Force DNS to LAN PiHole XG Home 19

I had this working in Untangle for years, then switched to OPNsense for a few weeks and got it working, now I've decided to go with Sophos but I'm stuck. (Loving Sophos XG, btw.) 

I have two PiHoles running on my LAN and want to force/redirect all LAN DNS/53 traffic to the PiHoles. I've searched and then tried several settings but I'm stuck - it's not working. I've figured out how to set the DNS for the interface and set the DNS for the DHCP, but some devices ignore those settings. Therefore, I'm trying to create a NAT rule that redirects all DNS/53 LAN traffic to the PiHoles. I'm not sure if there needs to be a NAT and a Firewall Rule, or if NAT alone can enforce this, and then how to actually configure those rules?

Thank you!

JS

  • Hi Joe,

    You will need a firewall rule and a NAT rule, called a hairpin NAT. Now somewhere there is a KBA on the subject which I cannot find at the moment.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • You tried a DNAT rule? (Would also probably need a Firewall rule to allow the traffic through.)

    I'm thinking you'd use System Host and choose the appropriate #port for your LAN port or bridge. Or you could use Network and specify your internal network... depending on your physical configuration and subnetting. And maybe check the box to create a Reflexive Rule? Essentially you want Source LAN to Dest WAN, but you can't use zones in the NAT rules (that I know of).

    Then you'd need a Firewall rule to allow (DNS) traffic LAN-LAN or LAN to your server (PiHole) subnet or whatever is appropriate.

    If rfcat_vk finds the KB that would be clearest. Gotta say that I tried a similar rule to redirect away from Google DNS to another provider's DNS and it did not go well for me, so take it with a grain of salt.

  • Hi Joe,

    Please read the attached link; it contains a thread from a previous discussion with lots of pointers to KBAs etc.

    https://community.sophos.com/sophos-xg-firewall/f/discussions/136283/xg-nat-loopback-question

    If after this you still have issues, please advise and I will post screenshots of my NTP firewall and NAT rules.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.