WPAD for two networks

4o4rh

I have wpad configured for each DHCP network interface (have two 192.168.1.0 and 192.168.2.0)

I can only create one host override in DNS Resolver
e.g.
wpad.my.lan 192.168.1.1

how do i create a domain entry for the 2nd lan ?
wpad.my.lan 192.168.2.1

lncsence

for 192.168.X.X networks

my networks
192.168.0.0/22
192.168.13.0/24

function FindProxyForURL(url,host)
{
// If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

	return "PROXY 192.168.1.1:3128";

}

192.168.1.1 my pfsense address

dhcp settings

All network working this option without domain

252 String "http://192.168.1.1/wpad.da"

192.168.0.0/22 network

192.168.13.0/24 network

4o4rh

@lncsence I mean in the DNS Resolver, Host Overrides.

currently i have as host override
Host: wpad
Domain: my.lan
Address: 192.168.1.1

but i want on the second network to return wpad.my.lan
Host: wpad
Domain: my.lan
Address: 192.168.0.1

proxy.pac, wpad.dat, wpad.da are done

function FindProxyForURL(url, host) 
{
     if (isPlainHostName(host) ||
         shExpMatch(host, "*.my.lan") ||
         isInNet(dnsResolve(host), "192.168.0.0", "255.255.255.0") ||
         isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0" ||
         isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))        
         return "DIRECT";
     else if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0")) 
         return "PROXY 192.168.1.1:3128";
     else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0")) 
         return "PROXY 192.168.0.1:3128";
     else
         return "DIRECT";
}

johnpoz

@gwaitsi said in WPAD for two networks:

but i want on the second network to return wpad.my.lan

You could do that with a view in unbound.. Can not do it in the gui.. Would have to be done in the custom option box... While ago I had gone over this when views first became available in unbound on pfsense.. Let me see if I can dig up that old thread.

edit: here you go, any questions just ask
https://forum.netgate.com/post/684870

4o4rh

This post is deleted!

4o4rh

@johnpoz Hi John

I searched some articles, but afraid i don't catch what is going on. But i see it worked for the other chap.

server:
access-control-view: 192.168.9.100/32 testview
view:
name: "testview"
local-zone: "local.lan" static
local-data: "test.local.lan. 90 IN A 10.10.10.10"

i want hosts
wpad.local.lan 192.168.1.1
wpad.local.lan 192.168.2.1

My current options are:

server:
local-data: "local.lan. 10800 IN SOA ipfw.local.lan. root.local.lan. 1 3600 1200 604800 10800"
private-domain: "plex.direct"
include: /var/unbound/pfb_dnsbl.*conf

current host override is
wpad local.lan 192.168.1.1

if i understand correctly, the new option would look like

server:
access-control-view: 192.168.2.1 wpad
view:
name: "wpad"
local-zone: "local.lan" static ** isn't this set via the dropdown **
local-data: "wpad.local.lan" 90 IN A 192.168.1.1
local-data: "local.lan. 10800 IN SOA ipfw.local.lan. root.local.lan. 1 3600 1200 604800 10800"
private-domain: "plex.direct"
include: /var/unbound/pfb_dnsbl.*conf

cheers

johnpoz

No that is not what your access-control-view would be, that statement is a network and it wouldn't be the IP you want to hand out, that who gets that view, if you want all your clients on 192.168.2/24 to get that view then you would do

access-control-view: 192.168.2.0/24 wpad

Are you using local.lan as your network.. You stated from above that your doing my.lan. And then I see something with .local - please tell me your not suing that as your tld.. That is a horrible choice for a tld.. Even worse your using it single label like host.local

And the record in the view would be the IP you want to hand out for that record. With whatever ttl you want to set for that record, in this example 90 seconds.. You can make that whatever you want.. You prob want something a bit higher than 90 ;)

Here.. this is example lets say I am using my.lan for my network... I have a host override for wpad.my.lan in normal host overrides..

Query done from my 192.168.9.100 host

$ dig @192.168.9.253 wpad.my.lan

; <<>> DiG 9.14.4 <<>> @192.168.9.253 wpad.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52476
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wpad.my.lan.                   IN      A

;; ANSWER SECTION:
wpad.my.lan.            3600    IN      A       192.168.1.1

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Fri Sep 13 05:51:36 Central Daylight Time 2019
;; MSG SIZE  rcvd: 56

Now I want say my 192.168.3/24 network resolve that to 192.168.3.1 instead..

server:
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

Notice I set the view-first option to yes, and do not call out static for my.lan because I am using that for other stuff in host overrides. That I might also want it to resolve vs only what is the view tree.

