and if there are only one or two systems doing the hard-coded DNS then I could always create a forward rule from their IPs to port 53 to go to one of the piholes. Then if that pihole is down, only those one or two systems would be down.

    Hmmmmm.......
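As an added illustration (not code from this thread, from Untangle, or from either poster), here is a small first-match rule evaluator modelling the rule order sky-knight describes in #4 (pihole pass rules above a catch-all port 53 block) and the per-host forward idea from #5, with the "block events" from #6 reconstructed as log lines. The LAN mask, the TV's address, and the pass-by-default behaviour are assumptions; this is a simplification of how Untangle's Firewall app evaluates rules, not its implementation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed for this example: the thread never states the LAN mask or the TV's address.
LAN = ip_network("192.168.0.0/24")
PIHOLES = ("192.168.0.5", "192.168.0.6")
HARDCODED_HOSTS = ("192.168.0.50",)  # hypothetical LG TV that insists on 8.8.8.8

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "udp" or "tcp", as in the thread's "Protocol is UDP, TCP" rules

def is_dns(f):
    return f.dport == 53 and f.proto in ("udp", "tcp")

def to_wan(f):
    return ip_address(f.dst) not in LAN

# Firewall rules as sky-knight lays them out: one pass rule per pihole ABOVE a
# catch-all block. Rules are evaluated top to bottom and the first match wins.
FIREWALL_RULES = [
    ("pass-pihole-1", lambda f: is_dns(f) and f.src == PIHOLES[0], "pass"),
    ("pass-pihole-2", lambda f: is_dns(f) and f.src == PIHOLES[1], "pass"),
    ("block-dns-to-wan", lambda f: is_dns(f) and to_wan(f), "block"),
]

def evaluate(flow, rules=FIREWALL_RULES):
    """Return (action, rule_name); sessions matching no rule are passed (assumed default)."""
    for name, match, action in rules:
        if match(flow):
            return action, name
    return "pass", "default"

def port_forward(flow, target=PIHOLES[0]):
    """Post #5's fallback: redirect only the hard-coded hosts' DNS to ONE pihole.
    A port forward has a single target, so these hosts lose DNS if that pihole is down."""
    if is_dns(flow) and flow.src in HARDCODED_HOSTS and flow.dst not in PIHOLES:
        return replace(flow, dst=target)
    return flow

def block_events(flows):
    """Log lines like the 'block events' post #6 sees from hard-coded devices."""
    return [f"BLOCK {f.proto}/{f.dport} {f.src} -> {f.dst} ({name})"
            for f in flows for action, name in [evaluate(f)] if action == "block"]
```

Passing `FIREWALL_RULES[::-1]` to `evaluate` shows why the pass rules must sit above the block: with the order reversed, the piholes' own upstream queries are blocked too.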

#6 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,488)

    Yep, that'll work! But, the devices in question might just work with Google DNS blocked too.

    I have a general 53 block in place here, and my Google devices, FireTV, and Roku devices have all just worked. I do get block events from them in the firewall, but I've noticed no functionality loss.

    They are supposed to use the DNS servers passed by the DHCP server darn it! Standards mean stuff!

#7 Untanglit (Join Date: Dec 2017, Posts: 25)

I didn't put the port forward rule in but my LG TV. I also see blocks to 8.8.8.8 port 53 over and over, but the apps on the LG are still working. I guess I'll leave it for now. Thanks, guys, for the quick responses.
