Rookie question, how to get firewall to answer to it's name



  • The firewall is running on 192.168.1.1.  I cannot seem to be able to use the hostname and domain (firewall.home) to be able to access the box.  It answers fine on 192.168.1.1, however, nothing resolves on firewall.home.

    My firewall (pfSense 2.3.4) is running on 192.168.1.1.  My router is running on 192.168.2.1 and is connected to the LAN port of the firewall.  My router is configured with gateway and DNS both on 192.168.1.1 (the firewall), so I think all the DNS lookups are going through.

    Unfortunately, when I go to http://firewall.home, the name does not resolve.  On pfSense, I am using DNS Resolver (unbound) to handle DNS processing.  So, how do I tell unbound or configure pfSense to answer to its name?

    My other machines are plugged into the router and do not actually use the domain.  So, the router is called "gate", and I can just do http://gate to get to it.  But that's handled by DD-WRT.  The router obviously does not know about the firewall, however, should it not send out DNS request to 192.168.1.1 and the unbind service should just see that I am looking for "firewall.home" and respond with 192.168.1.1?  In fact, I rather reference my firewall machine just as http://firewall.

    I must be missing something regarding the workings of the DNS.

    Any help would be appreciated for this trivial, but yet frustrating issue.



  • In my case, I had to add the GUI port number to the end of the string:  "http://firewall.home:445" (your's might be something else (like 80)).



  • It's more basic than that.  The firewall.home is not being resolved.  So, if I do a ping of firewall.home, I get: ping: cannot resolve firewall.home: Unknown host.  So, the DNS is not resolving plain and simple.  Obviously, external DNS addresses resolve just fine as I am able to browse the external site.

    The router is doing its job since I can use router's DNS to reach it at http://gate.  However, when the router does not know of the firewall.home, it supposed to send the request to DNS, just like for an external site.  Here is where the pfSense DNS Resolver should figure it out and return 192.168.1.1.

    But this is not happening, apparently.



  • Ok, it's getting a bit more interesting.

    If I execute dig to the firewall:

    dig @192.168.1.1 gate.home    (it works!, the name resolves)
    dig @192.168.1.1 firewall.home  (it works! the name resolves)

    However, if I execute dig to the router:
    dig @192.168.2.1 gate.home (does not work), but just gate, works fine
    dig @192.168.2.1 firewall.home (does not work)

    So, while the pfSense has entries for it's self and the single client (router) connecting on a lan port, the router is not forwarding the request to pfSense when I try to resolve firewall.home?  However, external host addresses seem to work just fine…


  • LAYER 8 Global Moderator

    "My router is running on 192.168.2.1 and is connected to the LAN port of the firewall. "

    Huh?  So you have a wifi router behind pfsense doing NAT?  Why??

    Where is internet in this setup?  Pfsense has a public IP on its wan?



  • Right, so

    cable modem <–-> (wan) pfSense (lan) <---> (wan) wireless router <---> (my network is here)
    (WAN)                    (DNSResolver/DHCP)            (DNS Masq/DHCP)                  192.168.2.*                       
    (DHCP)                        192.168.1.1                      192.168.2.1                 
    Public IP

    When network devices use DHCP to get their address the router allows them to be accessed by their short name.  The internet browsing works fine and public DNS resolves correctly.  However, for some reason, I cannot see the firewall.home (which is the name I gave to the pfSense machine).


  • LAYER 8 Global Moderator

    Why in the world would you do it that way??  Just use your wifi router as AP.. What your doing there makes ZERO sense.. Why would you double nat??  No shit your going to have dns issue with that sort of setup..



  • Thanks for your answer.

    Perhaps I am not familiar enough with pfSense or super paranoid that if an issue is indeed found with pfSense I would have another level of firewall available.  Whatever the issue is, your answer does not quite explain why I would be having and issue with a single DNS resolution.  And it's not multiple DNS issues, as external IP(s) and those registered to the router directly resolve just fine. It's a single DNS resolution of the firewall which does not quite work.  I can get around it by just visiting http://192.168.1.1, but I was looking to find out what specifically makes it not work.

    I understand that I can simply connect the router to the switch which is attached to the LAN port of the pfSense firewall, however, I wanted a slightly different configuration. It works fine, except for the minor DNS issue which I was trying to understand.


  • LAYER 8 Global Moderator

    Where is your router behind pfsense forwarding too for dns?  To pfsense for dns?  And your looking up what fqdn?? firewall.home?

    Does it actually forward that?  Many a soho router dns is utter crap and intercepts specific stuff to send you to its own gui, etc.

    However, if I execute dig to the router:
    dig @192.168.2.1 gate.home (does not work), but just gate, works fine
    dig @192.168.2.1 firewall.home (does not work)

    This tells you right here its the router not forwarding what you asked it to pfsense for resolution.. Maybe it thinks it .home, etc.  Why not just have all your clients directly use pfsense for dns??  Your asking your router, who just forwards to pfsense anyway for zero reason!!



