

DNS NAT Rule slowing down browsing and load-times from websites

Hello all,

I have a specific NAT question and problem, the reason being that I am not a native or excellent networking guy... so learning by doing and reading up on specifics when needed. Maybe someone could help me.

In my home network I use an XG as firewall with 2 different physical subnets for LAN and switching, some WLAN SSIDs in separated zones, and some kids and a wife here. To protect them I have a virtualized Pi-hole DNS for all DNS requests in our home.

Because some smartphones and browsers try to use a "secured DNS resolver" automatically on their own, I tried some tricks to prevent such overrides.

For that I have added a NAT rule for each network which looks like the following:

So every direct attempt to use another external DNS should be affected.

Further, there are policies which deny "DNS over HTTPS" and some app filters for DNS and proxy etc.

Global dns settings:

dns settings on LAN1 / dhcp:

dns settings on other networks / dhcp:

According to several tests it looks great and I think all DNS requests for external hosts will be handled by the Pi-hole.

BUT: the browsing speed and load times for websites are incredibly slow (3-10 sec) for me directly in LAN1, which seems to be caused by the NAT rule.

When disabling it, the speed is normal, like being attached directly to the router behind. In LAN2 or the WLANs there is no problem with browsing.

So can anyone explain that to me and maybe tell me a solution or a different way to solve my wish for the Pi-hole-DNS-only network?

Thanks a lot and regards,

Andy. :)



  • A couple of suggestions.

    1/. create a firewall rule at the top of your firewall list that blocks DNS over HTTPS rather than use the web proxy.

    2/. change the default DNS setting to point at your Pi-hole.

    3/. create a firewall rule that allows DNS traffic between your various LANs and the Pi-hole.

    The following screenshot is the NAT rule for my NTP server.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • thanks for your suggestions and effort.

    1. good idea, will try this... but it does not solve the problem for NAT.

    2. you mean the NAT rule to point at the Pi-hole? I was thinking about that, but it would be a problem when the Pi-hole suddenly went down. So the thought was for LAN1 to point at the interface, which normally should be the default. But here I think that creates some kind of looping.

    3. will not be needed, because the NAT rules etc. work perfectly for all the others - only LAN1 is affected and the Pi-hole is in the same subnet.

    for NTP I also have a rule like that. The only difference there, apart from the service and networks, is the MASQ, which has no effect and is not needed there. Tried that also. Or what was your thought for that screenshot?

    Thank you again, Ian.

  • The MASQ is required because the devices do not always send NTP (123) or DNS (53), and that causes delays while the device shifts DNS destinations which will accept its DNS request, if that makes sense?

    Ian


  • Thx for explanation.

    Tried that also, but it doesn't make any difference whether MASQ or not... browsing stays slow.

    The same NAT rules on the other LAN2 and WLANs work as expected and browsing is fast.

  • Hi,

    have you reviewed the log viewer when the issue is happening, refined to either service 53 or your test PC's IP address?

    Ian


  • You built a loop, isn't it? So the Pi will also be caught by this rule?


  • Pi only has external DNS servers configured.

    workflow should be: internal device requests DNS (whether internal or external host / URL) and ends on the Sophos interface; Sophos serves all internal hostnames, external requests will be handled by the Pi-hole.

    but yes: because the Pi-hole is in LAN1, the NAT rule will cause DNS requests from the Pi to start looping. ***... I am so stupid.

    so the solution would be to exclude the Pi-hole from that NAT rule or to place it in the subnet of the router in front of Sophos.

  • short question: are NAT rules handled like firewall rules? First hit and done? So beginning at the top with id1, id2, etc.

    seems to work.

  • nat rules are handled like firewall rules? first hit and done?

    Yes, it's the same way as firewall rules (first hit).

    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home
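The loop Andy describes (Pi-hole in LAN1 being caught by the LAN1 DNS NAT rule) and the first-hit answer above can be reproduced with a small model of the NAT table. This is an added example, not code from the thread or from Sophos: the addresses, the rule contents and the idea that the "exclude the Pi-hole" fix is a no-translation rule placed above the catch-all are all assumptions, since the thread's screenshots are not shown.

```python
import ipaddress

# Constructed lab addressing; the thread does not show its real rule contents or addresses.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
CLIENT = ipaddress.ip_address("192.168.1.20")      # a phone or PC in LAN1
XG_LAN1_IF = ipaddress.ip_address("192.168.1.1")   # XG interface, the DHCP-advertised resolver
PIHOLE = ipaddress.ip_address("192.168.1.53")      # Pi-hole, also in LAN1
UPSTREAM = ipaddress.ip_address("203.0.113.53")    # Pi-hole's external forwarder (documentation range)

# Who forwards external lookups where: XG -> Pi-hole -> upstream, the workflow described in the thread.
FORWARDS_TO = {XG_LAN1_IF: PIHOLE, PIHOLE: UPSTREAM}


def build_rules(pihole_bypass=None):
    """DNAT table for LAN1 port-53 traffic. pihole_bypass: None, 'top' or 'bottom'."""
    catch_all = {"src": LAN1, "dport": 53, "translate_to": XG_LAN1_IF}
    # Assumed modelling of "exclude the Pi-hole from that NAT rule": a no-translation rule
    # matching only the Pi-hole's own upstream queries.
    bypass = {"src": ipaddress.ip_network(f"{PIHOLE}/32"), "dport": 53, "translate_to": None}
    if pihole_bypass == "top":
        return [bypass, catch_all]
    if pihole_bypass == "bottom":
        return [catch_all, bypass]
    return [catch_all]


def apply_nat(rules, src, dst, dport):
    """First-hit evaluation, top to bottom, as the thread confirms for XG NAT rules."""
    if src == XG_LAN1_IF:
        return dst  # assumption: the firewall's own forwarded queries do not traverse its DNAT table
    for rule in rules:
        if src in rule["src"] and dport == rule["dport"]:
            return dst if rule["translate_to"] is None else rule["translate_to"]
    return dst


def trace_lookup(rules, client=CLIENT, max_hops=8):
    """Follow one external-name lookup hop by hop; return (path, looped)."""
    sender, target = client, XG_LAN1_IF
    path, seen = [sender], set()
    for _ in range(max_hops):
        actual = apply_nat(rules, sender, target, 53)
        path.append(actual)
        if actual == UPSTREAM:
            return path, False
        if actual in seen:  # the query came back to a resolver it already passed: a loop
            return path, True
        seen.add(actual)
        sender, target = actual, FORWARDS_TO[actual]
    return path, True


if __name__ == "__main__":
    for variant in (None, "top", "bottom"):
        path, looped = trace_lookup(build_rules(variant))
        print(f"bypass={variant!s:6} looped={looped} path={' -> '.join(map(str, path))}")
```

Running it shows the Pi-hole's upstream query being redirected back to the XG interface with the catch-all rule alone, a clean path to the upstream when the bypass rule sits above it, and the same loop when the bypass is placed below it, because the first matching rule wins.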