Netgate Discussion Forum

    Split DNS?

    Category: DHCP and DNS
    13 Posts, 6 Posters, 2.9k Views
    • parisi

      We don't allow wifi inside the LAN. We have a TP-Link WAP connected to the Comcast router. The only way anyone from the outside can get in is via VPN. This ends up being very secure.

      So to get back to the question… any thoughts?

      • JKnott

        Why would your wifi be on your wan?

        Security.  Some places are really concerned with it.  Back when I first started using WiFi, it was 802.11b & WEP which, even then, was known to be insecure.  So, I put the Wifi outside my firewall, though not on the WAN side and used a VPN to access my LAN.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • jimp (Rebel Alliance Developer, Netgate)

          @parisi:

          We don't allow wifi inside the LAN. We have a TP-Link WAP connected to the Comcast router. The only way anyone from the outside can get in is via VPN. This ends up being very secure.

          So to get back to the question… any thoughts?

          You mentioned none of that in your original post and the two things are completely different scenarios. So until you give us all of the information, I have no thoughts.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • johnpoz (LAYER 8 Global Moderator)

            Yeah you made no mention of vpn in.. Well if they are vpn'd into your network then they can resolve and access the rfc1918 address of your mail server.  Problem solved.

            I would guess your current issue is that your isp router is not doing nat reflection or it would work, since your wifi clients are getting the public IP of your mail server.  But yeah that is going to be a horrific setup.

            So again - put your wifi behind your pfsense.  It can still be on an isolated vlan, firewalled segment if you will - dmz, etc.  My guest wifi is completely isolated from my other networks.  This allows you to create pinholes into what you might want them to be able to access, like your mail server, etc.  You could still require them to vpn to access stuff on your lan if your tinfoil hat is that tight.

            While I would not suggest you just have your wifi open to your network with a simple psk, the use of wpa enterprise with say eap-tls is pretty freaking secure ;)  So you could remove the vpn when users are local to your network on your own wifi, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

            • KOM

              Security.  Some places are really concerned with it.

              ::)  Yeah, nobody here cares about security.

              • kpa

                Here's a wild idea, put the wireless on an OPT interface and lock it down with filter rules (yes, pfSense does have proper filtering despite the reports to the contrary) as you like.

                • johnpoz (LAYER 8 Global Moderator)

                  ^ exactly!

                  • parisi

                    I like the idea of using an opt interface.

                    My original question was really only about – is there a way for there to be a different set of DNS host overrides for the internal (LAN) and the WAN interfaces?

                    • johnpoz (LAYER 8 Global Moderator)

                      "different set of DNS host overrides for the internal (LAN) and the WAN interfaces?"

                      No AFAIK..  In pretty much zero scenarios, especially from a security point of view unless pfsense was just being used as a downstream router would you allow dns queries to your wan anyway..

                        • jimp (Rebel Alliance Developer, Netgate)

                        Nothing on WAN should ever touch the Forwarder or Resolver. WAN is not designed to be a local client interface in that way, and won't work as one.

                        Use an isolated OPT interface to segment it.

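As an added illustration (written for this page, not by any of the posters and not rules pfSense generates itself): the isolated wifi segment that kpa, johnpoz and jimp describe, expressed as hand-written rules in the syntax of pf, the packet filter underneath pfSense. The interface name, subnets, mail server address and firewall address are assumed placeholders; on pfSense you would build the equivalent rules on the OPT interface's tab in the GUI rather than edit pf.conf directly. The block shows the weak "allow everything" rule commented out next to the default-deny-plus-pinholes version.

```pf
# Added example, not pfSense-generated configuration. All names/addresses are assumed.
wifi_if  = "igb2"              # OPT1: the isolated wifi segment
wifi_net = "192.168.50.0/24"   # wifi clients
lan_net  = "192.168.1.0/24"    # internal LAN
mail_srv = "192.168.1.25"      # RFC 1918 address of the mail server (johnpoz's point)
fw_wifi  = "192.168.50.1"      # the firewall's own address on the wifi segment

# Weak version: wifi clients can reach anything, including the whole LAN.
#   pass in on $wifi_if from $wifi_net to any

# Isolated version: default deny on the segment, then explicit pinholes.
block in log on $wifi_if all

# Wifi clients may use the firewall's resolver (the Resolver never listens on WAN)
# and obtain DHCP leases; nothing else on the firewall is exposed to them.
pass in quick on $wifi_if proto { tcp, udp } from $wifi_net to $fw_wifi port 53
pass in quick on $wifi_if proto udp from any port 68 to { $fw_wifi, 255.255.255.255 } port 67

# Pinhole: mail submission and IMAPS to the mail server's private address only.
pass in quick on $wifi_if proto tcp from $wifi_net to $mail_srv port { 587, 993 }

# Everything else on the LAN stays unreachable from the wifi segment.
block in quick log on $wifi_if from $wifi_net to $lan_net

# What remains is internet-bound traffic, which is allowed out.
pass in quick on $wifi_if from $wifi_net to any
```

Rule order matters because of `quick`: the DNS, DHCP and mail pinholes must precede the LAN block, and the LAN block must precede the catch-all pass to the internet. Adding a rule per service you want wifi clients to reach (rather than widening the pass to `$lan_net`) keeps the segment in the "pinholes into what you want them to access" shape johnpoz describes.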
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.