So now if query is done from the 192.168.3/24 network for wpad.my.lan it gets back the 3.1 answer vs the 1.1 answer

Query done from 192.168.3.32 host

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 wpad.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wpad.my.lan.                   IN      A

;; ANSWER SECTION:
wpad.my.lan.            90      IN      A       192.168.3.1

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Fri Sep 13 06:19:26 CDT 2019
;; MSG SIZE  rcvd: 56

And if it asks for something else that is in my.lan it gets back the the global answer.

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 test.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46498
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.my.lan.                   IN      A

;; ANSWER SECTION:
test.my.lan.            3600    IN      A       1.2.3.4

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Fri Sep 13 06:20:17 CDT 2019
;; MSG SIZE  rcvd: 56

I suggest you do your own research on how to do views in unbound, this is only a quick and dirty example of how to do your specific request of returning a different answer for queries made from a different source network.

btw if your going to want to put other options in there, your going to want them before your view stuff

example

server:
private-domain: "plex.direct"
local-zone: "use-application-dns.net" static
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

See how have the private domain and the other local-zone above where I start the view info, if not you could run into parse errors.

You would set the zone to static if you don't want anything else in that zone my.lan to be resolved, and only return records you have in the view to clients that use that view. But if your view is for just specific overrides of specific records, while there are other records in that same zone that you do not want to override and hand out the global entries for that zone, then you would need to set the view-first, which defaults to no.

edit: btw you will notice I am directly calling out which NS IP to use in the digs, that is because clients default to asking a pihole.. And I don't want it caching any of this info, and its also in my 192.168.3 network, so it would use the test view I just created, etc..

4o4rh

@johnpoz great stuff, thanks m8.

p.s. of course i redacted my own domain details hence the mismatch between my.lan / local.lan.

wpad and sqid working on both segments. can start refining the squid config.

johnpoz

Unless your name is like your own actual name ;) Or a public one - I see no reason to obfuscate it.. I use local.lan for example.. Tells you zero about me, where I am at, etc. etc. So no reason to hide it.. And it for sure is not a public one you could look up..

Yeah the unbound adding views can come in very handy, wish they would put support for them into the gui, like they have in the bind package.. But its prob very small user base that would or could or needs to use them.. Anyone that does can just do it in the options box fairly simply..

I have no need of them to be honest, but happy to help someone else that finds a use for them. Guess they could be useful for someone that wants pfsense own Ip to resolve to the IP from that segment vs just the lan IP.. I just use sub domains, ie my dmz is dmz.local.lan and wlan.local.lan which do resolve to that networks IP..

There have been questions on how to do that in the past - next time I see one asking that question maybe I will put together a little example..

Have fun... Any other questions just ask, here to help.

4o4rh

@johnpoz hi john, below is the final custom config that i used.
i had to add a local zone, because the only way i can get dns working is with unbound forwarding.

i limit the outgoing interface to VPNs and openvpn is unable to resolve the server names unless i use forwarding.
The default route is also to the VPNs, but i have a static route to the WAN for vpnbypass hosts.
They use the DNS assigned to the wan.

Ideally, i want openvpn to resolve the host names over the WAN, but the client network to use the DNS on pfsense which goes over the VPN.

Any thoughts?

server:
private-domain: "plex.direct"
private-domain: "my.lan"
local-zone: "my.lan." static
local-data: "my.lan. 10800 IN NS localhost."
local-data: "my.lan. 10800 IN SOA pfsense. root. 1 3600 1200 604800 10800"
local-data: "my.lan. 10800 IN A 192.168.2.1"
local-data: "my.lan. 10800 IN A 192.168.3.1"

local-zone: "use-application-dns.net" static
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

include: /var/unbound/pfb_dnsbl.*conf

johnpoz

So you run plex? And your also wanting to block firefox from using doh ;)

i want openvpn to resolve the host names over the WAN,

What host names? Some upstream NS of yours?

4o4rh

@johnpoz i have plex on my nas for internal access only. the directive is there to fix an error that plex gives if it is not there. found it on the plex forum and it worked for me.

basically have three LANs, 1) media i.e. tv, kodia, playstation, etc. 2) VOIP 3) internal devices.

the voip and i.e. this forum go direct over the wan, but everything else goes over the vpn.
trying to use quid for kid friendly filtering, but squid goes over the default gateway.
That's why i had to switch the default gateway to the vpn pool.

for the voip (to ensure continuous service), i put the dns defined for the wan on the dhcp dns so it bypasses unbound

now because i have defined the outgoing interfaces as the vpn for unbound,
my challenge is openvpn doesn't resolve the host names.

