Netgate Discussion Forum
    Host Overrides not working externally

    General pfSense Questions
      c0mputerking

      I know replying to my own thread may be bad practice, but I discovered something odd while trying to solve this problem. I started sequentially trying the System Domain Local Zone Type (a new feature I am not familiar with), and when I got down to "redirect" I started getting errors when I tried to apply the setting … now even when I try to switch back to "transparent" I get the same error.

      NOTE: "axis-1.my.domain.com A 10.22.2.240" is set up as a static DHCP host in the DHCP server.

      The following input errors were detected:

      The generated config file cannot be parsed by unbound. Please correct the following errors:
          [1461599602] unbound-checkconf[9322:0] error: local-data in redirect zone must reside at top of zone, not at axis-1.my.domain.com A 10.22.2.240
          [1461599602] unbound-checkconf[9322:0] fatal error: failed local-zone, local-data configuration

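      As an added example (not from this thread, pfSense or unbound itself), a small Python checker that applies the unbound-checkconf rule behind the error quoted above to two constructed Resolver-style fragments: with the local zone type set to "redirect", unbound answers the whole zone from the data at its apex, so a host override below the apex such as axis-1.my.domain.com is rejected, while the same local-data is accepted under "transparent". The exact shape of the generated local-zone/local-data lines is an assumption.

```python
# Added example: mirrors the unbound-checkconf rule for "redirect" local zones.
# A redirect zone is served entirely from the data at the zone apex, so any
# local-data whose owner name sits below the apex is rejected; "transparent"
# and "static" zones accept host records below the apex.
import re

LOCAL_ZONE = re.compile(r'^\s*local-zone:\s*"?([^"\s]+)"?\s+(\S+)')
LOCAL_DATA = re.compile(r'^\s*local-data:\s*"([^"]+)"')

def _canon(name):
    # Lower-case and strip the trailing dot so "my.domain.com." == "my.domain.com"
    return name.lower().rstrip(".")

def _zone_for(name, zones):
    # Longest-suffix match: the most specific configured zone wins
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def check_local_data(config_text):
    """Return a list of error strings; an empty list means the config passes."""
    zones = {}   # canonical zone name -> zone type (transparent, static, redirect, ...)
    errors = []
    for line in config_text.splitlines():
        m = LOCAL_ZONE.match(line)
        if m:
            zones[_canon(m.group(1))] = m.group(2)
            continue
        m = LOCAL_DATA.match(line)
        if m:
            rr = m.group(1)
            owner = _canon(rr.split()[0])
            zone = _zone_for(owner, zones)
            if zone is not None and zones[zone] == "redirect" and owner != zone:
                errors.append("local-data in redirect zone must reside at top of zone, not at " + rr)
    return errors

# Constructed fragments in the shape the Resolver is assumed to generate (assumption)
REDIRECT_CFG = '''
local-zone: "my.domain.com." redirect
local-data: "axis-1.my.domain.com A 10.22.2.240"
'''
TRANSPARENT_CFG = '''
local-zone: "my.domain.com." transparent
local-data: "axis-1.my.domain.com A 10.22.2.240"
'''
```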
        johnpoz LAYER 8 Global Moderator

        Why would you think an override would be used externally? Unbound is not an authoritative name server, even if you pointed your public domain to it. Who would be using your WAN IP as their DNS?

        Let's say you wanted to allow that (which would be a BAD idea): you would have to open up the WAN firewall rules to allow queries.

        At a loss as to what that NAT is supposed to be for. What does that have to do with DNS?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          c0mputerking

          Yes, I suppose this could be a bad idea. Maybe there is a better/safer/easier way, or maybe this is not possible at all; most likely I am going about this completely wrong.

          Essentially what I want to achieve is for URLs to resolve the same internally and externally.

          Internally I want vpn-1.my.domain.com to resolve to 10.22.2.105 (an internal IP), which it does correctly.

          Externally vpn-1.my.domain.com should resolve to 11.22.33.44 (an external IP); this also works correctly.

          Seems like a doable thing according to the pfSense doc, however I could be misunderstanding that too, argh.

          https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

          I tried implementing method 2: split DNS … however I am not using the DNS Forwarder, I am using the DNS Resolver; maybe that is my problem?

          As stated, DNS may not be the problem; especially since the web browser is timing out, it looks even more like NOT a DNS problem.

            johnpoz LAYER 8 Global Moderator

            Does not matter if you use the forwarder or the resolver, they both support overrides, which would be used by your boxes internally that point to pfSense for DNS.

            Set up your host override, do a query from an internal box using your favorite tool (nslookup, dig, drill) or just ping that name, and validate it resolves to the internal IP you want.

            Now from external, if you want this to forward to some box inside your network, you would have to set up a port forward. Are you trying to run some VPN server behind pfSense? From the name vpn-1 it seems so. Why would you not just run the VPN on pfSense? And why would internal boxes need to resolve that name?


              c0mputerking

              Thank you for your help, I think we got things solved, err, resolved actually :) … resolved, as I made an error when I added the A record to my upstream DNS server. Anyway, all is working as expected now internally and externally, and I apologize for not seeing my error sooner; this really had nothing to do with pfSense, sorry.

              Also yes, I am running a VPN server behind pfSense; vpn-1 is an Open Access Server. I used to use pfSense for this but did not like that the client export wizard had to be set up each time; I also really like the client-accessible interface in Open Access Server. Again you are correct, I do not need external boxes to resolve that host. In retrospect vpn-1 was probably the worst example I could have picked, not sure what I was thinking, and I was mostly just using it as an example, wrongly; I probably should have used something nice and generic like host-1.my.domain.com.

              Thanks again

                johnpoz LAYER 8 Global Moderator

                "client export wizard had to be setup each time"

                Huh? You lost me. All that is needed for the client to connect is the config and, well, sure, the OpenVPN client. Not sure what you mean by export wizard each time? To export the configurations?

                How many clients do you have? Yes, the Access Server has some advantages vs the community FREE version. It can be easier for your typical user to go to a website ;)

                Biggest drawback to AS is it's not free ;)


                  c0mputerking

                  I do not like the way I have to adjust the settings in the client export wizard (package); every time I use it, it resets to the defaults. I don't have that many clients so it's not really a biggie, but I've got Open Access set up and working right now, and yes it sucks that it is not free for more than 2 users :)

                  Might switch back to pfSense later, as OpenVPN works well there too.

                    johnpoz LAYER 8 Global Moderator

                    Resets to defaults? You mean the OpenVPN instance and what to use to resolve the IP to connect to? Are you adding advanced options? What are you doing in the export that would not be default anyway?

                    If you do not have very many clients, this would be something you would do like once per client.


                      divsys

                      I'd guess he's talking about the "Host Name Resolution" setting in the Export Wizard as an example.
                      It defaults to "Interface IP Address" every time you use it, which can be a minor nuisance if your WAN is set up with DDNS for your clients.

                      It's not a deal breaker by any means, but it can be an annoyance, especially as the "IP address" setting will work great for an exported client - until the IP address of the WAN changes…

                      Would be nice if the defaults could be locked to something other than the raw IP address.

                      -jfp

                        johnpoz LAYER 8 Global Moderator

                        If it were locked to, say, a DDNS address, what if I don't have a DDNS address? Then that is a PITA for me ;)


                          divsys

                          I guess that's why people have been asking for the ability for that screen to "remember" what you last used.

                          -jfp

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.