Netgate Discussion Forum
    Pfsense 2.3.3 now allowing private DNS address

    20 Posts 4 Posters 6.6k Views

eddi1984:

      @doktornotor:

Dude. All that message is telling you is that you are trying to set up another route to something that already exists. That's all the gateway there does. The reason you are getting that message is that the route already exists. You do not set up the same route twice. Why the heck are you configuring a DNS server intended for VPN clients to be used by the firewall anyway?

So, my remote office can resolve addresses of main office servers and services instead of using IP addresses??? That would be a scenario …

doktornotor (Banned):

        What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)

eddi1984:

          @doktornotor:

          What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)

Don't feel like writing a book of my setup, but the remote office uses the main office DNS to resolve addresses and uses the main office as the gateway to the internet. See it as a big building: the main floor is the main office, the second floor is remote office 1, etc. In one building, you only have one access point to the internet, one DNS and DHCP, etc. That's what I do: site-to-site VPN, and the main office handles DNS and DHCP and has the main servers located there.

Setting it up everywhere is not possible, that's why I need it on pfSense, because if requests go to the offsite pfSense box, they are forwarded to the main office if the offsite box cannot resolve them (forwarded).

          Makes sense?

eddi1984:

            @eddi1984:

            @doktornotor:

            What does a remote office have to do with this? Those fields are for DNS resolution on the firewall ITSELF. (And recycled elsewhere if you are too lazy to configure DNS explicitly in DHCP server and whatnot.)

Don't feel like writing a book of my setup, but the remote office uses the main office DNS to resolve addresses and uses the main office as the gateway to the internet. See it as a big building: the main floor is the main office, the second floor is remote office 1, etc. In one building, you only have one access point to the internet, one DNS and DHCP, etc. That's what I do: site-to-site VPN, and the main office handles DNS and DHCP and has the main servers located there.

Setting it up everywhere is not possible, that's why I need it on pfSense, because if requests go to the offsite pfSense box, they are forwarded to the main office if the offsite box cannot resolve them (forwarded).

            Makes sense?

That's why I need it to work …

doktornotor (Banned):

              Sir, you only assign such DNS servers to clients that they are able to reach. No idea what kind of bug you relied upon until now, but you need to sanitize your setup. pfSense itself clearly already can reach 10.0.0.1 just fine since it's a local interface subnet. So, it won't let you configure any gateway/route there because it already exists.

eddi1984:

                @doktornotor:

                Sir, you only assign such DNS servers to clients that they are able to reach. No idea what kind of bug you relied upon until now, but you need to sanitize your setup. pfSense itself clearly already can reach 10.0.0.1 just fine since it's a local interface subnet. So, it won't let you configure any gateway/route there because it already exists.

172.16.0.123 (client) --- 172.16.0.1 (pfSense, VPN client, offsite) ----- 10.0.0.0/16 tunnel ---- 10.0.0.1/16 (VPN server) & 172.20.0.1/24 (pfSense, main office) ----- 172.20.0.100 (server with DB)

The DNS settings on the offsite client point to the local pfSense box, 172.16.0.1, and that pfSense box will query 10.0.0.1 ...

In this case, the DHCP and DNS servers will be 10.0.0.1 for the client connecting (not 172.20.0.1, since pfSense does the routing from 10.0.0.0 to 172.20.0.0).
That's why I need to set up 10.0.0.1 in the offsite DNS settings. The route is not there; it needs to translate from 172.16.0.0 to 10.0.0.0 ... so adding it to the DNS settings and assigning the VPN gateway to 10.0.0.1 makes sense, at least to me ...

doktornotor (Banned):

                  So, your pfSense (main office) WAN is 172.20.0.0/24 and your pfSense LAN is 172.20.0.0/24 as well, and you have a pfSense dangling somewhere between some god knows what VPN server and a DB server? WTF. And what should be translating what there?

                  :o :o :o

eddi1984:

                    @doktornotor:

                    So, your pfSense (main office) WAN is 172.20.0.0/24 and your pfSense LAN is 172.20.0.0/24 as well, and you have a pfSense dangling somewhere between some god knows what VPN server and a DB server? WTF. And what should be translating what there?

                    :o :o :o

                    Dude, forget it …

doktornotor (Banned):

                      Yeah, sounds like this one is best forgotten, flushed down the drain and reconfigured from scratch. Looks like you wanted to set up a site-to-site VPN and ended up with a complete clusterfuck instead. BTW, this is the relevant code you are complaining about:

                      https://github.com/pfsense/pfsense/blob/RELENG_2_3_3/src/usr/local/www/system.php#L269

                      	$direct_networks_list = explode(" ", filter_get_direct_networks_list());
                      	while (isset($_POST[$dnsname])) {
                      		$dnsgwname = "dnsgw{$dnscounter}";
                      		if ($_POST[$dnsgwname] && ($_POST[$dnsgwname] <> "none")) {
                      			foreach ($direct_networks_list as $direct_network) {
                      				if (ip_in_subnet($_POST[$dnsname], $direct_network)) {
                      					$input_errors[] = sprintf(gettext("A gateway can not be assigned to DNS '%s' server which is on a directly connected network."), $_POST[$dnsname]);
                      				}
                      			}
                      		}
                      		$dnscounter++;
                      		$dnsname = "dns{$dnscounter}";
                      	}

                      where filter_get_direct_networks_list() translates to this:

                      https://github.com/pfsense/pfsense/blob/RELENG_2_3_3/src/etc/inc/filter.inc#L1032

                      function filter_get_direct_networks_list($returnsubnetsonly = true) {
                      	global $config, $FilterIflist, $GatewaysList;
                      	/* build list of directly connected interfaces and networks */
                      	$networks = "";
                      	$networks_arr = array();
                      	if (empty($FilterIflist)) {
                      		filter_generate_optcfg_array();
                      	}
                      	foreach ($FilterIflist as $ifent => $ifcfg) {
                      		$subnet = "{$ifcfg['sa']}/{$ifcfg['sn']}";
                      		if (is_subnet($subnet)) {
                      			if ($returnsubnetsonly) {
                      				$networks_arr[] = $subnet;
                      			} else {
                      				$networks_arr[] = array(
                      					'subnet' => $subnet,
                      					'if' => $ifent,
                      					'ip' => $ifcfg['ip']);
                      			}
                      		}
                      	}
                      	$viplist = get_configured_vip_list();
                      	foreach ($viplist as $vid => $address) {
                      		$vip = get_configured_vip($vid);
                      		$subnet = "{$vip['subnet']}/{$vip['subnet_bits']}";
                      		if (is_subnet($subnet) && !(is_subnetv4($subnet) && $vip['subnet_bits'] == 32) && !(is_subnetv6($subnet) && $vip['subnet_bits'] == 128)) {
                      			if (is_subnetv4($subnet)) {
                      				$subnet = gen_subnet($vip['subnet'], $vip['subnet_bits']) . "/{$vip['subnet_bits']}";
                      			} else if (is_subnetv6($subnet)) {
                      				$subnet = gen_subnetv6($vip['subnet'], $vip['subnet_bits']) . "/{$vip['subnet_bits']}";
                      			}
                      			if ($returnsubnetsonly) {
                      				$networks_arr[] = $subnet;
                      			} else {
                      				$networks_arr[] = array(
                      					'subnet' => $subnet,
                      					'if' => $vip['interface'],
                      					'ip' => $vip['subnet']);
                      			}
                      		}
                      	}
                      	// Add any enabled static routes
                      	foreach (get_staticroutes(false, false, true) as $netent) {
                      		if (is_subnet($netent['network'])) {
                      			if ($returnsubnetsonly) {
                      				$networks_arr[] = $netent['network'];
                      			} else if (isset($GatewaysList[$netent['gateway']])) {
                      				$networks_arr[] = array(
                      					'subnet' => $netent['network'],
                      					'if' => $GatewaysList[$netent['gateway']]['friendlyiface'],
                      					'gateway' => $GatewaysList[$netent['gateway']]['gateway']);
                      			}
                      		}
                      	}
                      	if ($returnsubnetsonly) {
                      		if (!empty($networks_arr)) {
                      			$networks = implode(" ", $networks_arr);
                      		}
                      		return $networks;
                      	} else {
                      		return $networks_arr;
                      	}
                      }

So, those are the local interface subnets (incl. virtual IPs) and the static routes you configure. With that, you can go and figure out what in your wacky setup is the case.

johnpoz (LAYER 8 Global Moderator):
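The validation quoted above is easy to reproduce outside pfSense. The following Python is an added illustration, not pfSense code: it rebuilds the "subnets only" branch of filter_get_direct_networks_list() (interface subnets, non-host virtual IPs, enabled static routes) and then applies the system.php check, which rejects a gateway on any DNS server whose address already falls inside one of those networks. The interface, VIP and route records are constructed to resemble the topology in this thread (a remote pfSense with a 172.16.0.0/24 LAN and a 10.0.0.0/16 VPN tunnel interface); the field names sa/sn/subnet_bits follow the PHP, everything else is an assumption for the example.

```python
import ipaddress

def direct_networks_list(interfaces, vips, static_routes):
    """Rebuild the subnets-only result of filter_get_direct_networks_list().

    interfaces:    list of dicts with 'sa' (subnet address) and 'sn' (prefix length)
    vips:          list of dicts with 'subnet' and 'subnet_bits'
    static_routes: list of dicts with 'network' in CIDR form
    """
    nets = []
    for ifcfg in interfaces:
        nets.append(ipaddress.ip_network(f"{ifcfg['sa']}/{ifcfg['sn']}", strict=False))
    for vip in vips:
        bits = vip["subnet_bits"]
        net = ipaddress.ip_network(f"{vip['subnet']}/{bits}", strict=False)
        # The PHP skips host-only VIPs (/32 for IPv4, /128 for IPv6): no network behind them.
        if (net.version == 4 and bits == 32) or (net.version == 6 and bits == 128):
            continue
        nets.append(net)
    for route in static_routes:
        nets.append(ipaddress.ip_network(route["network"], strict=False))
    return nets

def validate_dns_gateways(dns_entries, direct_networks):
    """Apply the system.php rule to (dns_ip, gateway_name) pairs.

    'none' or an empty gateway means 'use the routing table', which is always allowed.
    Like the PHP, one error is appended per directly connected network that matches.
    """
    errors = []
    for dns_ip, gateway in dns_entries:
        if not gateway or gateway == "none":
            continue
        addr = ipaddress.ip_address(dns_ip)
        for net in direct_networks:
            if addr.version == net.version and addr in net:
                errors.append(
                    f"A gateway can not be assigned to DNS '{dns_ip}' server "
                    "which is on a directly connected network."
                )
    return errors

# Constructed sample: the remote pfSense from the thread. The VPN tunnel
# 10.0.0.0/16 is an assigned interface, so it is "directly connected".
SAMPLE_INTERFACES = [
    {"sa": "172.16.0.0", "sn": 24},   # LAN
    {"sa": "10.0.0.0", "sn": 16},     # assigned OpenVPN client interface (assumed)
]
SAMPLE_VIPS = [
    {"subnet": "172.16.0.250", "subnet_bits": 32},   # host-only VIP, ignored by the rule
]
SAMPLE_ROUTES = [
    {"network": "172.20.0.0/24"},     # static route to the main office LAN (assumed)
]

def check_thread_setup():
    """Return the errors pfSense would show for the entries discussed in the thread."""
    nets = direct_networks_list(SAMPLE_INTERFACES, SAMPLE_VIPS, SAMPLE_ROUTES)
    entries = [
        ("10.0.0.1", "VPN_GW"),      # what the original poster tried: rejected
        ("192.0.2.53", "WAN_GW"),    # an upstream resolver behind a real gateway: allowed
        ("10.0.0.1", "none"),        # same server without a gateway: allowed
    ]
    return validate_dns_gateways(entries, nets)

if __name__ == "__main__":
    for err in check_thread_setup():
        print(err)
```

The third entry shows the practical answer to the thread: a DNS server on a directly connected network can be entered without a gateway, because the firewall already has a route to it and the extra gateway would only duplicate that route.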

                        "10.0.0.0/16 tunnel"

                        WTF why would you need such a large tunnel for a site to site connection??  Why would you ever need such a tunnel??  For site to site /30 would be all you would need.

                        "172.16.0.1, and that pfsense box will query 10.0.0.1 "

                        Why would it do that???

                        "needs to translate from 172.16.0.0 to 10.0.0."

                        Why???

                        This would be your typical setup.. See attached.

So you want the main site DNS and DHCP to provide DNS for the remote site? Then you would set up DHCP relay on the remote site to point to your DHCP server. As for DNS.. You would either point your clients directly to the DNS server on 172.20.0/24, or you could have your clients ask the remote site pfSense for DNS. And then use a domain override to ask the main site DNS for whatever domains it's authoritative for, or you could just have pfSense do a forward of all DNS to it.. Comes down to what exactly do clients want/need to resolve from there?

                        Or you could just have the remote site pfsense hand out dhcp and not have to worry about the relay.

I am at a loss to understand why you think you need to translate from RFC 1918 to RFC 1918, and why pfSense on your remote site would need to forward to, or use for DNS, the IP address in your tunnel?

[attachment: typicalsetup-site2site.png]

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

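The two options in that post (a domain override for the zones the main site is authoritative for, versus forwarding everything) differ only in how the remote resolver picks an upstream per query. The Python below is an added example, not pfSense or Unbound code, that models that choice with the longest-suffix match Unbound uses for per-zone forwarders, and pairs it with the reachability check from earlier in the thread: an upstream is only useful if the remote site has a route to it. Zone names, addresses and the remote site's route list are constructed for the example.

```python
import ipaddress

def pick_upstream(qname, overrides, default_forwarders):
    """Choose upstream servers for qname.

    overrides: {zone: [servers]} as configured under DNS Resolver > Domain Overrides.
    The most specific (longest) matching zone wins; otherwise the general
    forwarders are used. With an empty overrides dict this degenerates into
    'forward everything', the second option in the post.
    """
    name = qname.rstrip(".").lower()
    best_zone, best_servers = None, None
    for zone, servers in overrides.items():
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best_zone is None or len(z) > len(best_zone):
                best_zone, best_servers = z, servers
    return best_servers if best_servers is not None else default_forwarders

def reachable(server, routes):
    """True if the remote site has a route (connected or static) covering server.

    A default route ('0.0.0.0/0') covers everything, which is why an Internet
    resolver passes while a tunnel-only address fails when the tunnel is absent.
    """
    addr = ipaddress.ip_address(server)
    return any(addr.version == net.version and addr in net
               for net in (ipaddress.ip_network(r) for r in routes))

def resolve_plan(qname, overrides, default_forwarders, routes):
    """Return (servers, unreachable) so an operator can see what will break."""
    servers = pick_upstream(qname, overrides, default_forwarders)
    unreachable = [s for s in servers if not reachable(s, routes)]
    return servers, unreachable

# Constructed configuration for the remote site in the "typical setup":
# LAN 172.16.0.0/24, a /30 tunnel, and a static route to the main office LAN.
REMOTE_ROUTES = ["172.16.0.0/24", "10.0.0.0/30", "172.20.0.0/24", "0.0.0.0/0"]
OVERRIDES = {
    "corp.example": ["172.20.0.100"],        # main office DNS, assumed address
    "lab.corp.example": ["172.20.0.101"],    # a more specific zone, assumed
}
DEFAULT_FORWARDERS = ["192.0.2.53"]          # public resolver placeholder (documentation range)

if __name__ == "__main__":
    for q in ("db.corp.example", "host.lab.corp.example", "www.example.org"):
        servers, bad = resolve_plan(q, OVERRIDES, DEFAULT_FORWARDERS, REMOTE_ROUTES)
        print(q, "->", servers, "unreachable:" if bad else "", bad or "")
```

Running the plan against a route list that omits the main office subnet reports the override target as unreachable, which is the condition the thread's "only assign DNS servers that clients are able to reach" advice is about: the override is correct only once the site-to-site route exists.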
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.