DNS: resolving pfSense address
Hi all,
I run pfSense 2.2.3 on a box with 3 ports: wan, lan with 8 vlans, and a third port not used.
The LAN manages 8 vlans on a “router on a stick” configuration.
See attachments number 1 + 2. Each vlan has a distinct subnet with this pattern:
- vlan 10 for subnet 192.168.10.0/24
- vlan 20 for subnet 192.168.20.0/24
- and so on.
It works fine but there is a thing that I cannot understand.
The switches and the fw on the net have their interfaces on “Management vlan” for administration purposes (see picture 3 + 4), and I want to deny access to them from Wifi_Famiglia net.
To do this I defined a rule on Wifi_Famiglia – see the second rule on picture number 5. This rule works fine, that is, with a client on Wifi_Famiglia net I can't reach the Management net except…
…except pfSense itself!
pfSense has one vlan on the Management net (192.168.99.1) and it remains reachable from Wifi_Famiglia (despite the previous deny rule) through another vlan (for example from 192.168.10.1).
That is, if I open http://pfsense.casaren (“casaren” is my local domain) I can reach pfSense even from Wifi_Famiglia net. Why?
Trying to understand the problem, I checked how the pfsense.casaren address was resolved: see picture 6.
So the question is: why is the pfSense address this one? I mean: on the 192.168.10.0/24 net (Lan_Default vlan)?
Where could I have defined this address in pfSense? I use simple definitions for the DNS section:
- DNS on General setup – picture 7
- DNS forwarder not enabled – picture 8
- DNS resolver – picture 9
So I'm a bit confused, and I do not understand where pfSense takes that 192.168.10.1 address for itself from. That is: why not the 192.168.99.1 on the management vlan? Or the 192.168.220.1 that is the gateway for the Wifi_Famiglia net?
Thanks in advance for any help.
Andrea
![1 - Interfaces.png](/public/imported_attachments/1/1 - Interfaces.png)
![2 - Assigned interfaces.png](/public/imported_attachments/1/2 - Assigned interfaces.png)
![3 - Interface Wifi_Famiglia.png](/public/imported_attachments/1/3 - Interface Wifi_Famiglia.png)
![4 - Interface Management.png](/public/imported_attachments/1/4 - Interface Management.png)
![5 - Rule on Wifi_Famiglia.png](/public/imported_attachments/1/5 - Rule on Wifi_Famiglia.png)
![6 - Dig.png](/public/imported_attachments/1/6 - Dig.png)
![7 - dns general setup.png](/public/imported_attachments/1/7 - dns general setup.png)
![8 - host overrides.png](/public/imported_attachments/1/8 - host overrides.png)
![9.1 - Dns resolver.png](/public/imported_attachments/1/9.1 - Dns resolver.png)
![9.2 - Dns resolver.png](/public/imported_attachments/1/9.2 - Dns resolver.png)
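Added example (not from the thread and not pfSense code): it parses a dig answer of the kind shown in picture 6, names the VLAN that address sits in, and evaluates the Wifi_Famiglia rules first-match to show why a deny on the Management subnet does not cover the firewall's address on Lan_Default. The VLAN names, subnets, rule set and dig text are assumptions reconstructed from the post.

```python
import ipaddress
# Constructed VLAN table following the post's pattern (vlan N -> 192.168.N.0/24).
VLANS = {
    "Lan_Default": "192.168.10.0/24",
    "Management": "192.168.99.0/24",
    "Wifi_Famiglia": "192.168.220.0/24",
}
# The firewall holds the .1 address on every VLAN, so it is reachable at each of them.
FIREWALL_ADDRS = [str(ipaddress.ip_network(n)[1]) for n in VLANS.values()]

# Constructed dig output standing in for picture 6.
DIG_OUTPUT = """;; ANSWER SECTION:
pfsense.casaren.\t3600\tIN\tA\t192.168.10.1
"""

def dig_a_records(output, qname):
    """Extract the A-record addresses that dig printed for qname."""
    addrs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].rstrip(".") == qname and fields[3] == "A":
            addrs.append(fields[4])
    return addrs

def vlan_of(addr):
    """Name the VLAN whose subnet contains addr (None if it is not a local subnet)."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, s in VLANS.items() if ip in ipaddress.ip_network(s)), None)

def first_match(rules, dst, dport):
    """pfSense-style evaluation: the first rule matching destination (and port, if set) wins."""
    ip = ipaddress.ip_address(dst)
    for action, dst_net, port in rules:
        if ip in ipaddress.ip_network(dst_net) and port in (None, dport):
            return action
    return "block"  # nothing matched: the implicit default deny

# Rules as the post describes them: deny the Management subnet, then allow the rest.
RULES_AS_POSTED = [("block", VLANS["Management"], None), ("pass", "0.0.0.0/0", None)]

# Hardened set: keep DNS to the VLAN's own gateway, deny every firewall address
# (what pfSense's "This Firewall (self)" destination expresses), then allow the rest.
RULES_HARDENED = ([("pass", "192.168.220.1/32", 53)]
                  + [("block", a + "/32", None) for a in FIREWALL_ADDRS]
                  + [("pass", "0.0.0.0/0", None)])
if __name__ == "__main__":
    for a in dig_a_records(DIG_OUTPUT, "pfsense.casaren"):
        print(a, "is on", vlan_of(a), "| as posted:", first_match(RULES_AS_POSTED, a, 80),
              "| hardened:", first_match(RULES_HARDENED, a, 80))
```

Whatever name the client resolves, the firewall answers on every interface address it owns, so the deny has to name those addresses rather than the Management subnet alone.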
Perhaps take a look at the default lockout rule under the firewall rules?