Local DNS Records on different subnet
-
@stephenw10 I haven't resolved this issue. My firewall rules are the following; this is being tried on a test machine, but I'm unable to ping the machine from my laptop on my ISP router to the Linux Ubuntu server or connect via SSH. What am I doing wrong?
-
If you're still trying to connect from a laptop in the pfSense WAN subnet to a server in the LAN subnet the primary thing you need is a route to allow it.
That probably means adding a static route to the laptop directly. It has to be a route to the LAN subnet via the pfSense WAN address.
Without that the laptop will send that traffic via its default gateway, which is the ISP router. And that probably has no idea where to route it, so it will either drop it or send it to the ISP... where it will be dropped.
-
@stephenw10 so what you're saying is I need to add a static IP to the laptop on the ISP side?
As you can see I did a route in that screenshot above, but my laptop is getting its IP from the DHCP server on the ISP side.
-
You need to add a static route to the laptop so it sends that traffic to pfSense instead of the ISP router.
I'm not seeing any screenshots showing routes. But to be clear that route has to be added to the laptop directly in this setup.
-
@stephenw10 so how would I go about doing that?
Change the gateway via static IP on the laptop?
-
@stephenw10 is this not a route?
-
Those are firewall rules.
What operating system is your laptop running?
-
@stephenw10 Windows 11
-
OK so at the Windows command prompt do something like:
ROUTE -P ADD 192.168.11.0 MASK 255.255.255.0 192.168.0.100
Where 192.168.11.0/24 is the pfSense LAN subnet and 192.168.0.100 is the pfSense WAN address. I don't think you ever said what the WAN address is so replace that. Earlier in the thread it looked like the pfSense LAN was using 10.84.0.0 so if it is then replace that.
If you then run
ROUTE PRINT
on the laptop you should see that route in the table, so it then knows how to reach the pfSense LAN.
-
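To see why the laptop needs that entry, here is an added example (not from the thread) that parses the IPv4 "Active Routes" section of a Windows ROUTE PRINT and applies the same longest-prefix selection Windows uses, once before and once after the persistent route. The route table text is constructed, with 192.168.0.1 assumed to be the ISP router, 192.168.0.50 the laptop and 192.168.0.100 the pfSense WAN address from the post above.

```python
import ipaddress

# Constructed sample of a laptop's ROUTE PRINT IPv4 table before the
# static route is added (assumed addresses, see lead-in).
ROUTE_PRINT_BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link      192.168.0.50    281
"""

# The same table after: ROUTE -P ADD 192.168.11.0 MASK 255.255.255.0 192.168.0.100
ROUTE_PRINT_AFTER = ROUTE_PRINT_BEFORE + (
    "     192.168.11.0    255.255.255.0    192.168.0.100    192.168.0.50     26\n"
)


def parse_routes(text):
    """Return (network, gateway, metric) tuples from ROUTE PRINT output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # header, blank and section lines
            continue
        dest, mask, gateway, _iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                 # not a route line
        routes.append((net, gateway, int(metric)))
    return routes


def next_hop(routes, dst):
    """Gateway Windows would pick: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    net, gateway, _metric = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return gateway


def lan_reachable_via(routes, lan_subnet, wan_addr):
    """Check the pfSense LAN is routed via the pfSense WAN address (e.g. after a Windows update)."""
    probe = ipaddress.IPv4Network(lan_subnet)[1]   # first usable host in the LAN
    return next_hop(routes, str(probe)) == wan_addr


if __name__ == "__main__":
    for label, table in (("before", ROUTE_PRINT_BEFORE), ("after", ROUTE_PRINT_AFTER)):
        print(label, "-> 192.168.11.20 goes via", next_hop(parse_routes(table), "192.168.11.20"))
```

Run against a real laptop by feeding `route print -4` output into parse_routes; lan_reachable_via is the check to repeat whenever the client changes, since nothing on pfSense can restore a route that lives only on the laptop.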
@stephenw10 so will that allow me to access my dns records pointing to traefik on my lan side, on my isp lan?
-
@jhmc93 said in Local DNS Records on different subnet:
dns records pointing to traefik on my lan side
DNS 'points' to A or AAAA addresses, TXT fields, MX (mail server host names), CNAME (= other DNS fields)
but not to traefik ? = traffic !?
-
@Gertjan I have Pi-hole set up on my ISP LAN with an A record pointing to my Traefik reverse proxy machine on my pfSense LAN
-
Yes that would allow your laptop to reach the DNS server behind pfSense.
Though I still advise against this entirely because it will cause problems down the line.
-
@stephenw10 what kind of problems?
-
@stephenw10 so I tried it on a test machine, so IP is different, but what have I done wrong??
-
Because it relies on the client being configured to reach it then any changes on the client may break it. And in this circumstance that would mean the client loses DNS. If Windows is updated for example.
Or if you add some other client you have to remember to add the static route.
I imagine I could think of at least 10 ways this could bite you.
I have seen many customers with similar setups where things mostly worked until they didn't.
But for that one device it should work for now.
-
@stephenw10 look up, it hasn't worked unfortunately
-
Ok so 192.168.0.75 is the pfSense WAN IP address?
And 70.86.90.0/24 is the pfSense LAN subnet? A public /24 subnet?
That seems unlikely and you previously showed it as 192.168.11.0/24.
-
@stephenw10 so this is a test machine, not the actual machine that has the IP above. 70.86.90.0/24 is the test machine, and 192.168.0.75 is the WAN IP address, as shown below.
-
Then yes, that should work as long as firewall rules exist to pass it. And, of course, the target host in the LAN must allow it.
Start a continuous ping from the laptop then check the states on that test firewall to see if it's passing. Or the firewall logs to see if it's being blocked.