The only way i can get it to work, is to put unbound in forwarding mode.
I am probably doing someone wrong in principle right?
everything was good with the wan as default, and the vpn blocked via rules when down,
but it all changed when i introduced squid to the mix

johnpoz

If unbound is not resolving using the vpn, then its the vpn as an issue, or sure some NS might block them I guess.. I would validate your queries are going out the vpn.

There should be no reason your vpn to prevent you from doing normal vpn queries down the tunnel.. Unless they only want you to use their NS..

Most vpn services are nothing more than data mining services anyway ;)

4o4rh

@johnpoz you miss understand.

the vpn client - server = myvpn.com

when pfsense starts, the vpn is not established, so unbound can't resolve myvpn.com therefore the vpn never gets established. If i set unbound to forwarding, openvpn is able to resolve myvpn.com, establish the connection and then the queries go over the vpn.

johnpoz

You would setup pfsense vpn client to use IP to connect too..

4o4rh

@johnpoz housten, i have a problem.

if i use just thing in the custom config,

the pfsense box can resolve local, and internet, however,
the clients can only resolve local and not internet.
I was thrown off a little because web browsing worked via squid which could resolve on pfsense,
but direct nslookups from clients, etc stop working.
if i comment the below out, then of course everything is working except wpad on the 2nd network.

server:
local-zone: "use-application-dns.net" static
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

johnpoz

Those settings would have no effect on what a client can normally resolve outside your view..

I can not duplicate your issue here..

So here are my settings

server:
private-domain: "plex.direct"
local-zone: "use-application-dns.net" static
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

I have set a different host override for my 9.0/24 lan

; <<>> DiG 9.14.4 <<>> @192.168.9.253 wpad.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47783
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wpad.my.lan.                   IN      A

;; ANSWER SECTION:
wpad.my.lan.            3600    IN      A       192.168.9.42

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Sep 14 11:14:22 Central Daylight Time 2019
;; MSG SIZE  rcvd: 56

Then when I query from my 3 network

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 wpad.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43959
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wpad.my.lan.                   IN      A

;; ANSWER SECTION:
wpad.my.lan.            90      IN      A       192.168.3.1

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Sat Sep 14 11:15:34 CDT 2019
;; MSG SIZE  rcvd: 56

And it can query outside stuff just fine as well

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23600
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         3536    IN      A       172.217.4.36

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Sat Sep 14 11:17:13 CDT 2019
;; MSG SIZE  rcvd: 59

And it breaks out of the view just fine as well for other stuff in the same local zone

; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 test.my.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36212
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.my.lan.                   IN      A

;; ANSWER SECTION:
test.my.lan.            3600    IN      A       1.2.3.4

;; Query time: 0 msec
;; SERVER: 192.168.3.253#53(192.168.3.253)
;; WHEN: Sat Sep 14 11:23:19 CDT 2019
;; MSG SIZE  rcvd: 56

edit: BTW you understand that
local-zone: "use-application-dns.net" static

has nothing to do with this right, that is related to stopping firefox from using doh, when they make it default..

4o4rh

not sure why my results are different to you with the dig, i keep getting the primary address, but if i physically connect the the 2nd network, wpad resolves to the correct address.

the only issue is seem to have now is,
if i dig to a local host with FQDN i receive an the correct IN record.
if i dig to a local host without domain i receive the IN record as root-servers

shouldn't hostname by itself resolve from the DHCP list? is there a way to make that happen?

johnpoz

@gwaitsi said in WPAD for two networks:

but if i physically connect the the 2nd network, wpad resolves to the correct address.

You have to be on that network as source to get the view.. How else did you think it worked?

Those queries are from different source boxes..

My main network is 192.168.9, my other network is 192.168.3

Those queries were done from box at 192.168.9.100, and linux box at 192.168.3.32 as source

I wasn't just changing the IP I did the query too... If you didn't understand that - they you don't understand what a view it ;)

4o4rh

@johnpoz Hi Johnno, how can you add an extra view again (for vlan) please.

server:
local-zone: "use-application-dns.net" static
access-control-view: 192.168.3.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

if i try to change the zone name or view name it gives me a syntax error

server:
local-zone: "use-application-dns.net" static
access-control-view: 192.168.4.0/24 wpadview
view:
view-first: yes
name: "wpadview"
local-data: "wpad.my.lan. 90 IN A 192.168.4.1"