Netgate Discussion Forum

    Local DNS Records on different subnet

General pfSense Questions
    87 Posts 5 Posters 5.2k Views
stephenw10 (Netgate Administrator)

      Does it actually not resolve or just not connect?

      The screenshot above looks like a connection issue not a DNS problem.

      If it does resolve what is it resolving to at the client?

jhmc93 @stephenw10

@stephenw10 so I am on my pfSense subnet right now: [screenshot: Screenshot 2024-11-27 215709.png]

whereas it doesn't do that if I'm on my ISP router

johnpoz (LAYER 8 Global Moderator) @jhmc93

@jhmc93 that browser error is not DNS failing to resolve; a browser not resolving something would look like

[screenshot: 2024-11-27_160113.jpg]

Your machine resolved that to something. Is it the right thing? Who knows from that picture, but it did resolve it.

If you're using Firefox, go to about:networking#dns; it will show you what you resolved something to.

[screenshot: dns.jpg]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

jhmc93 @stephenw10

            not showing anything

jhmc93 @johnpoz

@johnpoz [screenshot: Screenshot 2024-11-27 224050.png]
guessing this is it, can't be sure though

stephenw10 (Netgate Administrator)

                On the client just try to resolve it at the command line so you can see what it resolves to.

                If it resolves to something in the 10.84.x.x subnet (pfSense LAN) then you will need a route to it via pfSense.

                If you just put all your clients on a subnet behind pfSense this would work without issue.

jhmc93 @stephenw10

@stephenw10 by client do you mean the machine I work on, the Traefik machine or the Pi-hole server?

stephenw10 (Netgate Administrator)

                    I mean a desktop/laptop in the 192.168.8.X subnet (pfSense WAN side).

johnpoz (LAYER 8 Global Moderator) @jhmc93

@jhmc93 how would you think that is it? That name, ocsp.digicert.com, is not the FQDN you were trying to go to. Come on, man!!

The FQDN in your Proxmox shows pve.local.something; does that look even remotely close? That is the OCSP check for a DigiCert cert.

                      https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

I thought it was pretty obvious: I highlighted 2 names that are local on my network, nas and sg4860.home.arpa, that resolve to local RFC1918 IPs.

jhmc93 @johnpoz

@johnpoz [screenshot: 59ce8966-1ead-493e-b47c-7d1c928cf9f2-image.png] I'm thick, sorry

johnpoz (LAYER 8 Global Moderator) @jhmc93

@jhmc93 that doesn't show any IP it was resolved to; unless you cut it out, or the columns are in a different order?

Not sure why it would even show that?? If it didn't resolve to something, you would get a different error, because it had no IP to talk to, like I posted above.

[screenshot: partitionjpg.jpg]

Can we see the top of that output, where it shows suffix, DoH and TRR mode?

Also that seems like a really odd isolation key for going to some local domain: jhncmedia.com

jhmc93 @johnpoz

@johnpoz [screenshot: Screenshot 2024-11-29 181854.png]

johnpoz (LAYER 8 Global Moderator) @jhmc93

@jhmc93 so your search suffix is a public domain? Yeah, you're most likely going to have weird stuff happen.

Because when you look for something like pve.local.whatever, it's going to end up looking for pve.local.whatever.cable.otherthing.net.

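The suffix expansion johnpoz describes, as an added example that is not part of any post in this thread: a POSIX shell function that emulates how a glibc-style stub resolver applies the search list under the ndots rule from resolv.conf(5). The suffix cable.otherthing.net is the thread's own placeholder; the host names, the ndots value of 1 and the contrasting private suffix home.arpa are assumptions, and the Windows resolver applies its own suffix and devolution rules, so read the output as the shape of the problem rather than a trace of the poster's laptop.

```shell
#!/bin/sh
# Added example (not from the thread): emulate how a glibc-style stub resolver
# expands a query name with the search list, using the ndots rule from
# resolv.conf(5). Suffixes and host names below are constructed placeholders.

# count_dots NAME -> prints the number of dots in NAME
count_dots() {
    rest=$1; n=0
    while [ "$rest" != "${rest#*.}" ]; do
        rest=${rest#*.}
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# search_candidates NAME NDOTS SUFFIX... -> prints the query names a resolver
# would try, one per line, in order. A trailing dot marks NAME as absolute and
# stops any suffix from being appended.
search_candidates() {
    name=$1; ndots=$2; shift 2
    case $name in
        *.) printf '%s\n' "${name%.}"; return 0 ;;
    esac
    if [ "$(count_dots "$name")" -ge "$ndots" ]; then
        # enough dots: try the name as given first, then each suffix in turn
        printf '%s\n' "$name"
        for s in "$@"; do printf '%s.%s\n' "$name" "$s"; done
    else
        # too few dots: search list first, bare name last
        for s in "$@"; do printf '%s.%s\n' "$name" "$s"; done
        printf '%s\n' "$name"
    fi
}

# Demo: the same local name with a public ISP suffix versus a private one.
for suffix in cable.otherthing.net home.arpa; do
    echo "search $suffix (ndots 1):"
    search_candidates pve.local 1 "$suffix" | sed 's/^/  /'
done
```

With the ISP suffix in the search list, the second candidate for pve.local is pve.local.cable.otherthing.net; that query goes to whatever resolver the client has (the Pi-hole here) and, with no local record to match, onward to the public internet, which is the "weird stuff" johnpoz means. Giving the client a private search domain such as home.arpa (RFC 8375), as in johnpoz's own sg4860.home.arpa, keeps the expanded names inside a zone the local resolver answers.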
jhmc93 @johnpoz

@johnpoz even though Pi-hole is set as my DNS on pfSense and on the laptop on my ISP side, so I don't know what is going on

jhmc93 @stephenw10

@stephenw10 [screenshot: nslookup.png] your answer

stephenw10 (Netgate Administrator)

                                    Ok great so it does resolve to the internal IP in the pfSense LAN subnet as expected.

So it is almost certainly failing because the client has no route to reach that subnet. It would not have one by default. It would have to be added as a static route via the pfSense WAN. And pfSense would need rules on WAN to pass it.

jhmc93 @stephenw10

@stephenw10 how would I go about that without exposing it to the public internet? Because I want to keep it in my ISP subnet and pfSense subnet.

stephenw10 (Netgate Administrator)

                                        Well really what you should do is move all clients to a subnet behind pfSense to avoid this issue. It's almost certainly going to cause other problems having clients in the pfSense WAN subnet.

                                        But I understand you might have physical restrictions for example preventing that.

So you need a firewall rule on the pfSense WAN to allow traffic from the WAN subnet to whatever the target IP is on the LAN.

                                        And you need to add a static route to the pfSense LAN subnet via the pfSense WAN IP on the client directly.

                                        That doesn't expose anything to the public internet.

jhmc93 @stephenw10

@stephenw10 so do I create that rule in the LAN or WAN firewall rules, or is it a NAT rule?

stephenw10 (Netgate Administrator)

                                            It's a firewall rule on the WAN interface. The client is trying to open connections from the WAN subnet to servers in LAN.

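The route plus WAN pass rule that stephenw10 lays out above, as an added example that is not the thread's own content: a POSIX shell helper that checks which subnet the address from the client's nslookup falls in and, for the needs-a-route case, prints the client-side static route and the pfSense WAN rule. The thread only gives the prefixes 10.84.x.x (pfSense LAN) and 192.168.8.x (pfSense WAN); the /16 and /24 masks, the pfSense WAN address 192.168.8.2 and the resolved address 10.84.1.20 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): classify the address a WAN-side client
# resolved a name to, and print the static route plus the pfSense WAN rule the
# thread says that client needs when the address lies in the pfSense LAN.
# Masks, the pfSense WAN address and the resolved address are assumptions.

# ip_to_int A.B.C.D -> 32-bit integer (runs in a subshell so IFS is untouched)
ip_to_int() (
    IFS=.
    set -- $1
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> dotted quad
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# prefix_mask BITS -> netmask for a /BITS prefix, as a 32-bit integer
prefix_mask() {
    printf '%s\n' $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# in_subnet IP CIDR -> exit status 0 if IP lies inside CIDR (e.g. 10.84.0.0/16)
in_subnet() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# route_verdict IP LAN_CIDR WAN_CIDR -> same-subnet | needs-route | not-local
route_verdict() {
    if in_subnet "$1" "$3"; then printf 'same-subnet\n'
    elif in_subnet "$1" "$2"; then printf 'needs-route\n'
    else printf 'not-local\n'
    fi
}

# print_fix TARGET_IP LAN_CIDR WAN_CIDR PFSENSE_WAN_IP -> the client route and
# the WAN pass rule from the thread, limited to the one target host
print_fix() {
    target=$1; lan=$2; wan=$3; gw=$4
    lanmask=$(int_to_ip "$(prefix_mask "${lan#*/}")")
cat <<EOF
# Linux client in $wan (persist it in the client's network manager):
ip route add $lan via $gw
# Windows client in $wan (-p makes the route persistent):
route -p ADD ${lan%/*} MASK $lanmask $gw
# pfSense, Firewall > Rules > WAN, add a pass rule:
#   Action: Pass   Interface: WAN   Protocol: any
#   Source: $wan   Destination: $target
# pfSense, Interfaces > WAN: untick "Block private networks and loopback
# addresses", or the RFC1918 source $wan is dropped before that rule.
EOF
}

# Demo with a constructed resolved address from the thread's LAN prefix. On a
# real client you would take it from nslookup or: dig +short A pve.local.example.com
resolved=10.84.1.20
case $(route_verdict "$resolved" 10.84.0.0/16 192.168.8.0/24) in
    needs-route) print_fix "$resolved" 10.84.0.0/16 192.168.8.0/24 192.168.8.2 ;;
    same-subnet) echo "$resolved is on the client's own subnet; routing is not the problem" ;;
    not-local)   echo "$resolved is outside both subnets; check what the client resolved" ;;
esac
```

The pass rule is scoped to the single LAN host and the WAN subnet as source, so, as stephenw10 says, nothing is opened towards the public internet; the ISP router still does not forward anything inbound. The "Block private networks" caveat matters here because pfSense's WAN is itself an RFC1918 subnet: that option's auto-generated block rule runs before user rules on WAN and would silently drop the 192.168.8.x client.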
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.