Netgate Discussion Forum
    Local DNS Records on different subnet

    General pfSense Questions
      stephenw10 Netgate Administrator

      It's a firewall rule on the WAN interface. The client is trying to open connections from the WAN subnet to servers in LAN.

        jhmc93 @stephenw10

        @stephenw10 So what would be my source and destination IP?

          stephenw10 Netgate Administrator

          Assuming you've added the route on the client.

          The firewall rule should be source: the pfSense WAN subnet and destination: the server in the LAN. Or you set the destination to the full LAN subnet as a test.

            jhmc93 @stephenw10

            @stephenw10 So on pfSense, add it under the WAN firewall rules? Or the LAN?

              stephenw10 Netgate Administrator

              The rule has to be on the WAN.

              It needs to pass traffic from the client in the WAN subnet to the server in the LAN subnet.

              But this is the wrong way to do this. You should instead move all clients to subnets behind pfSense. You will almost certainly see other issues trying to have clients in the pfSense WAN.

                jhmc93 @stephenw10

                @stephenw10 So I won't be able to access DNS CNAME records on the ISP side because of a security issue with routing traffic from the ISP to the pfSense LAN?

                  stephenw10 Netgate Administrator

                  I'm not sure what you're asking there.

                  You can set this up and it will work. It's not really a security issue because you control both subnets and are behind NAT from your ISP's router.

                  But it is a setup that will almost certainly cause problems in the future unless you understand exactly what is happening and allow for it.

                    jhmc93 @stephenw10

                    @stephenw10 So I put a firewall rule under WAN, source any and destination my Traefik server. Should it be my Pi-hole instead? Because it didn't resolve to anything.

                      stephenw10 Netgate Administrator

                      In the screenshot above you showed that whatever the resource is, it successfully resolved to a 10.84.x.x IP address. There's no need to hide those addresses; they are in a private subnet and only valid locally to you.

                      The reason the client cannot reach it is that it needs a static route to that subnet via the pfSense WAN IP.

                      And pfSense needs a pass rule on WAN, at a minimum, from the client IP address in the WAN subnet to the server IP address in the LAN subnet. It probably needs only to pass TCP but I would set the protocol to any as a test so you can try pinging it.

                        jhmc93 @stephenw10

                        @stephenw10 So under WAN firewall, create a rule with source “any” and destination “any”?

                          johnpoz LAYER 8 Global Moderator @jhmc93

                          @jhmc93 You're going to have nothing but problems trying to do it with devices on your pfSense WAN. For starters, you're going to need a route on your upstream router. And then even with a route, your traffic is going to be asymmetrical because you have hosts on your transit network.

                          Putting your devices behind pfSense is a much simpler and more elegant solution.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                            jhmc93 @johnpoz

                            @johnpoz Can't do that, unfortunately.

                              stephenw10 Netgate Administrator @jhmc93

                              @jhmc93 said in Local DNS Records on different subnet:

                              @stephenw10 So under WAN firewall, create a rule with source “any” and destination “any”?

                              You could do that as a test but a better rule would be:
                              Source: WAN subnet
                              Destination: LAN subnet

                              It could be narrower still like:
                              Source: the client IP address (or an alias with all clients)
                              Destination: the server IP address in the LAN.

                              Generally, the more precise you make the rules the better. But to just test that you have added the route correctly, passing all traffic would work.
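As an added illustration (not from the thread or from pfSense itself), this small Python model walks through the two preconditions stephenw10 describes above, the client's static route and the WAN pass rule, and the narrow-versus-any/any rule choice, including why a TCP-only rule blocks a test ping. All addresses, including the 10.84.0.0/24 LAN and the Traefik server IP, are constructed assumptions, so it runs offline.

```python
import ipaddress as ip

# Constructed topology (assumed addresses, not the poster's real ones): the ISP
# router's LAN is the pfSense WAN subnet, so the client and pfSense share it.
LAN_SUBNET = ip.ip_network("10.84.0.0/24")
ISP_ROUTER_IP = ip.ip_address("192.168.1.1")
PFSENSE_WAN_IP = ip.ip_address("192.168.1.2")
CLIENT = ip.ip_address("192.168.1.50")
SERVER = ip.ip_address("10.84.0.10")  # the Traefik server behind pfSense

# Client routing tables: default route only, or with the static route added.
DEFAULT_ONLY = [(ip.ip_network("0.0.0.0/0"), ISP_ROUTER_IP)]
WITH_STATIC = DEFAULT_ONLY + [(LAN_SUBNET, PFSENSE_WAN_IP)]

# WAN rule sets, first match wins. The narrow rule is the one the thread
# recommends (one client to one server, TCP); any/any is the test rule.
NARROW = [{"action": "pass", "proto": "tcp", "src": ip.ip_network("192.168.1.50/32"),
           "dst": ip.ip_network("10.84.0.10/32")}]
ANY_ANY = [{"action": "pass", "proto": "any", "src": ip.ip_network("0.0.0.0/0"),
            "dst": ip.ip_network("0.0.0.0/0")}]

def next_hop(dst, routes):
    """Longest-prefix match over the client's routes; returns the gateway."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def wan_rule_passes(src, dst, proto, rules):
    """First matching rule decides; no match means the WAN interface's default deny."""
    for r in rules:
        if src in r["src"] and dst in r["dst"] and r["proto"] in ("any", proto):
            return r["action"] == "pass"
    return False

def can_reach(client, server, proto, routes, rules):
    """(ok, reason) for a connection from the WAN-side client to the LAN server."""
    gw = next_hop(server, routes)
    if gw != PFSENSE_WAN_IP:
        return False, f"client sends via {gw}, which has no path into the LAN subnet"
    if not wan_rule_passes(client, server, proto, rules):
        return False, "pfSense WAN default deny drops it; a pass rule on WAN is needed"
    return True, "static route hands it to pfSense and the WAN rule passes it"

if __name__ == "__main__":
    for routes, rules, proto in [(DEFAULT_ONLY, NARROW, "tcp"), (WITH_STATIC, [], "tcp"),
                                 (WITH_STATIC, NARROW, "tcp"), (WITH_STATIC, NARROW, "icmp")]:
        print(proto, can_reach(CLIENT, SERVER, proto, routes, rules))
```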

                                jhmc93 @stephenw10

                                @stephenw10 What server should I point it to, my Traefik server or the Pi-hole one?

                                  stephenw10 Netgate Administrator

                                  The Pi-hole is being used as DNS only and it's on the WAN side. The client is resolving against that because you manually configured it to do so.

                                  It is resolving the Traefik server to an IP address in the LAN but cannot reach it currently.

                                  So the destination should be the traefik server IP address in the LAN subnet.

                                    johnpoz LAYER 8 Global Moderator @jhmc93

                                    @jhmc93 said in Local DNS Records on different subnet:

                                    can’t do that unfortunately

                                    And why is that?

                                      jhmc93 @johnpoz

                                      @johnpoz So my pfSense doesn't have a WiFi card to broadcast a WiFi signal. I probably could connect a third-party router, but there's an issue with that also: the pfSense instance I have running is more of a side firewall device for my media servers. Plus the connection from the ISP router is run through an Ethernet powerline plug and then into pfSense, which is in a different location.

                                      @stephenw10 I will try that and let you know how it goes thanks.

                                        johnpoz LAYER 8 Global Moderator @jhmc93

                                        @jhmc93 Just get a real AP, or any $20 WiFi router can be used as just an AP.

                                        Running WiFi actually on some pfSense box would never be a good idea. FreeBSD and WiFi don't play nice.

                                          jhmc93 @johnpoz

                                          @johnpoz So, as I said, pfSense runs off an Ethernet powerline plug. I currently have a 1GB connection into my home, but because pfSense is run off the plug in a different room, I've seen a max speed of 60 Mbps when I've run a speed test.

                                            stephenw10 Netgate Administrator

                                            That's pretty bad for powerline Ethernet. I've seen them pass 1G without issue. If they're new enough.

                                            Some things you have to try to work around. But some things you don't, and if you can avoid it your life will be much easier!
