notempty
- DNS Relay for a WireGuard site-to-site tunnel
- Correction of the port filter rule for OpenVPN site-to-site tunnels
- Korrektur der Portfilterregel (Quelle und Ziel waren falsch)
Introduction
In this scenario, the UTM and clients of a remote site are to be connected to the domain at the main site.
- All DNS requests for the domain to the DNS server, through the VPN tunnel, are forwarded to the main site.
- The UTM shall provide DNS for the clients in the remote site.
- Requests for the domain network shall be forwarded in the VPN tunnel to the DNS server in the main site.
Creating the DNS Relay Zone
Set the nameserver of the firewall
The first step is to set the nameserver of the firewall.
In the Primary nameserver field, enter 127.0.0.1 as the IP (localhost). Click on the button.
Create DNS Relay
Tab Zones
The next step is to create a relay zone.
- Open the Zones tab in the Nameserver window.
- Click on the button to create a new relay zone
- Under Zone name: enter the desired domain name
- Select as Type:
- Click on the button to enter the IP address of the nameserver
- Under IP address: the IP address of the remote nameserver is entered
In order to use this, the dialog Add Relay Zone and the dialog Nameserver.
After creating the relay zone, the firewall forwards all requests to the DNS server at the main site on the domain network.
DNS Relay for an IPSec Site-to-Site Tunnel
In order to forward internal domain requests to a remote nameserver that is on an IPSec network, note that by default, all direct requests addressed to external nameservers are sent from the firewall with the external IP. However, a public IP is not routed into an IPSec tunnel.
Create network object
Tab Network objects
The port filter rules in the Implied rules are automatically activated. This means that no network object is yet available for the IPSec network.
| The following objects are preconfigured at delivery: | Network object | associated interface object |  |
|---|---|---|---|
 Internet |
 external-interface
| ||
 internal-network |
internal-interface
| ||
| only with min. 3 existing interfaces | dmz1-network |
dmz1-interface
| |
| In order to create the appropriate network object, click on the Network objects button under the tab. | |||
| Caption | Value | Description |  |
| Name: | IPSec-Network | Name for the IPSec network | |
| Type: | Choose VPN network | ||
| Address: | 192.168.8.0/24 | IP address of the IPSec network | |
| Zone: | Select the corresponding VPN IPSec zone | ||
| Groups: | a corresponding group can be entered | ||
Click , or to save this network object.
After the network object is created, is clicked.
Create a rule
Tab Add rule Button
The last step is to create a firewall rule with a Hide NAT.
This causes DNS forwarding to also go to the tunnel and not directly to the Internet.
| Labeling | Value |  |
|---|---|---|
| Active: | On | |
| Source: | external-interface
| |
| Destination: |  IPSec-Network
| |
| Service: |  domain-udp
| |
| Action: | ||
[-] NAT
| ||
| Type: | ||
| Network object: | internal-interface
| |
Click or to save this rule.
With this rule, all domain UDP requests made through the firewall to the remote nameserver are natted over the IP of the internal interface and can thus be routed into the IPSec tunnel.
DNS Relay for an OpenVPN Site-to-Site Tunnel
In order to forward internal domain requests to a remote nameserver located in an OpenVPN network, note that by default all direct requests directed to external nameservers are send from the firewall with the external IP. However, a public IP is not routed into an OpenVPN tunnel.
Create zone
In order to route the DNS requests into the OpenVPN tunnel, a new interface zone must be created on the UTM.
A new zone is created with the button.
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | Site-to-Site-DNS-Relay | Name for the interface zone | |
| Interface: | tun0 | Select the corresponding interface tunX | |
| Interface: | On | Enable FLAG Interface for this zone | |
Create Open-VPN network objects
Tab Network objects
The port filter rules in the Implied rules are automatically activated. This means that no network object is yet available for the Open-VPN network.
| The following objects are preconfigured at delivery: | Network object | associated interface object | |
|---|---|---|---|
| Internet |
external-interface
| ||
| internal-network |
internal-interface
| ||
| only with min. 3 existing interfaces | dmz1-network |
dmz1-interface
| |
| In order to create the appropriate network object, click on the Network objects button under the tab. | |||
| Caption | Value | Description |  |
| Name: | DNS-Relay-Interface | Name for the Open VPN network | |
| Type: | Select dynamic interface | ||
| Interface: | select this interface | ||
| Zone: | Select the corresponding Open VPN zone | ||
| Groups: | a corresponding group can be entered | ||
Click , or to save this network object.
After the network object is created, is clicked.
Create rule
Tab Add rule Button
The last step is to create a firewall rule with a Hide NAT.
This causes DNS forwarding to also go to the tunnel and not directly to the Internet.
| Labeling | Value | Datei:UTM v12.3.6 Firewall Portfilterregel DNS Relay -en.png |
|---|---|---|
| Active: | On | |
| Source: | DNS-Relay-Interface
| |
| Destination: |  Remote-DNS-Server
| |
| Service: |  dns
| |
| Action: | ||
[-] NAT
| ||
| Type: | Optional if domain controller does not want to respond to requests from the transfer network | |
| Network object: | internal-interface
| |
Click or to save this rule.
DNS Relay for a WireGuard Site-to-Site Tunnel
The internal domain requests can also be forwarded to a remote nameserver located in a WireGuard network. The configuration of such a scenario requires an existing WireGuard site-to-site VPN (S2S) connection.
Create zone
Button
In order to route the DNS requests into the WireGuard tunnel, a new interface zone must be created on the UTM.
| Caption | Value | Description |  |
|---|---|---|---|
| Name: | WireGuard-S2S-DNS-Relay | Name for the interface zone | |
| Interface: | wg0 | Select the corresponding WireGuard interface wg0 | |
| Interface: | On | Enable FLAG Interface for this zone | |
Create WireGuard network objects
Tab Network objects
The port filter rules in the Implied rules are automatically activated. This means that no network object is yet available for the WireGuard network.
| The following objects are preconfigured at delivery: | Network object | associated interface object | |
|---|---|---|---|
| Internet |
external-interface
| ||
| internal-network |
internal-interface
| ||
| only with min. 3 existing interfaces | dmz1-network |
dmz1-interface
| |
| In order to create the appropriate network object, click on the Network objects button under the tab. | |||
| Caption | Value | Description |  |
| Name: | WireGuard-DNS-Relay-Interface | Name for the WireGuard network | |
| Type: | Select dynamic interface | ||
| Interface: | select this interface | ||
| Zone: | Select the corresponding WireGuard zone | ||
| Groups: | a corresponding group can be entered | ||
Click , or to save this network object.
After the network object is created, is clicked.
Create rule
Tab Add rule Button
The last step is to create a firewall rule with a Hide NAT.
This causes DNS forwarding to also go to the tunnel and not directly to the Internet.
| Labeling | Value | Datei:UTM v12.5 DNS Relay WireGuard S2S portfilterregel erstellen-en.png |
|---|---|---|
| Active: | On | |
| Source: | WireGuard-DNS-Relay-Interface
| |
| Destination: | Remote-DNS-Server
| |
| Service: | domain-udp
| |
| Action: | ||
[-] NAT
| ||
| Type: | Optional if domain controller does not want to respond to requests from the transfer network | |
| Network object: | internal-interface
| |
Click or to save this rule.