Resolving computer names over IPSec



  • If this isn't the proper section for this question, please let me know.

    I have my IPSec tunnel set up now, going from my office to a co-location facility.  Both sites are running pfSense, and both have Windows networks.  I'm able to access machines from my office to the colo, but only by IP address.  For example, I can't say, "dir \\coloServer1\data".  Rather, I have to do "dir \\192.168.100.22\data".  It'd really be nice if I could access those servers by name.

    I know I could make entries in my local Hosts file for each of the machines, and I'll do that if I have to.  We have a couple dozen machines in the office, though, and you know what a mess that can be to keep updated.

    My office network is 10.77.76.xxx, and the colo is 192.168.100.xxx.

    Is there a way to set up the mappings in pfSense so that I can access the colo machines by name from the office?

    Jim



  • This is really more of a dns question than an IPSec question.
    You could do this several ways and it depends on what DNS server your machines are using.
    I would probably forward queries for the zone across the tunnel to the correct DNS server.
    eg- Let's say you have company.office and company.colo with DNS servers at .10
    On 10.77.76.30 forward queries to company.colo to 192.168.100.30 and vice-versa. If you are using the dns forwarder on pfsense, you need to create a static route for the subnet at the other end of the tunnel and point it to your LAN interface.



  • Thanks.  I thought it had something to do with static routing, but I don't have enough knowledge yet to put all the pieces together.  I'll go over to the DNS section and post my question.



  • You have to create a static route.

    Assuming that the DNS server on the other side is 192.168.100.1 and your pfSense on your side is 10.77.76.1; if not, adjust accordingly. Note that the network for the remote DNS server is /32 and not /24.

    Interface  Network           Gateway
    LAN        192.168.100.1/32  10.77.76.1
    
    

    After that you have to go to Service -> DNS Forwarder and in the section saying "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain." you add.

    Domain      IP
    colo.local  192.168.100.1
    

    You will now have to connect to your server using \\server1.colo.local\Data or whatever you used in the previous section. To avoid having to write the "colo.local" you could add this to your Windows TCP/IP Advanced DNS configuration.
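An added example (not from this thread or from pfSense itself) that models the two settings described above, the /32 static route toward the remote DNS server and the DNS Forwarder domain override, and shows which upstream a query is sent to. It uses the addresses from the thread; the host names, the default upstream 203.0.113.53 and the simplified suffix handling are constructed for illustration.

```python
import ipaddress

# Addresses as used in the thread above.
OFFICE_LAN = ipaddress.ip_network("10.77.76.0/24")
COLO_LAN = ipaddress.ip_network("192.168.100.0/24")
OFFICE_PFSENSE = ipaddress.ip_address("10.77.76.1")
COLO_DNS = ipaddress.ip_address("192.168.100.1")
# Placeholder for the general (non-overridden) upstream resolver.
DEFAULT_UPSTREAM = "203.0.113.53"


def static_route(remote_dns, local_gateway, local_lan):
    """Host (/32) route for the remote DNS server via the local pfSense LAN
    address, so the forwarder's queries are sent into the IPsec tunnel
    rather than out the WAN. Only the single host gets the route."""
    if local_gateway not in local_lan:
        raise ValueError("gateway must be the pfSense LAN address")
    net = ipaddress.ip_network(f"{remote_dns}/32")
    return {"interface": "LAN", "network": str(net), "gateway": str(local_gateway)}


def domain_override(domain, server, remote_lan):
    """DNS Forwarder 'override an entire domain' entry; the authoritative
    server must live on the far side of the tunnel."""
    if server not in remote_lan:
        raise ValueError(f"{server} is not in {remote_lan}")
    return {"domain": domain.lower().strip("."), "ip": str(server)}


def upstream_for(name, overrides, default_upstream=DEFAULT_UPSTREAM):
    """Pick the upstream the forwarder uses for a query: the longest
    matching domain suffix wins, otherwise the general upstream."""
    labels = name.lower().strip(".").split(".")
    best = None
    for entry in overrides:
        dom = entry["domain"].split(".")
        if labels[-len(dom):] == dom and (best is None or len(dom) > len(best)):
            best = dom
            best_ip = entry["ip"]
    return best_ip if best else default_upstream


def candidates(name, suffix_list):
    """Simplified view of the Windows client side: an unqualified name is
    tried with each suffix configured under TCP/IP Advanced DNS settings,
    which is why 'server1' can reach 'server1.colo.local'."""
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in suffix_list]
```

A bare `server1` never matches the override on the forwarder, so the suffix must be supplied by the client before the query leaves the office network.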

