DNS Forwarder on LAN2 (OPT2) Interface



  • I've setup a 6-zone PFSENSE box for a local library (see text diagram below).

    I have DHCP running on the 3 internal interfaces (LAN, LAN2, WIFI).

    DNS Forwarder works fine for LAN - the DHCP assigns host names, and the host file entries resolve correctly for workstations on LAN.

    DNS Forwarder does not seem to work on LAN2 (OPT2).  The DHCP part works - and both dynamic and fixed IP's are assigned correctly for workstations on LAN2.

    But, if I setup the LAN2 NIC address as the DHCP DNS SERVER address - it correctly assigns that as the DHCP DNS address - but workstations have NO name resolution - for both normal FQDN via DNS nor local Hostnames via the HOSTS file entries.

    If I setup external DNS servers (i.e. OpenDNS) in the DHCP settings for LAN2, then the workstations on LAN2 correctly resolve external FQDN via DNS, but they do not resolve any of the local hosts (which is bad since printers are currently setup via hostname not IP)

    Does DNS Forwarder work on OPT interfaces?  And if so, what did I do wrong (or omit) in my setup such that it doesn't work?

    6-Zone PFSENSE (v1.2 02/24/2008)

    [WAN] xxx.xxx.115.29/29  -  [WAN2/OPT1] xxx.xxx.105.162/27
    [WIFI/OPT4] 10.1.1.254/24 (GW-WAN)  -  [DMZ/OPT3] 192.168.3.1/24 (GW-WAN2)
    [LAN] 192.168.1.254/24 (GW-WAN)  -  [LAN2/OPT2] 192.168.10.254/24 (GW-WAN2)



  • I've got the exact same situation here I believe. It's a 4-zone configuration, so I use vonskippy's configuration as example (just without the WIFI and DMZ interfaces).

    After setting up Multi-Wan, the second LAN interface (OPT1) could not resolve DNS names.
    The default DNS server IP, provided by the DHCP server, is the firewall (gateway) itself (192.168.10.1). However, the DNS forwarder can't be reached at this address from this subnet.
    If I do an nslookup from the default LAN (say 192.168.1.123) and set the server to the firewall's OPT1 interface ip-address (192.168.10.1), it just works!

    So the DNS forwarder listens at 192.168.10.1, but can't be reached from is own subnet however it can be reached from another subnet. Isn't that strange?

    Now I use the following workaround: the DHCP server at LAN2 provides the firewall's LAN interface as DNS server.
    In the General Setup, the following DNS servers are configured:
    Primary: DNS server of Internet Service Provider 1 at WAN
    Secondary: DNS server of Internet Service Provider 2 at WAN2
    And there's a static route for interface LAN2 to WAN2_DNS_SERVER_IP/32 with gateway 192.168.1.1 (firewall LAN interface)

    Ain't too brilliant. :-\



  • I think I know why.
    If you use another gateway on a opt lan you will need a rule to connect to the local service running on your pfSense box.
    Look at the attach pictures on howto.
    Some related posts when using OpenDNS in a multiwan environment.
    http://forum.pfsense.org/index.php/topic,11352.msg62858.html#msg62858
    http://forum.pfsense.org/index.php?topic=10793.0






  • @Perry:

    If you use another gateway on a opt lan you will need a rule to connect to the local service running on your pfSense box.

    Ah, right! It's too obvious once you know. I've added the 'Use default gateway for DNS' rule (picture below) and now it works!
    I don't know why I should block DNS queries to other destinations, so I disabled this rule. Is this because you won't allow people to change their DNS themselves?

    OpenDNS is interesting also, although I'm not too sure this service is useful for our company.

    Many thanks!




  • Correct
    Using OpenDNS is a easy way to avoid site's with spyware and phishing.


Log in to reply