Hi all,
I have a DNS server behind a NATed router. It is hosting the top-level domain for the organization and it is the primary DNS server. The ISP is hosting the secondary zone; zone replication is allowed for that ISP's IP address.
Dst-nat rules are configured for requests from outside, UDP 53 from the WAN IP to the LAN IP, and it works OK.
When I try to transfer the zone to the secondary DNS, it is not allowed until, under allowed servers in the primary DNS server, I put the local IP of the router.
But then zone transfer is allowed to everyone, because the source IP of the request is 192.168.0.253 and the destination is the IP of the DNS server, 192.168.0.251.
Maybe here lies the catch!
When I put out-int on the default masq rule, Outlook clients cannot connect to the mail server. So I was forced to leave it in this condition.
Maybe? For sure. This rule #0 will masquerade every single connection coming through the router, no matter what source or destination it has. In most cases that's not what you want. If your Outlook clients can't connect without it, you need to fix the server config (it most likely allows them to connect only from the local subnet and not from the internet). Alternatively, if you can't fix the server, you can add a masquerade rule for traffic to the server and the ports used by Outlook clients. Then limit the default masquerade to WAN and leave other traffic alone.
Btw, if rule #3 is used for connecting to 85.10.x.y from the LAN, then you don't need it. Just remove in-interface=ether1 from rule #1 and it will work for both internet and local connections.
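As an added illustration of the fix Sob describes (this is example configuration written for this thread, not the poster's or Sob's actual rules), here is the pattern in RouterOS CLI terms: the unrestricted masquerade that causes the problem, the WAN-only replacement, the DNS port forwards, and a narrow hairpin masquerade for LAN clients reaching the mail server through the public address. The DNS server 192.168.0.251 and the router LAN address 192.168.0.253 come from the post; the interface names, the 192.168.0.0/24 LAN, the mail server address 192.168.0.252, the mail ports and the <WAN_IP> placeholder are assumptions. One caveat a practitioner will want: the zone transfer itself (AXFR) runs over TCP 53, so the dst-nat has to cover TCP as well as the UDP 53 the post mentions.

```routeros
# Added example, not configuration from the original post.
# Assumptions: ether1 is the WAN interface, the LAN is 192.168.0.0/24,
# <WAN_IP> is the router's public address, the DNS server is 192.168.0.251
# (from the post) and the mail server is 192.168.0.252 (assumed).

# --- The problematic "rule #0": no out-interface, so it masquerades every
# connection, including traffic dst-nat'ed in from the internet. The DNS
# server then sees every external query, and the ISP's AXFR, as coming
# from the router's LAN address 192.168.0.253.
#   /ip firewall nat add chain=srcnat action=masquerade

# --- Corrected default masquerade: only traffic leaving through WAN.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="default masquerade, WAN only"

# --- Port forwards for the DNS server. AXFR uses TCP 53, so forward both.
# Matching on dst-address rather than in-interface=ether1 lets the same
# rule serve LAN clients that use the public address (Sob's point on rule #1).
/ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=udp dst-port=53 \
    action=dst-nat to-addresses=192.168.0.251 comment="DNS UDP"
/ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=192.168.0.251 comment="DNS TCP (AXFR)"

# --- Port forward for the mail server (ports assumed).
/ip firewall nat add chain=dstnat dst-address=<WAN_IP> protocol=tcp \
    dst-port=443,587,993 action=dst-nat to-addresses=192.168.0.252 \
    comment="mail server"

# --- Hairpin NAT, limited to LAN clients reaching the mail server via the
# public address. srcnat is evaluated after dstnat, so dst-address here is
# the server's LAN address. Clients on the internet never match this rule;
# if they still cannot connect, the server's own access list is the cause.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=192.168.0.252 protocol=tcp dst-port=443,587,993 \
    action=masquerade comment="hairpin to mail server from LAN"

# --- Check: an external query should now appear in connection tracking with
# its real source address instead of 192.168.0.253.
/ip firewall connection print where dst-address~"192.168.0.251:53"
```

With the default masquerade restricted to out-interface=ether1, the DNS server's allow-transfer list can go back to containing only the ISP's secondary address, which is the whole point: the ACL is only meaningful if the server sees real source addresses.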
I agree with Sob; you definitely need to lock rule #0 down more, and figure out the cause of the Outlook failure and fix it separately.
As it is now, any device on your networks is going to see outside-initiated traffic as coming from the local router interface IP instead of its real IP, including the outside DNS backup server. This makes firewalling difficult and confusing at best.