Split DNS and Port Forwarding to web server on DMZ

drexlock · Aug 20, 2017, 8:11 PM

I have a web server running NextCloud setup on my DMZ with the address 10.10.0.10 and want requests sent to drive.example.com on the LAN and WAN sent to the DMZ address. I tried setting up host override under DNS Resolver but when I browse to drive.example.com I hit a DNS Rebind Error on the pfsense page, when I disable DNS rebind drive.example.com takes me to the pfsense login page. I'm sure this isn't an uncommon setup but I've been having a heck of a time fining a guide using DNS resolver online that shows how ti set this up properly.

Derelict · Aug 20, 2017, 8:16 PM

Set your inside DNS (DNS Resolver) for drive.example.com to 10.10.10.10 using a host override.

Set your outside DNS for drive.example.com to the outside IP address that is port-forwarded to 10.10.10.10.

Nothing will ever hit anything listening on pfSense and there will be no rebind error.

drexlock · Aug 21, 2017, 10:32 PM

Thanks, I tried that but when I browse to drive.example.com I'm taken to the admin page of the pfsense box. What's weird is that when i setup example.com to forward to 10.10.0.10 I don't get the pfsense admin page, I get the "Site cant be reached error". I have drive.example.com forwarded with a dynamic DNS to my network but don't have example.com setup the same way.

Right now my Firewall rules are set to:

LAN

- - LAN Address 443/80 * *
    IPV4 LAN * * * * Allowed to any rule
    IPV6 LAN * * * * Allowed to any rule

DMZ
IPV4+6 DMZ Net * LAN Net * *
IPV4 TCP/UDP DMZ Net * * 53
IPV4 TCP DMZ Net * * 80
IPV4 TCP DMZ Net * * 443

Derelict · Aug 21, 2017, 11:43 PM

Then you are not redirecting to the right place and/or are doing it wrong.

What is your LAN address and netmask?

What is your DMZ address and netmask?

What is the inside, real IP address of the host serving the nextcloud?

What is the inside, real IP address of the host you are testing from?

When that test host looks up the DNS for your nextcloud server name, what is returned?

Are you running squid or any other such nonsense on the firewall?

drexlock · Aug 22, 2017, 9:20 AM

I figured out the issue by going to another machine, it was not a pfsense configuration issue but a workstation issue. My workstation had been set to always use Google DNS and wasn't polling the pfsense box at all. So no matter what I changed in pfsense it wouldn't impact my testing machine.