Netgate Discussion Forum
    Traffic from Road Warrior to Branch to HQ

    Category: DHCP and DNS

    awsiemieniec

      Something tells me this should be easy but I often over-complicate things.

      I connect to a branch office via OpenVPN to my work LAN. The work LAN connects to a server via a site-to-site OpenVPN connection (HQ). At HQ is a DNS server (Server 2012 R2). From my remote connection I am unable to get DNS queries answered from the server at HQ. I am unable to get a reply from nslookup or ping when I try to find a device at HQ.

      ********             **********             ******
      * HOME *  ------->   * Branch *  ------->   * HQ *
      ********             **********             ******

      Do I need to do anything special that allows road warrior traffic to pass, ultimately, to the HQ location? I have Unbound set up at the pfSense 2.2.4 box at Branch. Within the config of Unbound I have defined the LANs that are able to access the service. Within the pfSense box at Branch I have defined the server at HQ as a DNS server and told Unbound to "enable forwarding mode". Do I need to manually push the route to the road warrior connections?

      I do specify DNS servers within the OpenVPN config for the remote users; I specify the branch (10.10.100.1) and the HQ (10.10.10.29).

      If I'm at Branch all is good. I can nslookup <hostname> and it relates the server at HQ and the correct IP address.

      awsiemieniec

        I would really like the two DNS servers (Unbound, Server 2012 R2) to update each other so they both have a current copy of the zone, but I have yet to see that happen. Can it? With that working I believe this would be a moot point. (?)

        Derelict (Netgate)

          HQ needs an openvpn route to HOME with an iroute for the same to Branch
          HOME needs an openvpn route to HQ with an iroute for the same to Branch

          For connections from HOME to HQ, there need to be OpenVPN firewall rules permitting the traffic on Branch from HOME and on HQ from Branch.

          Regarding your second post, Unbound is intended to be a caching resolver, not an authoritative zone master/slave. What you probably want to do is forward the domain's domain (and probably the in-addr zones) to your 2012 R2 DNS server.

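          To make the routing and forwarding advice above concrete, here is an added example of the relevant configuration fragments. It is not Derelict's or Netgate's configuration and not taken from the original post. It assumes HQ is the server side of the site-to-site tunnel and Branch the client (the roles are not stated in the thread), that the road warrior tunnel network is 10.10.200.0/24 and the HQ LAN is 10.10.10.0/24 (both assumed; only the DNS addresses 10.10.100.1 and 10.10.10.29 are in the thread), and that the internal DNS zone is the placeholder corp.example. The pfSense GUI field names in the comments are assumptions about where each directive is entered.

```conf
# --- HQ pfSense: site-to-site OpenVPN server (assumed role) ---
# Kernel route for the road-warrior tunnel network into the site-to-site
# tunnel (in the pfSense GUI this is normally a "Remote Network" entry).
route 10.10.100.0 255.255.255.0      # Branch LAN (already needed for LAN-to-LAN)
route 10.10.200.0 255.255.255.0      # assumed road-warrior tunnel network

# --- HQ pfSense: Client Specific Override for the Branch client ---
# iroute tells the OpenVPN server WHICH client owns each network, so that
# replies to HOME are handed to the Branch tunnel instance, not dropped.
iroute 10.10.100.0 255.255.255.0
iroute 10.10.200.0 255.255.255.0

# --- Branch pfSense: remote-access OpenVPN server for road warriors ---
# Push the Branch LAN and the HQ LAN so HOME clients send HQ traffic into
# the tunnel; without the second route, packets for 10.10.10.29 never leave
# the client's default gateway.
push "route 10.10.100.0 255.255.255.0"
push "route 10.10.10.0 255.255.255.0"
# DNS servers handed to clients, as already configured in the original post.
push "dhcp-option DNS 10.10.100.1"
push "dhcp-option DNS 10.10.10.29"

# --- Firewall rules (entered in the GUI, shown here as comments) ---
# Branch, OpenVPN tab: pass  src 10.10.200.0/24  dst 10.10.10.0/24  any
# Branch, OpenVPN tab: pass  src 10.10.200.0/24  dst 10.10.100.1  TCP/UDP 53
# HQ,     OpenVPN tab: pass  src 10.10.200.0/24  dst 10.10.10.0/24  any

# --- Branch pfSense: Unbound custom options (DNS Resolver page) ---
server:
    # Only needed if the road-warrior tunnel network is not already covered
    # by an Unbound access list; 10.10.200.0/24 is an assumed value.
    access-control: 10.10.200.0/24 allow
    # If DNSSEC validation is enabled, the internal zone must be marked
    # insecure or answers from the 2012 R2 server are rejected as bogus.
    domain-insecure: "corp.example"
    # Let RFC 1918 answers for this zone through the rebinding protection.
    private-domain: "corp.example"
forward-zone:
    name: "corp.example"
    forward-addr: 10.10.10.29
forward-zone:
    # Reverse zone for the assumed HQ LAN, so PTR lookups also go to HQ.
    name: "10.10.10.in-addr.arpa"
    forward-addr: 10.10.10.29
```

Two points worth noting. First, forwarding only the internal zone (and its reverse zone) is narrower than the global "enable forwarding mode" in the original post: Unbound keeps resolving the rest of the Internet itself, and only queries for the HQ domain ever leave for 10.10.10.29. Second, the routing and the DNS parts fail independently, so test them separately from a HOME client: `nslookup <hostname> 10.10.10.29` exercises the route and firewall path to HQ without touching Unbound, while `nslookup <hostname> 10.10.100.1` exercises the Unbound access list and forward-zone. If the first works and the second does not, the problem is on the Branch resolver, not in the tunnels.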
            awsiemieniec

            Thank you for the directions! Much appreciated.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.