Netgate Discussion Forum
    WPAD for two networks

    4o4rh @johnpoz

      @johnpoz I have Plex on my NAS for internal access only. The directive is there to fix an error that Plex gives if it is not there. Found it on the Plex forum and it worked for me.

      Basically I have three LANs: 1) media, i.e. TV, Kodi, PlayStation, etc.; 2) VoIP; 3) internal devices.

      The VoIP and, i.e., this forum go direct over the WAN, but everything else goes over the VPN.
      Trying to use Squid for kid-friendly filtering, but Squid goes over the default gateway.
      That's why I had to switch the default gateway to the VPN pool.

      For the VoIP (to ensure continuous service), I put the DNS defined for the WAN on the DHCP DNS so it bypasses Unbound.

      Now, because I have defined the outgoing interfaces as the VPN for Unbound,
      my challenge is OpenVPN doesn't resolve the host names.

      The only way I can get it to work is to put Unbound in forwarding mode.
      I am probably doing something wrong in principle, right?
      Everything was good with the WAN as default and the VPN blocked via rules when down,
      but it all changed when I introduced Squid to the mix.

      johnpoz LAYER 8 Global Moderator

        If Unbound is not resolving using the VPN, then it's the VPN that is the issue, or sure, some NS might block them I guess. I would validate your queries are going out the VPN.

        There should be no reason for your VPN to prevent you from doing normal VPN queries down the tunnel. Unless they only want you to use their NS.

        Most VPN services are nothing more than data mining services anyway ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        4o4rh @johnpoz

          @johnpoz You misunderstand.

          The VPN client - server = myvpn.com

          When pfSense starts, the VPN is not established, so Unbound can't resolve myvpn.com; therefore the VPN never gets established. If I set Unbound to forwarding, OpenVPN is able to resolve myvpn.com, establish the connection, and then the queries go over the VPN.

          johnpoz LAYER 8 Global Moderator

            You would set up the pfSense VPN client to use an IP to connect to.

            4o4rh @johnpoz

              @johnpoz Houston, I have a problem.

              If I use just this in the custom config,

              the pfSense box can resolve local and internet; however,
              the clients can only resolve local and not internet.
              I was thrown off a little because web browsing worked via Squid, which could resolve on pfSense,
              but direct nslookups from clients, etc. stop working.
              If I comment the below out, then of course everything is working except WPAD on the 2nd network.

              server:
                local-zone: "use-application-dns.net" static
                access-control-view: 192.168.3.0/24 wpadview
              view:
                view-first: yes
                name: "wpadview"
                local-data: "wpad.my.lan. 90 IN A 192.168.3.1"
              
              johnpoz LAYER 8 Global Moderator

                Those settings would have no effect on what a client can normally resolve outside your view.

                I can not duplicate your issue here.

                So here are my settings:

                server:
                  private-domain: "plex.direct"
                  local-zone: "use-application-dns.net" static
                  access-control-view: 192.168.3.0/24 wpadview
                view:
                  view-first: yes
                  name: "wpadview"
                  local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

                I have set a different host override for my 9.0/24 LAN:

                ; <<>> DiG 9.14.4 <<>> @192.168.9.253 wpad.my.lan
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47783
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;wpad.my.lan.                   IN      A
                
                ;; ANSWER SECTION:
                wpad.my.lan.            3600    IN      A       192.168.9.42
                
                ;; Query time: 1 msec
                ;; SERVER: 192.168.9.253#53(192.168.9.253)
                ;; WHEN: Sat Sep 14 11:14:22 Central Daylight Time 2019
                ;; MSG SIZE  rcvd: 56
                

                Then when I query from my 3 network

                ; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 wpad.my.lan
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43959
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;wpad.my.lan.                   IN      A
                
                ;; ANSWER SECTION:
                wpad.my.lan.            90      IN      A       192.168.3.1
                
                ;; Query time: 0 msec
                ;; SERVER: 192.168.3.253#53(192.168.3.253)
                ;; WHEN: Sat Sep 14 11:15:34 CDT 2019
                ;; MSG SIZE  rcvd: 56
                

                And it can query outside stuff just fine as well

                ; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 www.google.com
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23600
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;www.google.com.                        IN      A
                
                ;; ANSWER SECTION:
                www.google.com.         3536    IN      A       172.217.4.36
                
                ;; Query time: 0 msec
                ;; SERVER: 192.168.3.253#53(192.168.3.253)
                ;; WHEN: Sat Sep 14 11:17:13 CDT 2019
                ;; MSG SIZE  rcvd: 59
                

                And it breaks out of the view just fine as well for other stuff in the same local zone

                ; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 test.my.lan
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36212
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;test.my.lan.                   IN      A
                
                ;; ANSWER SECTION:
                test.my.lan.            3600    IN      A       1.2.3.4
                
                ;; Query time: 0 msec
                ;; SERVER: 192.168.3.253#53(192.168.3.253)
                ;; WHEN: Sat Sep 14 11:23:19 CDT 2019
                ;; MSG SIZE  rcvd: 56
                

                Edit: BTW, you understand that
                local-zone: "use-application-dns.net" static

                has nothing to do with this, right? That is related to stopping Firefox from using DoH when they make it default.

                  4o4rh

                  Not sure why my results are different to yours with the dig; I keep getting the primary address, but if I physically connect to the 2nd network, wpad resolves to the correct address.

                  The only issue I seem to have now is:
                  if I dig a local host with the FQDN, I receive the correct IN record.
                  If I dig a local host without the domain, I receive the IN record as root-servers.

                  Shouldn't the hostname by itself resolve from the DHCP list? Is there a way to make that happen?

                  johnpoz LAYER 8 Global Moderator

                    @gwaitsi said in WPAD for two networks:

                    but if i physically connect to the 2nd network, wpad resolves to the correct address.

                    You have to be on that network as source to get the view. How else did you think it worked?

                    Those queries are from different source boxes.

                    My main network is 192.168.9, my other network is 192.168.3.

                    Those queries were done from a box at 192.168.9.100 and a Linux box at 192.168.3.32 as source.

                    I wasn't just changing the IP I did the query to... If you didn't understand that, then you don't understand what a view is ;)

                      4o4rh @johnpoz

                      @johnpoz Hi Johnno, how can you add an extra view again (for a VLAN) please?

                      server:
                        local-zone: "use-application-dns.net" static
                        access-control-view: 192.168.3.0/24 wpadview
                      view:
                        view-first: yes
                        name: "wpadview"
                        local-data: "wpad.my.lan. 90 IN A 192.168.3.1"

                      If I try to change the zone name or view name it gives me a syntax error:

                      server:
                        local-zone: "use-application-dns.net" static
                        access-control-view: 192.168.4.0/24 wpadview
                      view:
                        view-first: yes
                        name: "wpadview"
                        local-data: "wpad.my.lan. 90 IN A 192.168.4.1"

                      johnpoz LAYER 8 Global Moderator

                        What are you trying to do, add another view? Plus keep that one?

                        You can not have the same name for a view. And you only need the one server:, and you don't need that use-application-dns.net; that has nothing to do with the view. That is so Firefox won't use DoH when they turn it on.

                        Here. This is 2 different views:

                        server:
                          private-domain: "plex.direct"
                          local-zone: "use-application-dns.net" static
                          access-control-view: 192.168.3.0/24 wpadview
                          access-control-view: 192.168.2.0/24 newview
                        view:
                          view-first: yes
                          name: "wpadview"
                          local-data: "wpad.my.lan. 90 IN A 192.168.3.1"
                        view:
                          view-first: yes
                          name: "newview"
                          local-data: "wpad.my.lan. 90 IN A 192.168.2.1"

                        The private-domain and use-application are NOT part of it; those are just in my custom.

                        From a box on my 192.168.3 network:

                        ; <<>> DiG 9.10.3-P4-Raspbian <<>> @192.168.3.253 wpad.my.lan
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60098
                        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;wpad.my.lan.                   IN      A
                        
                        ;; ANSWER SECTION:
                        wpad.my.lan.            90      IN      A       192.168.3.1
                        
                        ;; Query time: 0 msec
                        ;; SERVER: 192.168.3.253#53(192.168.3.253)
                        ;; WHEN: Sat Sep 28 06:04:44 CDT 2019
                        ;; MSG SIZE  rcvd: 56
                        

                        From a box on my 192.168.2.0/24 network:

                        ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.2.253 wpad.my.lan
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23959
                        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;wpad.my.lan.                   IN      A
                        
                        ;; ANSWER SECTION:
                        wpad.my.lan.            90      IN      A       192.168.2.1
                        
                        ;; Query time: 0 msec
                        ;; SERVER: 192.168.2.253#53(192.168.2.253)
                        ;; WHEN: Sat Sep 28 06:04:08 CDT 2019
                        ;; MSG SIZE  rcvd: 56
                        

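As an added illustration (not johnpoz's code or anything shipped with pfSense or Unbound), this Python models what the two-view config above does: the client's source address selects the view, the view answers wpad.my.lan, and view-first lets every other name fall through to the global host overrides. The subnets, view names and the global overrides for wpad.my.lan and test.my.lan are constructed to mirror the thread, and the small rendering helper rejects the duplicate view name that produced the syntax error.

```python
"""Added example (not from the thread): model how Unbound chooses a view from the
client's source address and, with 'view-first: yes', falls back to the global
local-data for names the view does not define. Mapping values are constructed."""
import ipaddress

# Constructed: client subnet -> (view name, address wpad.my.lan should resolve to)
WPAD_VIEWS = {
    "192.168.3.0/24": ("wpadview", "192.168.3.1"),
    "192.168.2.0/24": ("newview", "192.168.2.1"),
}
# Constructed: global host overrides every client sees unless a view answers first
GLOBAL_LOCAL_DATA = {"wpad.my.lan.": "192.168.9.42", "test.my.lan.": "1.2.3.4"}


def render_unbound_views(views):
    """Emit one server: block plus one view: block per subnet.
    View names must be unique, which is the syntax error the thread ran into."""
    names = [name for name, _ in views.values()]
    if len(names) != len(set(names)):
        raise ValueError(f"view names must be unique: {names}")
    lines = ["server:"]
    for cidr, (name, _) in views.items():
        ipaddress.ip_network(cidr)  # reject malformed prefixes before Unbound does
        lines.append(f"  access-control-view: {cidr} {name}")
    for name, addr in views.values():
        lines += ["view:", "  view-first: yes", f'  name: "{name}"',
                  f'  local-data: "wpad.my.lan. 90 IN A {addr}"']
    return "\n".join(lines) + "\n"


def resolve(qname, client_ip, views=WPAD_VIEWS, global_data=GLOBAL_LOCAL_DATA):
    """Return (answer, source): the A record a client at client_ip gets for qname
    and whether it came from a view, the global local-data, or needs recursion."""
    addr = ipaddress.ip_address(client_ip)
    for cidr, (name, wpad_addr) in views.items():
        if addr in ipaddress.ip_network(cidr):
            if qname == "wpad.my.lan.":
                return wpad_addr, name        # view-specific answer wins
            break                             # view-first: try global data next
    if qname in global_data:
        return global_data[qname], "global"
    return None, "recursion"                  # not local; Unbound would recurse


if __name__ == "__main__":
    print(render_unbound_views(WPAD_VIEWS))
    for src in ("192.168.9.100", "192.168.3.32", "192.168.2.50"):
        print(src, "wpad.my.lan ->", resolve("wpad.my.lan.", src))
```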
                          4o4rh @johnpoz

                          @johnpoz said in WPAD for two networks:

                          Cool, I was wildly off course. Thanks for that. Need to provide the views for separate VLANs.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.