Split DNS and Port Forwarding to web server on DMZ



  • I have a web server running NextCloud set up on my DMZ with the address 10.10.0.10 and want requests sent to drive.example.com on the LAN and WAN sent to the DMZ address. I tried setting up a host override under DNS Resolver, but when I browse to drive.example.com I hit a DNS Rebind Error on the pfSense page; when I disable DNS rebind protection, drive.example.com takes me to the pfSense login page. I'm sure this isn't an uncommon setup, but I've been having a heck of a time finding a guide using DNS Resolver online that shows how to set this up properly.


  • Netgate

    Set your inside DNS (DNS Resolver) for drive.example.com to 10.10.10.10 using a host override.

    Set your outside DNS for drive.example.com to the outside IP address that is port-forwarded to 10.10.10.10.

    Nothing will ever hit anything listening on pfSense and there will be no rebind error.



  • Thanks, I tried that, but when I browse to drive.example.com I'm taken to the admin page of the pfSense box. What's weird is that when I set up example.com to forward to 10.10.0.10 I don't get the pfSense admin page, I get the "Site can't be reached" error. I have drive.example.com forwarded with a dynamic DNS to my network but don't have example.com set up the same way.

    Right now my Firewall rules are set to:

    LAN

        • LAN Address 443/80 * *
        • IPv4 LAN * * * * (Allowed to any rule)
        • IPv6 LAN * * * * (Allowed to any rule)

    DMZ

        • IPv4+6 DMZ Net * LAN Net * *
        • IPv4 TCP/UDP DMZ Net * * 53
        • IPv4 TCP DMZ Net * * 80
        • IPv4 TCP DMZ Net * * 443


  • Netgate

    Then you are not redirecting to the right place and/or are doing it wrong.

    What is your LAN address and netmask?

    What is your DMZ address and netmask?

    What is the inside, real IP address of the host serving the nextcloud?

    What is the inside, real IP address of the host you are testing from?

    When that test host looks up the DNS for your nextcloud server name, what is returned?

    Are you running squid or any other such nonsense on the firewall?



  • I figured out the issue by going to another machine; it was not a pfSense configuration issue but a workstation issue. My workstation had been set to always use Google DNS and wasn't polling the pfSense box at all. So no matter what I changed in pfSense, it wouldn't impact my testing machine.
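To tie the Netgate instructions together with the root cause found at the end of the thread, here is an added example (not from the thread or from Netgate) that models the split-DNS setup: the pfSense DNS Resolver answers the host override, public DNS answers the WAN address, and which resolver a LAN client actually uses decides whether it lands on the Nextcloud host or on the firewall's own GUI. The WAN address (203.0.113.5), the resolver address (10.10.1.1) and the assumption that NAT reflection is off are constructed for the example.

```python
# Added example, not thread code: a model of the split-DNS setup above.
# Only 10.10.0.10 and drive.example.com come from the thread; the other
# addresses are constructed placeholders.

NAME = "drive.example.com"
DMZ_HOST = "10.10.0.10"        # Nextcloud server on the DMZ (from the thread)
WAN_IP = "203.0.113.5"         # assumed public address of the pfSense WAN
PFSENSE_RESOLVER = "10.10.1.1"  # assumed LAN address of the DNS Resolver

# What each resolver answers for the name. The pfSense DNS Resolver carries
# the host override; public DNS (via dynamic DNS) carries the WAN address
# that is port-forwarded to the DMZ host.
RESOLVER_ANSWERS = {
    PFSENSE_RESOLVER: {NAME: DMZ_HOST},  # inside view: host override
    "8.8.8.8": {NAME: WAN_IP},           # outside view: public record
}


def resolve(name, resolver):
    """Return the A record a client gets for `name` from `resolver`."""
    return RESOLVER_ANSWERS[resolver][name]


def destination(ip, client_inside):
    """Where a connection to `ip` on 443 terminates.

    Assumes NAT reflection is off (the pfSense default): from inside, the
    WAN address is the firewall itself, so the connection reaches the
    webConfigurator. From outside, the port forward sends it to the DMZ.
    """
    if ip == DMZ_HOST:
        return "nextcloud"
    if ip == WAN_IP:
        return "pfsense-webgui" if client_inside else "nextcloud"
    return "unreachable"


def check_client(resolver, client_inside=True):
    """Return (answer, destination) for a client that uses `resolver`."""
    answer = resolve(NAME, resolver)
    return answer, destination(answer, client_inside)


if __name__ == "__main__":
    # A LAN workstation pinned to Google DNS gets the WAN address and ends
    # up on the pfSense GUI, exactly the symptom reported in the thread.
    for r in (PFSENSE_RESOLVER, "8.8.8.8"):
        ans, dest = check_client(r)
        print(f"LAN client using {r:<10} -> {NAME} = {ans:<12} reaches {dest}")
```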