DNS resolution of pfsense host on multiple VLANs
-
Hello,
I've had pfSense working for several years on a home network just fine. Recently, I decided to create some VLANs to segregate home business from home personal. I've got just about everything working fine, VLANs are configured, DHCP works on the different VLANs, even have multiple OpenVPN servers working to allow access to the different VLANs. The one thing that I haven't been able to figure out though, is how to get the dns resolution of the pfsense host on the different VLANs working right. It looks like it automatically uses its host resolution as the LAN interface address, with no way to edit which interface it should bind it to. I recognize that it would probably be unsupported for hosts on the HOMEVLAN to resolve 'pfsense' to the HOMEVLAN interface, while hosts on the WORKVLAN to resolve 'pfsense' to the WORKVLAN interface. So I'll settle for different names bound to the interfaces, but I don't see any way to do that. Am I relegated to doing it in DNS Forwarder's host overrides? That seems a bit of an ugly hack to me, by comparison to binding hostname(s) to interfaces.
-
Can you elaborate more? So far I've gathered that you have a problem with 'pfsense.localdomain' resolving only to the LAN IP address but you haven't stated why this is really a problem.
-
Sure. my VLANs are segregated from each other, in particular the WORKVLAN having heavy restrictions so that they can't see each other. I am doing it this way so that the people who will be VPNing into my home business environment have no access to any of my personal stuff. But I am giving them restricted access to pfsense so that they can change their password. A little more detail below:
LAN: 10.10.1.1/24
HOMEVLAN: 10.1.1.1/24
WORKVLAN: 10.2.1.1/24
OpenVPNHOME: 10.1.10.1/24
OpenVPNWORK: 10.2.10.1/24
OpenVPNWORK users have only access to the 10.2.1.1/24 subnet, and nothing else. Same with devices on WORKVLAN. If they try to connect to 'pfsense', they get back 10.10.1.1, which they don't have access to. Same goes for HomeVLAN users. I would ideally like them to be able to connect to the pfsense interface within their own VLAN, and it seems like it should be possible to assign hostnames to interfaces for that purpose, but I haven't found anything that seems to fit that bill.
-
Use the DNS forwarder and localise-queries.
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
-
"But I am giving them restricted access to pfsense so that they can change their password."
So let them hit the pfSense LAN IP. If you're giving them access, what does it matter if they hit the IP in their segment or the IP that is in the LAN?
But as to resolving a different hostname for pfSense, that really comes down to a subdomain for your different segments, which you can do via host overrides. So for example pfsense.local.lan is what resolves for the normal LAN IP. But then I have host overrides for pfsense.dmz.local.lan and pfsense.wlan.local.lan that resolve to the IPs in those networks.
This way, for example, I can always do a PTR query for the gateway IP (which is pfSense) and get back what network I'm in, dmz or wlan, etc.
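The two approaches suggested in the replies above, the DNS Forwarder's dnsmasq `localise-queries` option and per-segment host overrides with a PTR check, as an added example that is not part of the thread and not pfSense or dnsmasq code. It models the dnsmasq rule as the linked manual documents it (a name with several addresses answers only with the address(es) on the subnet of the interface the query arrived on, and with all of them when none match) against the interface addresses posted in the thread. The hosts-file lines, the `local.lan` subdomains and the interface names are constructed for the example.

```python
"""Added example (not from the thread or from pfSense/dnsmasq): a small
model of which pfSense address a client gets back, for the subnets posted
in the thread.

1. dnsmasq --localise-queries, as the dnsmasq manual documents it: when a
   name has several addresses and at least one of them is on the same
   subnet as the interface the query was received on, answer only with the
   address(es) on that subnet; otherwise answer with all of them.
2. Per-segment host overrides (pfsense.work.local.lan style) looked up by
   name, plus the PTR lookup of a gateway address that tells a client which
   segment it is on.

The hosts-file lines, domains and interface names are constructed; the
interface addresses are the ones posted in the thread.
"""
import ipaddress

# Constructed /etc/hosts-style data: one short name with several addresses
# (what localise-queries acts on) plus a per-segment FQDN per address.
HOSTS_FILE = """\
10.10.1.1  pfsense pfsense.local.lan
10.1.1.1   pfsense pfsense.home.local.lan
10.2.1.1   pfsense pfsense.work.local.lan
"""

# Constructed interface table: interface name -> the firewall's address/prefix.
INTERFACES = {
    "LAN": "10.10.1.1/24",
    "HOMEVLAN": "10.1.1.1/24",
    "WORKVLAN": "10.2.1.1/24",
    "OpenVPNHOME": "10.1.10.1/24",
    "OpenVPNWORK": "10.2.10.1/24",
}


def parse_hosts(text):
    """Return {name: [addresses]} from hosts-file lines, in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(ipaddress.ip_address(addr))
    return table


def resolve_a(table, name, iface, localise=True):
    """Addresses answered for `name` to a query received on interface `iface`.

    localise=True applies the dnsmasq --localise-queries rule; localise=False
    returns every address, which is what the original poster was seeing.
    """
    addrs = table.get(name.lower(), [])
    if not localise:
        return [str(a) for a in addrs]
    net = ipaddress.ip_interface(INTERFACES[iface]).network
    on_subnet = [a for a in addrs if a in net]
    return [str(a) for a in (on_subnet or addrs)]


def resolve_ptr(table, addr):
    """Names for an address, as a PTR lookup of the gateway IP would return."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, addrs in table.items() if ip in addrs)


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for iface in INTERFACES:
        print(f"{iface:12} pfsense -> {resolve_a(table, 'pfsense', iface)}")
    print("PTR 10.2.1.1 ->", resolve_ptr(table, "10.2.1.1"))
```

Running it shows the caveat a VPN user hits: queries on WORKVLAN get 10.2.1.1 only, but queries arriving on the OpenVPNWORK tunnel (10.2.10.0/24) match none of the three entries, so `localise-queries` falls back to all addresses and the client still sees 10.10.1.1 first. For that case the firewall's tunnel address needs its own entry too, or the per-segment FQDN (pfsense.work.local.lan) sidesteps the question entirely.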
-
I went ahead and did the host overrides, and added in a separate domain for the WORKVLAN. This allows me to still have 'pfsense' on each one, even though the domains are different, since I don't require the full host/domain, it works out!