Local DNS Records on different subnet
-
It's a firewall rule on the WAN interface. The client is trying to open connections from the WAN subnet to servers in LAN.
-
@stephenw10 so what would be my source and destination ip
-
Assuming you've added the route on the client.
The firewall rule should be source: the pfSense WAN subnet and destination: the server in the LAN. Or you set the destination to the full LAN subnet as a test.
-
@stephenw10 so on pfsense add it under the WAN firewall rules? or the LAN?
-
The rule has to be on the WAN.
It needs to pass traffic from the client in the WAN subnet to the server in the LAN subnet.
But this is the wrong way to do this. You should instead move all clients to subnets behind pfSense. You will almost certainly see other issues trying to have clients in the pfSense WAN.
-
@stephenw10 so I won’t be able to access dns cname records off isp side because of security issue with routing traffic from ISP to pfsense LAN
-
I'm not sure what you're asking there.
You can set this up and it will work. It's not really a security issue because you control both subnets and are behind NAT from your ISPs router.
But it is a setup that will almost certainly cause problems in the future unless you understand exactly what is happening and allow for it.
-
@stephenw10 so I put a firewall rule under WAN , any source and destination is my traefik server should it be my pihole? because it didn't resolve to anythin
-
In the screenshot above you showed that whatever the resource is successfully resolved to a 10.84.x.x IP address. There's no need to hide those addresses they are in a private subnet and only valid locally to you.
The reason the client cannot reach it is that it needs a static route to that subnet via the pfSense WAN IP.
And pfSense needs a pass rule on WAN, at a minimum, from the client IP address in the WAN subnet to the server IP address in the LAN subnet. It probably needs only to pass TCP but I would set the protocol to any as a test so you can try pinging it.
-
@stephenw10 so under WAN firewall create a rule source “any” destination “any“?
-
@jhmc93 Your going to have nothing but problems trying to do it with devices on your pfsense wan.. For starters your going to need a route on your upstream router. And then even with a route your traffic is going to be asymetrical because you have host on your transit network.
Put your devices behind pfsense is a much simpler and elegant solution.
-
@johnpoz can’t do that unfortunately
-
@jhmc93 said in Local DNS Records on different subnet:
@stephenw10 so under WAN firewall create a rule source “any” destination “any“?
You could do that as a test but a better rule would be:
Source: WAN subnet
Destination: LAN subnetIt could be narrower still like:
Source: the client IP address (or an alias with all clients)
Destination: the server IP address in the LAN.Generally the more precise you make the rules the better. But to just test you have added the route correctly just passing all traffic would work.
-
@stephenw10 what server should I point it to my traefik server or the pihole one?
-
The pihole is being used as DNS only and it's on the WAN side. The client is resolving against that because you manually configured it to do so.
It is resolving the traefik server to an IP address in the LAN but cannot reach it currently.
So the destination should be the traefik server IP address in the LAN subnet.
-
-
@johnpoz so my pfsense Doesn't have a WiFi card do broadcast a WiFi signal, I probably could connect a third party router, but there's an issue with that also, the pfsense instance I have running is more of a side firewall device for my media servers. Plus the connection from the ISP router is ran through a ethernet powerline plug and then into pfsense which is in a different location.
@stephenw10 I will try that and let you know how it goes thanks.
-
@jhmc93 Just get a real AP, or any 20$ wifi router can be used as just an AP..
Running wifi actually on some pfsense box would never be a good idea. Freebsd and wifi don't play nice.
-
@johnpoz so because I says that pfsense runs off an ethernet powerline plug, I currently have 1GB connection into my home, because of pfsense being ran off the plug in a different room I've seen the max speed of 60mbps when I've ran a speed test
-
That's pretty bad for powerline Ethernet. I've seen them pass 1G without issue. If they're new enough.
Somethings you have to try to work-around. But somethings you don't and if you can avoid it your life will be much easier!
