.local across subnets



  • I haven't even received all my pfSense hardware yet so I am just planning the build. I have a very small home network. My plan is to have 3 vlans/subnets:

    10.0.0.x - Main Wired
    10.0.1.x - Main Wireless
    10.1.0.x - Guest Wireless

    Hardware - pfSense router, layer 2 switch, Ubiquiti access point (both wireless vlans)

    With my current off the shelf router, I use xx.local to access my devices. This is nice because it is short. Is it possible to make this work across the main wired and main wireless subdomains? Even so, is it not going to be worth the hassle to set up? Should I just use 1 vlan with 225.225.0.0 subnet?

    Also, I have a domain name with lots of subdomain names. Only one points to my home network: home.example.com. For the router domain name, should I use example.com? I don't really want to have to enter nas.example.com for accessing my nas internally (for times when .local doesn't work). home.example.com just points to the pfsense router which is running a VPN, nothing else will be open.

    Thanks for the help! :)



  • You should use something other than .local as your domain, since mDNS clients will have issues otherwise. Things will "just work" then, without any complications from .local.



  • @cmb:

    You should use something other than .local as your domain, since mDNS clients will have issues otherwise. Things will "just work" then, without any complications from .local.

    That's what I figured. Guess it is time to start getting used to nas.lan, xyz.lan, etc. Thanks.


  • Rebel Alliance Global Moderator

    I wouldn't use that either, that is single label and has its own issues.  Why not something like local.lan so you have nas.local.lan as the fqdn..



  • @johnpoz:

    …that is single label and has its own issues...

    Really, which? Would you mind to educate me. (I'm NOT sarcastic here!)

    Domain names are cheap these days, so why not get something like your street address abbreviated and use that?
    So if you live in 1234 Prime Circle Street get something like pcs1234.net and make that your local domain. If your hosting provider offers a DynDns service you can as well have your pfSense register its address for something like pfs.pcs1234.net so you can reach your network from outside. Or a local web-server, mail server, VPN, …



  • @jahonix:

    @johnpoz:

    …that is single label and has its own issues...

    Really, which? Would you mind to educate me. (I'm NOT sarcastic here!)

    Domain names are cheap these days, so why not get something like your street address abbreviated and use that?
    So if you live in 1234 Prime Circle Street get something like pcs1234.net and make that your local domain. If your hosting provider offers a DynDns service you can as well have your pfSense register its address for something like pfs.pcs1234.net so you can reach your network from outside. Or a local web-server, mail server, VPN, …

    So I have a public domain name. One of the subnets is pointed to my home network. The other subnets and root domain aren't. I could make home.example.com my domain but that would require typing nas.home.example.com. I would love to do this because I could get a wildcard ssl for *.home.example.com and not have to deal with my own CA or self-signed certificates. Only the router is open to the internet but I could have "public ready" ssl certificates for all my devices. The problem is just the really long name. I want to make something short like nas.local work. Of course this won't work with ssl certificates however.



  • I guess I could also do example.com as my domain. I don't have many subdomains or devices so I could make sure that no internal hostnames match external subdomains. This would be best for SSL as I can use 1 ssl everywhere. It is still pretty long but might be worth it.

    Thoughts?


  • Rebel Alliance Global Moderator

    While I agree there are many cheap domains in old/newer tlds you can get.. I got a domain in .xyz for 2 cents for the first year ;)  But it's not going to be that next year for sure..  It's for local stuff, it will never have need to be resolved on the public so there really is no need to register a domain for local use.  Just use a domain with a tld that is unlikely to ever be used and you're good to go.  While if you have the $ you can register any tld pretty much I doubt .lan would make sense as a public tld so that is pretty safe.

    As to use of single label..
    MS does not recommend it that is for sure.  It can cause major problems in forests and trusts with AD..

    Here is the thing with dns, "." is the root right… so typical breakdown is host.sub.domain.tld that end in the root "."  Where you have the hostname and the domain name which makes up the fully qualified domain name or host.domain.tld. where that ending . if not there is implied.

    So from the left of root "." the first label is the TLD or top level domain. You then have the domain that is a sub of the tld.  This is actually the first label that allows you to differentiate your namespace from the rest of the tld.. If you're joining your hostname and your tld, you're actually missing your "domain" ;)

    so if you have nas.something. as your fqdn where is your host name?  you have a domain name "nas" and the tld "something" there but no host ;)  A fqdn is host plus domain.  A domain is label.tld.

    There is nothing saying you can not do that.. The rfc's are pretty open to doing whatever you want on your own network.  Keep in mind that you might have issues with your resolver resolving what you're trying to resolve if you're not using normal convention.



  • Thanks, AD was what I was missing.

    I can get .de TLDs for as low as €0,79 a month over here (€0,25 in the first year).


  • Rebel Alliance Global Moderator

    And the problem with using a public domain locally, ie something with a public tld.  Should that only be resolved locally or should part of it be resolved locally and part of it public?

    If you want to register a domain on the public side so no one can use it that makes sense.  But to actually use it locally I don't see the point.  Many companies will for example register pretty much all the tlds or at least back when it was more viable .com, .net, .org and the countries they do business in, etc. like .us or .de sure.

    But if they are using .com on the public side its better to use .net locally, etc.

    So for example with the use of suffix searches if someone looks for hostname and the suffix of local.lan gets added to it and that is not found locally, should the resolver try and resolve it on the public side?  Or they actually do server.local.lan but forget the trailing root . in their search and the suffix search asks for server.local.lan.local.lan; should that be sent upstream by your forwarder or resolver?  The resolver defaults to transparent which does do that.  I change it to static so it doesn't do that - so anything that I ask that ends in local.lan goes no farther than my local resolver unbound running on pfsense.
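    As an added illustration of the suffix-search and local-zone behaviour johnpoz describes (example code written for this thread, not pfSense or unbound code): the model below expands a typed name the way a glibc-style stub resolver does with a search list, then answers each candidate against a local zone that is either "transparent" or "static". The zone name local.lan, the host records, the search list and the ndots value are all constructed for the demonstration.

```python
# Added example for this thread (not pfSense or unbound code): a small model of
# how a client's DNS search list and an unbound "local-zone" type together
# decide whether a query for a LAN name ever leaves the local resolver.
# The zone name, records and search list below are constructed for the demo.

LOCAL_ZONE = "local.lan."          # assumed local domain, written as an FQDN
LOCAL_RECORDS = {                  # constructed host overrides on the resolver
    "nas.local.lan.": "10.0.0.10",
    "pfsense.local.lan.": "10.0.0.1",
}
SEARCH_LIST = ["local.lan."]       # assumed DHCP-supplied search suffix
NDOTS = 1                          # glibc default for the "ndots" option


def candidates(typed, search_list=SEARCH_LIST, ndots=NDOTS):
    """Expand what the user typed into the ordered list of absolute names a
    glibc-style stub resolver will query.

    A trailing dot makes the name absolute and skips the search list entirely.
    Otherwise, names with at least `ndots` dots are tried as typed first and
    then with each suffix; shorter names get the suffixes first and the bare
    name last.
    """
    if typed.endswith("."):
        return [typed]
    as_typed = typed + "."
    suffixed = [f"{typed}.{suffix}" for suffix in search_list]
    if typed.count(".") >= ndots:
        return [as_typed] + suffixed
    return suffixed + [as_typed]


def resolve(qname, zone_type):
    """Model one query against the local resolver.

    Returns (answer, sent_upstream).  With zone type "static", any name under
    LOCAL_ZONE that has no local record is answered NXDOMAIN locally; with
    "transparent" (the default johnpoz mentions) it is passed on to the
    forwarders or root servers like any other unknown name.
    """
    if qname in LOCAL_RECORDS:
        return LOCAL_RECORDS[qname], False
    in_zone = qname == LOCAL_ZONE or qname.endswith("." + LOCAL_ZONE)
    if in_zone and zone_type == "static":
        return None, False
    # Anything else is outside local data: the model treats upstream as
    # answering NXDOMAIN and just records that the query left the LAN.
    return None, True


def lookup(typed, zone_type):
    """Walk the candidate list the way a stub resolver does, stopping at the
    first answer.  Returns (answer, list_of_queries_sent_upstream)."""
    leaked = []
    for name in candidates(typed):
        answer, upstream = resolve(name, zone_type)
        if upstream:
            leaked.append(name)
        if answer is not None:
            return answer, leaked
    return None, leaked


if __name__ == "__main__":
    for typed in ("nas", "server.local.lan", "server"):
        for zone_type in ("transparent", "static"):
            answer, leaked = lookup(typed, zone_type)
            print(f"{typed:18} {zone_type:12} -> {answer!s:10} upstream: {leaked}")
```

    Running it shows the case from the post: typing server.local.lan for a host that does not exist makes a transparent zone send both server.local.lan. and server.local.lan.local.lan. upstream, while a static zone answers both locally. It also shows a limit of the static setting: a bare single-label name that matches nothing still gets tried as server. after the suffix fails, and that query is outside local.lan, so it goes upstream in either mode.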



  • @johnpoz:

    And the problem with using a public domain locally, ie something with a public tld.  Should that only be resolved locally or should part of it be resolved locally and part of it public?

    If you want to register a domain on the public side so no one can use it that makes sense.  But to actually use it locally I don't see the point.  Many companies will for example register pretty much all the tlds or at least back when it was more viable .com, .net, .org and the countries they do business in, etc. like .us or .de sure.

    But if they are using .com on the public side its better to use .net locally, etc.

    So for example with the use of suffix searches if someone looks for hostname and the suffix of local.lan gets added to it and that is not found locally, should the resolver try and resolve it on the public side?  Or they actually do server.local.lan but forget the trailing root . in their search and the suffix search asks for server.local.lan.local.lan; should that be sent upstream by your forwarder or resolver?  The resolver defaults to transparent which does do that.  I change it to static so it doesn't do that - so anything that I ask that ends in local.lan goes no farther than my local resolver unbound running on pfsense.

    So for a home network what is the best thing to do? I have a domain name and I am definitely going to point a subdomain to my house and use dynamic dns to ensure it stays there. I currently only need this for 2 things: the VPN running on the router and a single service running on one of the servers in my home. The root domain and other subdomains are used in the internet.

    It seems like the options discussed are:
    .lan
    .internal.lan
    .example.com
    .home.example.com

    My router gets here tomorrow! :)