Netgate Discussion Forum
    Manual DNS entry for a local host

Category: DHCP and DNS | 13 Posts, 6 Posters, 1.4k Views
techvic:

      I'm experimenting with pfSense to get a better understanding how it works.

      Here's the scenario: I have several VLANs and for every VLAN one interface in pfSense. I configured my WAN interface and created rules for every VLAN-Interface to grant access to the internet thru WAN. In one of those Zones I have a host running a webserver, so I forwarded ports 80 & 443 from the WAN to the appropriate Interface. So far everything works.

Now the problem: accessing the webserver using its public domain name (domain.com) works from outside and from all other zones, but not from within the same zone the webserver is in.

      I'm not completely understanding why this happens. Because the domain.com is resolved to the public IP address of WAN interface. So somehow the port forward rules do not apply for requests coming from the same interface as the destination interface is.

      A simple workaround would be a manual DNS entry for the webserver-host which only applies to the interface in question. Is that possible in pfSense? Or can I specify a route to the host some other way?

kiokoman (LAYER 8):

        check if this is of any help
        https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

JKnott (reply to techvic):

          @techvic said in Manual DNS entry for a local host:

          Because the domain.com is resolved to the public IP address of WAN interface.

          Why don't you just use a host override in the DNS resolver or forwarder? You create the host name but use the local address. You only have to do this once and it will work with everything on your local networks.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

jahonix:

            @techvic said in Manual DNS entry for a local host:

            So somehow the port forward rules do not apply for requests coming from the same interface as the destination interface is.

            Correct, this would require an active reflection which is off by default. Consider this a hack only.

            A simple workaround would be a manual DNS entry for the webserver-host ...

            You nailed it, it's called host override in your DNS server and works as split DNS.
            The preferred and elegant way of solving this. The linked docs show this in greater detail.

techvic:

thanks, "Method 1: NAT Reflection" was the option I was looking for ( https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html )

JKnott (reply to techvic):

                @techvic

                Is there some reason you can't use a host override? By using NAT reflection, you're getting pfSense involved, when it doesn't have to be.


johnpoz (LAYER 8 Global Moderator):

                  Using nat reflection is like putting the light switch for your bedroom out at the end of the driveway.. So every time you want to turn your bedroom light on or off you need to walk out to the end of the driveway just to come back inside.

While it works, it's not very efficient ;)

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

techvic (reply to JKnott):

                    @JKnott said in Manual DNS entry for a local host:

                    @techvic

                    Is there some reason you can't use a host override? By using NAT reflection, you're getting pfSense involved, when it doesn't have to be.

                    I looked into that, however it expects a hostname in the scheme "hostname.domain.com", which, in my case is not possible, because "domain.com" IS the hostname. I couldn't find a way to cheat the settings-dialog accordingly. Is that possible?

Gertjan (reply to techvic):

                      @techvic said in Manual DNS entry for a local host:

                      the scheme "hostname.domain.com", which, in my case is not possible, because "domain.com" IS the hostname

Very uncommon - perfect to break something.

                      Like you blank out the hostname here :

[screenshot: host override form with the hostname field left blank]

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

johnpoz (LAYER 8 Global Moderator):

                        You understand that when you do that, the domain is the host and .tld is the domain right... Works just fine...

[screenshot: host override entry with the domain as the host and the TLD as the domain]

While I agree it's bad practice to do that, to be honest.. It works just fine...


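What the host override discussed above amounts to at the resolver level, as an added example that is not from the thread and not pfSense's own generated configuration: pfSense's DNS Resolver is Unbound, and an override for a bare domain (the "domain is the host, .tld is the domain" case johnpoz describes) is just a local-data record for the apex name. The domain example.com and the LAN address 10.10.20.5 are constructed values; the exact statements pfSense writes from the GUI form may differ from this generic Unbound form.

```conf
server:
    # Split DNS for the apex name: clients that use this resolver get the
    # LAN address, while the public zone outside keeps the WAN address.
    # Constructed values: example.com, web server 10.10.20.5 (assumption).
    #
    # "transparent" means names under example.com without a local-data
    # entry are still resolved upstream as usual, so only the overridden
    # names are answered locally.
    local-zone: "example.com." transparent
    local-data: "example.com. 3600 IN A 10.10.20.5"
    local-data: "www.example.com. 3600 IN A 10.10.20.5"
    # Reverse entry so PTR lookups for the LAN address match the override.
    local-data-ptr: "10.10.20.5 example.com"
```

Because the answer is a LAN address, clients in the web server's own VLAN connect directly and the port forward, and hence NAT reflection, is never involved for them; the trade-off is that every internal client must actually use pfSense as its resolver for the override to take effect.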
JKnott (reply to techvic):

                          @techvic said in Manual DNS entry for a local host:

                          @JKnott said in Manual DNS entry for a local host:

                          @techvic

                          Is there some reason you can't use a host override? By using NAT reflection, you're getting pfSense involved, when it doesn't have to be.

                          I looked into that, however it expects a hostname in the scheme "hostname.domain.com", which, in my case is not possible, because "domain.com" IS the hostname. I couldn't find a way to cheat the settings-dialog accordingly. Is that possible?

                          If it's a valid host name, it should work. Have you tried it to see what happens? You can put whatever valid host name you want in there, even google.com. Then any attempts to reach google will go to the address you specified.


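A way to "try it and see what happens", as an added example that is not from the thread or from pfSense: a small POSIX shell check that compares what the LAN resolver and a public resolver answer for the name, and reports whether a split-DNS host override is in effect ("split-dns"), whether both sides still return the public address so inside clients depend on NAT reflection ("hairpin", the original poster's situation), or whether one side did not resolve at all. The resolver addresses 10.10.20.1 and 9.9.9.9 and the name example.com in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: classify how a public name resolves from
# inside the LAN versus from outside, to confirm that a split-DNS host override
# is answering inside rather than relying on NAT reflection.

# Exit 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_v4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# $1 = A record answer from the LAN resolver, $2 = answer from a public resolver.
classify_split_dns() {
    in_ans="$1"
    out_ans="$2"
    if [ -z "$in_ans" ] || [ -z "$out_ans" ]; then
        echo "no-answer"      # one side returned nothing; nothing to compare
    elif is_private_v4 "$in_ans" && ! is_private_v4 "$out_ans"; then
        echo "split-dns"      # override answers inside, public zone answers outside
    elif [ "$in_ans" = "$out_ans" ]; then
        echo "hairpin"        # same public address both ways: inside clients need NAT reflection
    else
        echo "inconsistent"   # two different answers, neither of them a LAN address
    fi
}

# Live usage (assumes pfSense/Unbound at 10.10.20.1 and a public resolver at
# 9.9.9.9; run from a host in the same VLAN as the web server):
#   lan=$(dig +short @10.10.20.1 example.com A | head -n 1)
#   pub=$(dig +short @9.9.9.9 example.com A | head -n 1)
#   classify_split_dns "$lan" "$pub"
```

A "hairpin" result from inside the web server's VLAN is exactly the symptom described at the top of the thread; after adding the host override it should change to "split-dns" for every client that uses pfSense as its resolver, while "no-answer" usually means the client is pointed at a different resolver than the one the override was added to.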
JKnott (reply to johnpoz):

                            @johnpoz said in Manual DNS entry for a local host:

                            While I agree its bad practice to do that to be honest.. It works just fine...

                            It may be a bad practice, but it's made necessary by NAT on IPv4. You don't have to do such a thing on IPv6, where there are plenty of addresses.


Gertjan:

@johnpoz: I just tried it: my domain a mere TLD .fr and the rest of the domain as a host name.
It ... works.
Common sense is still barking at me.


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.