Serving different WPADs per subnet with Unbound
-
Hello fellow Netgate community members,
Can you please help?
I have two subnets on my network:
- 192.168.1.0/24 (LAN): main network with an active WPAD pointing to a proxy
- 10.0.0.0/24 (Guest): guest network with a dummy WPAD that should just use direct connections
I want to configure Unbound so that:
- Clients on the internal network get the WPAD that points to the proxy
- Clients on the guest network get a WPAD that bypasses the proxy
- All other DNS queries still resolve normally
Currently, the WPAD “bleeds over” onto both interfaces because of the Unbound resolver host override on the guest network. Apple devices in particular will constantly search for a WPAD file when set to auto and never default to “none,” which is why I need a dummy WPAD for guests.
How can I accomplish this using custom options, host overrides, or zones in Unbound so that the correct WPAD is automatically served depending on the client’s subnet?
Thanks in advance!
-
This : Wpad for two networks ?
-
@Gertjan yes, I have a 192.168.1.0/24 network on an interface and a separate OPT interface for 10.0.0.0. For each network I want to set up a host override that points to a different WPAD. Thanks for the reply.
Something like this:
# View for LAN (192.168.1.0/24)
view:
    name: "lanview"
    view-first: yes
    match-clients: 192.168.1.0/24
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"   # Active proxy WPAD
    local-data: "wpad.home.arpa. 3600 IN AAAA 2001:470:8052:a::6"
    local-data: "proxy.home.arpa. 3600 IN CNAME wpad.home.arpa."
    local-data: "wpad.local. 3600 IN CNAME wpad.home.arpa."
    local-data: "wpad.internal.local. 3600 IN CNAME wpad.home.arpa."

# View for Guest (10.0.0.0/24)
view:
    name: "guestview"
    view-first: yes
    match-clients: 10.0.0.0/24
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 10.0.0.2"   # Dummy WPAD (direct connect)
    local-data: "wpad.local. 3600 IN CNAME wpad.home.arpa."
    local-data: "wpad.internal.local. 3600 IN CNAME wpad.home.arpa."

# Default server options
server:
    do-not-query-localhost: no
    private-domain: "home.arpa"
    private-domain: "local"
    private-domain: "internal.local"
    dns64-ignore-aaaa: ichnaea-web.netflix.com
    dns64-ignore-aaaa: logs.netflix.com
    dns64-ignore-aaaa: netflix.com
    dns64-ignore-aaaa: netflix.net
    dns64-ignore-aaaa: nflxext.com
    dns64-ignore-aaaa: nflxso.net
    dns64-ignore-aaaa: nflxvideo.net
    dns64-ignore-aaaa: www.netflix.com
    dns64-ignore-aaaa: google.com
    dns64-ignore-aaaa: googleapis.com
    dns64-ignore-aaaa: tubi.io
    dns64-ignore-aaaa: tubitv.com
    dns64-ignore-aaaa: tubi.video
    dns64-ignore-aaaa: youtube.com
    dns64-ignore-aaaa: www.youtube.com
    dns64-ignore-aaaa: googlevideo.com

But it does not work; match-clients does not work:

The following input errors were detected: The generated config file cannot be parsed by unbound. Please correct the following errors:
/var/unbound/test/unbound.conf:128: error: unknown keyword 'match-clients'
/var/unbound/test/unbound.conf:128: error: stray ':'
/var/unbound/test/unbound.conf:128: error: unknown keyword '192.168.1.0/24'
/var/unbound/test/unbound.conf:140: error: unknown keyword 'match-clients'
/var/unbound/test/unbound.conf:140: error: stray ':'
/var/unbound/test/unbound.conf:140: error: unknown keyword '10.0.0.0/24'
read /var/unbound/test/unbound.conf failed: 6 errors in configuration file
-
@JonathanLee said in Serving different WPADs per subnet with Unbound:
match-clients: 192.168.1.0/24
Where did you come up with that entry? It has been quite some time since I have looked into doing views, and at what might have changed with the newer versions of Unbound the latest versions of pfSense could be running - but I do not recall that option being part of them?
match-clients is a BIND thing, I believe - not an Unbound option. Did you try and get some AI nonsense chatbot to write the code for you? Those things are on drugs or something - they hallucinate shit all the time!!!
I wouldn't ask them for the time of day, cause 9 out of 10 times they would get it wrong ;)
-
@johnpoz you got me, AI answer ...
I changed the DHCP to a guest one and set the host entries for that, and it seems to work. Hahah, so my home.arpa is now the main, and guest.arpa is the guest with DHCP, but there has to be a way to lock it down per subnet in Unbound, right? There are so many options in Unbound I could sit and read Unbound's website for a month and still not find the option I need.
-
@JonathanLee All of the info you needed, with examples, is in the thread that @Gertjan pointed to. I went into great detail helping that poster.
And you don't need to read their full manual - just look:
https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html
-
@JonathanLee said in Serving different WPADs per subnet with Unbound:
There so many options in unbound I could sit and read unbound’s website for a month and still not find the option I need.
Lol, no way.
Netgate decided (imho) to use Unbound for 3 reasons:
dnsmasq (a simple, "featherweight" forwarder, still present) was disabled, as 'dumb' forwarding to your ISP DNS is something of the past.
Unbound is a "lightweight" resolver, which means pfSense (so you!) can now tap into the official DNS as it was designed last century.
Because it's a resolver, it can do DNSSEC. The config file, typically one file, /var/unbound/unbound.conf, isn't that hard to understand.
Read this (your!) file, get every line, and look every 'command' up in the manual: https://nlnetlabs.nl/documentation/unbound/unbound.conf/
I didn't print this file, but I guess it's 10 pages or so.
Of course, there are more options mentioned, as 'people' always want that "extra thing". Open source solutions always tend to become bloated.
One of the reasons ISC decided to rewrite the world's most famous DHCP server was that too much was added all over the place over the last 2, 3 decades, and for this very reason they decided to re-create a DHCP server from scratch: it's called "kea". Compare this one file with the help documentation of BIND.
BIND is ..... bigger than huge, and that's one of the reasons Netgate didn't use BIND instead of Unbound.
bind can do way more ... read, for example, this.
The thing is, all these config files are normally created by you, the admin, with a text editor, one by one, the old school way of doing things.
pfSense is GUI based, so the GUI would have to maintain all these files for you.
Writing a GUI that is easy to understand (for those who don't know sh*t about DNS) is even today, 2025, mission impossible.
Like a GUI front end for server applications apache2, nginx, postfix, mariadb, and the worst of them all (imho) radius: it can't and shouldn't be done.
This was what worked for me. I had issues with what went where; it took a couple of tries. I have both working now. The dns64 lines are for Netflix not liking the HE IPv6 tunnel.

#======================
# Server-wide settings
#======================
server:
    do-not-query-localhost: no
    # private-domain takes one name per line (a single quoted string with
    # spaces is read as one domain name and does not cover any of them)
    private-domain: "home.arpa"
    private-domain: "local"
    private-domain: "internal.local"
    private-domain: "guest.arpa"

    # DNS64 exceptions
    dns64-ignore-aaaa: ichnaea-web.netflix.com
    dns64-ignore-aaaa: logs.netflix.com
    dns64-ignore-aaaa: netflix.com
    dns64-ignore-aaaa: netflix.net
    dns64-ignore-aaaa: nflxext.com
    dns64-ignore-aaaa: nflxso.net
    dns64-ignore-aaaa: nflxvideo.net
    dns64-ignore-aaaa: www.netflix.com
    dns64-ignore-aaaa: google.com
    dns64-ignore-aaaa: googleapis.com
    dns64-ignore-aaaa: tubi.io
    dns64-ignore-aaaa: tubitv.com
    dns64-ignore-aaaa: tubi.video
    dns64-ignore-aaaa: youtube.com
    dns64-ignore-aaaa: www.youtube.com
    dns64-ignore-aaaa: googlevideo.com

    # Map clients to views (source netblock -> view name)
    access-control-view: 192.168.1.0/24 lanview
    access-control-view: 10.0.0.0/24 guestview

#======================
# WPAD views
#======================
# LAN WPAD
view:
    name: "lanview"
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"
    local-data: "LEE_pfSense.home.arpa. 3600 IN A 192.168.1.2"
    local-data: "lee_family.home.arpa. 3600 IN A 192.168.1.1"

# Guest WPAD
view:
    name: "guestview"
    local-zone: "wpad.guest.arpa." static
    local-data: "wpad.guest.arpa. 3600 IN A 10.0.0.2"
-
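The checker below is an added example written for this page; it is not code from the thread, from pfSense or from the Unbound project. It parses only the small subset of unbound.conf syntax used here (server:/view: clauses and key: value lines), flags BIND-only keywords such as match-clients that unbound-checkconf reports as unknown, checks that every access-control-view names a view that is actually defined, and then simulates which view a client address lands in and which A record it receives for a name. The three inline configs (the server-level host override that bleeds onto every subnet, the BIND-style attempt, and the two-view layout) and the client addresses are constructed for the example.

```python
import ipaddress

# named.conf options; unbound-checkconf rejects them as "unknown keyword".
BIND_ONLY = {"match-clients", "match-destinations", "allow-query", "allow-recursion"}

# Constructed sample: a host override lives in server:, so every subnet
# gets the proxy WPAD. This is the "bleed" from the opening post.
CONF_OVERRIDE = """\
server:
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"
"""

# Constructed sample: the BIND-style attempt that unbound cannot parse.
CONF_BIND_STYLE = """\
view:
    name: "lanview"
    match-clients: 192.168.1.0/24
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"
"""

# Constructed sample: working layout, netblock -> view in server:,
# each view carrying its own WPAD record for the same name.
CONF_VIEWS = """\
server:
    access-control-view: 192.168.1.0/24 lanview
    access-control-view: 10.0.0.0/24 guestview
view:
    name: "lanview"
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 192.168.1.6"   # proxy WPAD
view:
    name: "guestview"
    local-zone: "wpad.home.arpa." static
    local-data: "wpad.home.arpa. 3600 IN A 10.0.0.2"      # direct-connect WPAD
"""


def parse(conf):
    """-> [{"type": "server"|"view", "opts": [(key, value), ...]}]; comments stripped."""
    sections = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:        # clause header
            sections.append({"type": line[:-1], "opts": []})
            continue
        key, _, value = line.partition(":")
        sections[-1]["opts"].append((key.strip(), value.strip()))
    return sections


def views_by_name(sections):
    return {next(v.strip('"') for k, v in s["opts"] if k == "name"): s["opts"]
            for s in sections if s["type"] == "view"}


def server_opts(sections):
    return [o for s in sections if s["type"] == "server" for o in s["opts"]]


def lint(sections):
    """Problems unbound-checkconf reports, plus dangling view references."""
    problems, views = [], views_by_name(sections)
    for s in sections:
        for key, _ in s["opts"]:
            if key in BIND_ONLY:
                problems.append(f"'{key}' is a BIND option, not Unbound; "
                                "map clients with access-control-view in server:")
    for key, value in server_opts(sections):
        if key == "access-control-view":
            net, _, view = value.partition(" ")
            try:
                ipaddress.ip_network(net)
            except ValueError:
                problems.append(f"bad netblock in access-control-view: {net}")
            if view not in views:
                problems.append(f"access-control-view {net} names undefined view '{view}'")
    return problems


def view_for(sections, client_ip):
    """Longest-prefix match of the client against access-control-view entries."""
    ip, best = ipaddress.ip_address(client_ip), None
    for key, value in server_opts(sections):
        if key == "access-control-view":
            net, _, view = value.partition(" ")
            n = ipaddress.ip_network(net)
            if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, view)
    return best[1] if best else None


def _local_a(opts, qname):
    for key, value in opts:
        if key == "local-data":
            owner, _ttl, _cls, rtype, rdata = value.strip('"').split()
            if rtype == "A" and owner.lower() == qname:
                return rdata
    return None


def lookup_a(sections, client_ip, qname):
    """A record the client gets from local data; None means 'resolved upstream'."""
    qname = qname.rstrip(".").lower() + "."
    view = view_for(sections, client_ip)
    if view is not None:
        opts = views_by_name(sections)[view]
        answer = _local_a(opts, qname)
        if answer is not None:
            return answer
        # Only view-first: yes lets a view fall back to server: local-data.
        if not any(k == "view-first" and v == "yes" for k, v in opts):
            return None
    return _local_a(server_opts(sections), qname)


if __name__ == "__main__":
    print(lint(parse(CONF_BIND_STYLE)))
    for ip in ("192.168.1.50", "10.0.0.50"):
        print(ip, lookup_a(parse(CONF_OVERRIDE), ip, "wpad.home.arpa"),
              lookup_a(parse(CONF_VIEWS), ip, "wpad.home.arpa"))
```

The simulator is a sanity check for the layout before it goes into the pfSense custom options box; the authoritative check is still unbound-checkconf against the generated /var/unbound/unbound.conf, followed by a dig for wpad.home.arpa from a host on each subnet to confirm the guest side no longer sees the proxy address.
-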
@JonathanLee guest.arpa - it really should be guest.home.arpa. .arpa was not set as a special-use TLD; the domain home.arpa was.
If you want to use any domain name you want with a TLD, then use the special-use TLD .internal.
I don't think it's been fully approved as of yet, but I believe an RFC has been submitted. But guest.arpa for sure is not a special-use domain.
-
@johnpoz said in Serving different WPADs per subnet with Unbound:
guest.arpa - it really should be guest.home.arpa. .arpa was not set as a special-use TLD; the domain home.arpa was.
If you want to use any domain name you want with a TLD, then use the special-use TLD .internal.
I don't think it's been fully approved as of yet, but I believe an RFC has been submitted. But guest.arpa for sure is not a special-use domain.
Thanks for the reply, fixed it to guest.home.arpa.
-
@JonathanLee said in Serving different WPADs per subnet with Unbound:
for Netflix not liking the HE ipv6 tunnel
That was also solved with the help of pfBlockerNG:
enter all the domain names you don't want to be resolved as AAAA, only A.
In my he.net days, this worked very well.