  • The router is behind the pfSense running a fairly recent version of DD-WRT with DNSMasq handling the DNS.  It's also handing out DHCP addresses in the 192.168.2/32 network.  The DHCP on the router gives out the address and registers the machine with DNSMasq so that I can reference machines by name.

    cable modem <–-> (wan) pfSense (lan) <---> (wan) wireless router <---> (my network is here)
    (WAN)                    (DNSResolver/DHCP)            (DNSMasq/DHCP)                  192.168.2./32                       
    (DHCP)                        192.168.1/32                    192.168.2/32                 
    Public IP

    The router is configured to use 192.168.1.1 as it's DNS, pfSense get's its DNS from the DHCP connection via the cable modem.  When I access a local device connected to the router, the router is able to resolve the name and return the IP address in the 192.168.2/32 network of the device connected to it.

    When I request a public name, such as pfsense.org, for example, the router forwards the request to pfSense which then does whatever it does to resolve the address.

    However, and only in one case, when I try to resolve the name.domain of the firewall (which is currently set to firewall.home), the name is not getting resolved.

    Sure, I can put my router into an access point mode and just have the firewall do everything, but I am trying to get the configuration with double firewall working in my case.  It's not urgent or anything, it just bugs me that I cannot resolve the firewall by name.  I can continue using 192.168.1.1 to address the firewall for the rest of the time, it's just irking me that I don't understand why it does not work.


  • LAYER 8 Global Moderator

    It doesn't work because its not being forwarded.. So look to why dd-wrt is not forwarding it.

    Clearly ask pfsense when you do your dig.. So that works you showed that it did.. So whe nyou ask your dd-wrt router.. It would forward it - does it get the answer?  Sniff on pfsense..  It quite possible dd-wrt is doing rebind protection.. Its asking its upstream dns, and it returns rfc1918.. Which is normally a rebind attack..

    Pfsense will not return rfc1918 from upstream..  Neither the forwarder or resolver will do that unless you turn off rebind protection.

    But what your doing is just completely utterly pointless!!  What exactly do you think its protecting you against running a double nat setup??



  • The question: "What exactly do you think its protecting you against running a double nat setup??" is actually a good one.  As I mentioned, I am not familiar with pfSense, so, I don't know if I have it setup correctly or not.

    Perhaps this following part belongs in the FireWall section, however, I don't have any rules which allow any connections to come in from outside.  When I look at the firewall logs, I do see a lot of requests are being dropped.  That's good.  However, when I look at the DD_WRT incoming log table, I also see some external IP(s) being dropped as well.

    Here are the rules and the screenshot of the incoming log table from the router running DDWRT.  What I don't understand, is that if the firewall is supposed to block any connection requests, why are things still getting to the router?

    Perhaps, this should now be in the Firewall section of the forum, but this explains my paranoia of having a "double-firewall" setup.  I guess I just don't quite understand this stuff fully yet.

    ![Screen Shot 2017-05-13 at 2.20.34 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.20.34 PM.png)
    ![Screen Shot 2017-05-13 at 2.20.34 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.20.34 PM.png_thumb)
    ![Screen Shot 2017-05-13 at 2.21.09 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.09 PM.png)
    ![Screen Shot 2017-05-13 at 2.21.09 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.09 PM.png_thumb)
    ![Screen Shot 2017-05-13 at 2.21.37 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.37 PM.png)
    ![Screen Shot 2017-05-13 at 2.21.37 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-05-13 at 2.21.37 PM.png_thumb)



  • If it is just the one entry, I would just put this in dd-wrt

    Services->Services Management->DNSMasq->Additional DNSMasq Options

    address=/firewall.home/firewall/192.168.1.1
    ptr-record=1.1.168.192.in-addr.arpa,"firewall.home"


  • LAYER 8 Global Moderator

    Those are prob out of state drops.. Ie something you created a connection too, and then did not correctly close the connection or whatever and or the state expired so dd-wrt droppped it.

    Those ports 57839 and 57849 look to be source port for some connection you had created from a client behind dd-wrt..

    Both of those Ips are owned by amazon, they resolve to a compute-1.amazonaws.com domain.  Many software packages would connect to those networks, phone home - shoot could of been you watching amazon prime video or music, etc.

    The only traffic that would get through to your dd-wrt wan would be something you forwarded, which clearly your not doing.  So the only thing else it would be would be answer to traffic you created.  So things would get dropped if you have issue with states expiring with connections not being closed correctly..

    There is no point to running behind a double nat as any form of extra security.. And if anything can cause you problems with certain protocols, can cause issues with state tables getting out of state.. Especially if you rebooted say your dd-wrt, all the states would be gone on the dd-wrt but would still be open on pfsense and traffic what was answers to what you wanted would still be forwarded by pfsense and then dropped at dd-wrt.

    dd-wrt log doesn't even show you that flags on those packets - where they SYN, where they ACK?  I would assume they are just out of state..  And then yes they should be dropped.. But pfsense would do the same thing with out of state traffic..

    See this doc
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection


Log in to reply