Netgate Discussion Forum

    All domains resolve to PfSense GUI

    • johnpoz LAYER 8 Global Moderator @Halfhidden

      @halfhidden said in All domains resolve to PfSense GUI:

      I'm guessing that DNS can't reach the local ip and therefore can't resolve to the VPN client I've pointed the resolver to.

      Where are you pointing the vpn client to? If it's an IP of pfsense that unbound is listening on - you will have to adjust your ACLs in unbound to allow for that tunnel IP your vpn client is using to be able to query it.

      edit: where did you come up with blerg? ;) foo is a common obfuscation sort of name ;) hehehe

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11
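
The ACL behaviour described in the post above, as an added example that is not part of the original post and is not pfSense or unbound code: it models how unbound picks an `access-control` action for a client address (the most specific matching netblock wins, and an address that matches nothing is refused). The 10.8.0.0/24 tunnel network, the sample entries and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample, in the shape of unbound.conf "access-control:" entries.
# The LAN subnet is the one used in this thread; no VPN tunnel network is listed.
SAMPLE_ACL = [
    ("127.0.0.0/8", "allow"),
    ("192.168.1.0/24", "allow"),
]

# Actions under which the client receives an answer to its query.
ANSWERING = {"allow", "allow_snoop"}


def parse_acl(entries):
    """Turn (netblock, action) string pairs into (ip_network, action) pairs."""
    return [(ipaddress.ip_network(net), action) for net, action in entries]


def acl_action(client_ip, acl):
    """Return (action, netblock) for client_ip.

    The most specific matching netblock decides, entry order is irrelevant,
    and a client that matches no netblock gets "refuse".
    """
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, act) for net, act in acl
               if net.version == ip.version and ip in net]
    if not matches:
        return "refuse", None
    net, act = max(matches, key=lambda m: m[0].prefixlen)
    return act, net


def can_query(client_ip, acl):
    """True when the resolver would answer this client."""
    return acl_action(client_ip, acl)[0] in ANSWERING


if __name__ == "__main__":
    before = parse_acl(SAMPLE_ACL)
    # Hypothetical fix: allow the tunnel network, but keep one host blocked.
    after = parse_acl(SAMPLE_ACL + [("10.8.0.0/24", "allow"),
                                    ("10.8.0.66/32", "deny")])
    for client in ("192.168.1.50", "10.8.0.2", "10.8.0.66"):
        print(client, acl_action(client, before)[0], "->",
              acl_action(client, after)[0])
```
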

      • KOM @johnpoz

        @johnpoz To each their own. foo didn't occur to me even though I've seen it a zillion times.

        • johnpoz LAYER 8 Global Moderator @KOM

          blerg? hehee - we could see if we could get that added to the wiki page ;)

          https://en.wikipedia.org/wiki/Metasyntactic_variable

          • KOM @johnpoz

            @johnpoz I think it's funny that there just happens to be a blerg.co.uk.

            • Halfhidden

              @johnpoz said in All domains resolve to PfSense GUI:

              Where are you pointing the vpn client to? If it's an IP of pfsense that unbound is listening on - you will have to adjust your ACLs in unbound to allow for that tunnel IP your vpn client is using to be able to query it.

              This is what I've done. I've not altered the ACLs at all.
              Thanks both of you.
              Really appreciate your help.

              • KOM @Halfhidden

                @halfhidden Well, I don't know what exactly you're trying to accomplish and you didn't answer any of my last questions so I'm not sure how much more helpful I can be. Maybe if you start from the beginning and explain what you want to do.

                • johnpoz LAYER 8 Global Moderator @KOM

                  @kom I took his last reply to mean that he fixed his acls and he's now working how he wants.

                  • KOM @johnpoz

                    @johnpoz If so then good. As long as it works.

                    • Halfhidden

                      OK I apologise for this. I honestly thought I'd fixed this. Clearly I've made no change to the situation.
                      After reaching for the Jack Daniels to celebrate a small victory, I realised I was actually testing the domains from a laptop that was connected to the internal DHCP of PfSense and yes the domains resolved, but from external requests they don't.

                      "What is the authoritative DNS"
                      The dns is set with http://freedns.centos-webpanel.com/
                      I've only set the @ "A" record to the static ip from my ISP and www "CNAME" to @ (and basic settings for FTP, MX and so on)
                      I'm trying to resolve the domain cloud.lescudjack.co.uk to an internal ip of 192.168.1.108 that is a Nextcloud VPN on Esxi 6.7
                      I'm also trying to resolve the domain lescudjack.co.uk to an internal ip 192.168.1.101 and that is the internal ip for Esxi.

                      Right now if I connect to the network that PfSense issues DHCP from, I can type in those domains and they resolve to the correct domain name and are completely accessible. If I try the same from a computer not connected to the internal PfSense network, then the same domain names do resolve to the domain, but instead of seeing the vpn as expected, I get this:

                      As an example cloud.lescudjack.co.uk should resolve to the NextCloud vpn, it resolves to the main GUI of Pfsense instead.

                      In DNS resolver/access lists I added the subdomain for cloud.lescudjack.co.uk and then put in the local ip and allowed the rule.

                      I know the domain and ip's shouldn't be posted on open forums, but if this is resolved then the domain will be used elsewhere (change dns) and the internal ip's changed to a different subnet.

                      • KOM @Halfhidden

                        @halfhidden Clients from the Internet can't route to private IP addresses. Even if you set your external DNS to reply to those queries with 192.168.x.y, clients won't be able to go there.

                        What are you trying to do?

                        For example, if you're trying to get Internet clients to be able to reach a server on your LAN, you do that via a NAT port-forward.

                        • Halfhidden

                          @kom said in All domains resolve to PfSense GUI:

                          What are you trying to do?
                          For example, if you're trying to get Internet clients to be able to reach a server on your LAN, you do that via a NAT port-forward.

                          Yes that is what I'm trying to achieve, but I'm keen not to have to do this by way of ports that the user (internet side user) has to add ports to the end of the domain.
                          Example cloud.lescudjack.co.uk:2003

                          • KOM @Halfhidden

                            @halfhidden OK so then you want to set your external DNS records for your domain so that cloud.lescudjack.co.uk resolves to your pfSense WAN IP. From there, you create a port-forward that forwards traffic on a specific port to a server on your LAN.

                            How to Set Up Port Forwarding in pfSense Software

                            How To Setup Port Forwarding on pfsense 2.4

                            Port Forwards

                            Troubleshooting NAT Port Forwards

                            • johnpoz LAYER 8 Global Moderator @Halfhidden

                              ;; ANSWER SECTION:
                              cloud.lescudjack.co.uk. 86400 IN A 78.33.200.127

                              Is that pfsense public IP?

                              Not sure what to make of this

                              but instead of seeing the vpn as expected

                              Are you trying to route traffic through a vpn to get to your port forwards?

                              Where are your port forwards and firewall rules? Yeah if you open up your firewall on wan and hit its IP from the public on the right port the gui will be served.

                              • Halfhidden

                                Hi guys,
                                Thanks. I haven't created any rules to port forward traffic from the WAN to Lan (Not sure what the hell I was thinking).

                                Yes PfSense won't be public facing once I re-set up the lab. I don't see any benefit from having web access to either Esxi or PfSense, so I'll make sure that they are set up on private ip's when I do set it all back up.

                                I do have to thank you both for helping. I can't believe how dumb I've been with this.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.