Netgate Discussion Forum

    Split DNS?

    Category: DHCP and DNS
    parisi

      I have a Comcast connection including a wifi access point connected to the wan port on the pfSense. Internally we have an email server. Normally users access the email server out in the world via the host name mail.company.com which has a public IP address.

      In the office, behind the pfSense, they access the email server via the private address of the email server via a host override in the DNS.

      We recently started allowing users to connect to the Comcast wifi. They get a 10.1.10.x address on the WAN subnet via DHCP from the Comcast router. Mail users are trying to get to mail.company.com and that fails.

      I would like to create a host override on the pfSense DNS server specific to the WAN segment so that when WAN users try to get to mail.company.com they will get the WAN IP.

      I need to know how I can split the DNS such that the WAN segment will have a unique host override.

      Any thoughts?

      Thanks in advance!
      Paul.

      johnpoz LAYER 8 Global Moderator

        Why would your wifi be on your wan?  Put your wifi behind your pfsense.

        What are your wifi users using for dns?  I would assume comcast dns, or the wifi router that forwards to comcast dns, etc.

        What are you using for a wifi AP?  Why do you have it in front of pfsense vs behind?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

        jimp Rebel Alliance Developer Netgate

          @johnpoz:

          Why would your wifi be on your wan?  Put your wifi behind your pfsense.

          What are you wifi users using for dns?  I would assume comcast dns, or the wifi router that forwards to comcast dns, etc.

          What are you using for a wifi AP?  Why do you have it in front of pfsense vs behind?

          Sounds like their cable modem includes an integrated access point that they are attempting to use. That's not going to ever be a secure setup the way it's laid out.

          Ignore the modem's AP, get your own, put it on the LAN side.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          parisi

            We don't allow wifi inside the LAN. We have a TP-Link WAP connected to the Comcast router. The only way anyone from the outside can get in is via VPN. This ends up being very secure.

            So to get back to the question… any thoughts?

            JKnott

              Why would your wifi be on your wan?

              Security.  Some places are really concerned with it.  Back when I first started using WiFi, it was 802.11b & WEP which, even then, was known to be insecure.  So, I put the Wifi outside my firewall, though not on the WAN side and used a VPN to access my LAN.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              jimp Rebel Alliance Developer Netgate

                @parisi:

                We don't allow wifi inside the LAN. We have a TP-Link WAP connected to the Comcast router. The only way anyone from the outside can get in is via VPN. This ends up being very secure.

                So to get back to the question… any thoughts?

                You mentioned none of that in your original post and the two things are completely different scenarios. So until you give us all of the information, I have no thoughts.


                johnpoz LAYER 8 Global Moderator

                  Yeah you made no mention of vpn in.. Well if they are vpn'd into your network then they can resolve and access the rfc1918 address of your mail server.  Problem solved.

                  I would guess your current issue is that your isp router is not doing nat reflection or it would work, since your wifi clients are getting the public IP of your mail server.  But yeah that is going to be a horrific setup.

                  So again - put your wifi behind your pfsense.  It can still be on an isolated vlan, firewalled segment if you will - dmz, etc.  My guest wifi is completely isolated from my other networks.  This allows you to create pinholes into what you might want them to be able to access, like your mail server, etc.  You could still require them to vpn to access stuff on your lan if your tinfoil hat is that tight.

                  While I would not suggest you just have your wifi open to your network with a simple psk, the use of wpa enterprise with say eap-tls is pretty freaking secure ;)  So you could remove the vpn when users are local to your network on your own wifi, etc.


                  KOM

                    Security.  Some places are really concerned with it.

                    ::)  Yeah, nobody here cares about security.

                    kpa

                      Here's a wild idea, put the wireless on an OPT interface and lock it down with filter rules (yes, pfSense does have proper filtering despite the reports to the contrary) as you like.

                      johnpoz LAYER 8 Global Moderator

                        ^ exactly!


                        parisi

                          I like the idea of using an opt interface.

                          My original question was really only about – is there a way for there to be a different set of DNS host overrides for the internal (LAN) and the WAN interfaces?

                          johnpoz LAYER 8 Global Moderator

                            "different set of DNS host overrides for the internal (LAN) and the WAN interfaces?"

                            No AFAIK.  In pretty much zero scenarios (especially from a security point of view, unless pfsense was just being used as a downstream router) would you allow dns queries to your wan anyway.


                            jimp Rebel Alliance Developer Netgate

                              Nothing on WAN should ever touch the Forwarder or Resolver. WAN is not designed to be a local client interface in that way, and won't work as one.

                              Use an isolated OPT interface to segment it.


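As an added illustration of the setup kpa and jimp describe (not from the thread, and not config that pfSense itself generates), here is the rule logic for an isolated wifi OPT interface written in pf syntax, so the Resolver's host override for mail.company.com answers wifi clients and the "no NAT reflection" problem never arises. The interface name igb2, the wifi subnet 10.1.20.0/24, the mail server's private address 192.168.1.20 and the mail ports are all constructed assumptions; in the pfSense GUI the equivalent rules go under Firewall > Rules > OPT1 and the override under Services > DNS Resolver > Host Overrides, with the Resolver bound to LAN and OPT1 only, never WAN.

```pf
# Added example: pf rules for an isolated wifi OPT1 segment with a pinhole
# to the internal mail server. Not pfSense-generated config; interface,
# subnets and the mail address below are constructed assumptions.
opt1_if  = "igb2"            # assumed OPT1 NIC carrying the wifi AP
opt1_net = "10.1.20.0/24"    # assumed wifi subnet (not the ISP's 10.1.10.x)
mail_srv = "192.168.1.20"    # assumed private address of the mail server
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. DNS only to pfSense's own OPT1 address. The Resolver listening there
#    serves the host override mail.company.com -> 192.168.1.20, so wifi
#    clients never receive the public IP and no NAT reflection is needed.
pass in quick on $opt1_if proto { tcp, udp } from $opt1_net \
    to ($opt1_if) port 53

# 2. Pinhole: only the mail ports, only to the mail server.
pass in quick on $opt1_if proto tcp from $opt1_net \
    to $mail_srv port { 443, 587, 993 }

# 3. Refuse DNS to anything else, so clients cannot bypass the override
#    by pointing at an outside resolver that returns the public IP.
block in quick on $opt1_if proto { tcp, udp } from $opt1_net to any port 53

# 4. Everything else private (LAN, pfSense's other addresses) is off-limits.
block in quick on $opt1_if from $opt1_net to <rfc1918>

# 5. What remains is plain Internet access for the wifi clients.
pass in quick on $opt1_if from $opt1_net to any
```

Rule order matters because of `quick`: the DNS and mail pinholes must precede the RFC 1918 block, and the block on port 53 must precede the final catch-all pass.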
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.