Internal DNS server



  • Hi,
    I've got a Mac mini server I am using as a mail, web and DNS server. Now that I have the pfSense working I am no longer able to get to those services via DNS anymore; I have to use the IP address of the host server instead. How do I set up pfSense so that the computers on the local network still work with the DNS?

    Thanks




  • Rebel Alliance Global Moderator

    If you have internal DNS, then your clients should point to your internal DNS.

    Or you would need to set up pfSense to use a domain override so it knows where to resolve said domain, if you're going to point your clients to pfSense for DNS. I am kind of with Grimson here: this is basic 101 stuff for anyone that is running a mail/web/DNS server. If you have questions on how to do something specific, it is in the docs. Or please ask your specific question on how to do xyz, etc.



  • Yes, I agree it is 101 to be able to set this up, as I was able to do so when it was just a modem and the server on a LAN. I was just able to point all the computers on the LAN to the DNS, and mail and web to the IP address, and was also able to get mail and see the website from the outside with just the port forwarding on the modem. Now I have the pfSense in the middle and I am not able to see the DNS, nor am I able to get any mail from outside, even after going through the link you all are pointing to.

    I did all that was said to be done with port forwarding and still nothing.

    Thanks


  • Rebel Alliance Global Moderator

    So what's not working, port forwarding?

    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    And again, to your DNS: if you are running a local DNS that is authoritative for your domain(s), then your clients should just point there, not at pfSense. You can set up a domain override in pfSense, be it unbound (resolver) or the older DNS forwarder (dnsmasq), so clients asking pfSense would be able to resolve your local domain names, and even pfSense would be able to resolve them, etc.

    Let's start with one issue at a time: what exactly is not working, and what have you done to troubleshoot it or attempt to correct the problem? If you're having port forwarding problems we are going to need the details of your setup to try and figure out what the issue is. The troubleshooting steps for finding the issue are clearly listed in the above link.
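The domain override the moderator describes here (and in the earlier reply) is conditional forwarding keyed on the query name's suffix: queries under the override zone go to the internal server, everything else to the normal upstream. The block below is an added example, not code from the thread or from pfSense. It models that dispatch offline and emits the equivalent unbound and dnsmasq fragments. The zone name home.lan, the upstream 9.9.9.9 and the sample query names are constructed for illustration; 172.17.1.23 is the internal DNS server the poster names later in the thread.

```python
# Added example, not from the thread or from pfSense: models the dispatch a
# pfSense "domain override" performs (conditional forwarding by name suffix)
# and emits the equivalent unbound / dnsmasq fragments. The zone home.lan,
# the upstream 9.9.9.9 and the sample names are constructed; 172.17.1.23 is
# the poster's internal DNS server.
import ipaddress

OVERRIDES = {
    # zone suffix          -> server authoritative for it
    "home.lan": "172.17.1.23",
    # reverse zone for 172.17.0.0/16, so PTR lookups also reach the internal server
    "17.172.in-addr.arpa": "172.17.1.23",
}
UPSTREAM = "9.9.9.9"  # hypothetical resolver for everything not overridden


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so suffix matching is case-insensitive."""
    return name.rstrip(".").lower()


def select_server(qname: str, overrides=OVERRIDES, upstream=UPSTREAM) -> str:
    """Pick the server for a query by longest matching zone suffix.
    A label boundary is required: 'homelan.example' must not match 'home.lan'."""
    q = normalize(qname)
    best_zone, best_server = "", upstream
    for zone, server in overrides.items():
        z = normalize(zone)
        if (q == z or q.endswith("." + z)) and len(z) > len(best_zone):
            best_zone, best_server = z, server
    return best_server


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address, e.g. 23.1.17.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def unbound_fragment(overrides=OVERRIDES) -> str:
    """unbound.conf equivalent: one forward-zone per override, plus private-domain
    so rebinding protection (private-address) keeps RFC1918 answers from those zones."""
    server = ["server:"]
    zones = []
    for zone, addr in overrides.items():
        if not zone.endswith("in-addr.arpa"):
            server.append(f'    private-domain: "{zone}"')
        zones += ["forward-zone:", f'    name: "{zone}"', f"    forward-addr: {addr}"]
    return "\n".join(server + zones)


def dnsmasq_fragment(overrides=OVERRIDES) -> str:
    """dnsmasq equivalent of the same overrides (server=/zone/ip)."""
    return "\n".join(f"server=/{zone}/{addr}" for zone, addr in overrides.items())


if __name__ == "__main__":
    for name in ["mail.home.lan", "www.example.com", ptr_name("172.17.1.23")]:
        print(f"{name:30} -> {select_server(name)}")
    print(unbound_fragment())
    print(dnsmasq_fragment())
```

Two things a practitioner would check after adding the override: the reverse zone (without an override for 17.172.in-addr.arpa, PTR queries for 172.17.x.x go to the public upstream and fail), and that the generated unbound.conf lists the zone as a private-domain, since unbound's rebinding protection otherwise discards the RFC1918 addresses the internal server answers with.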



  • OK, I've got the IP addresses as follows: the gateway is 172.16.100.1, the modem is 172.16.1.22, the LAN 172.17.100.1, and the local DNS, mail and web are on 172.17.1.23.

    This is how it is on the local clients: static IP 172.17.0.0, GW 172.17.100.1, DNS 172.17.1.23. When I go to the web address from the local network I get the web page from the URL of the web server, and I am able to see the login page of the pfSense and I am able to get on the internet. That works.

    However, when I try to get to the internet from the 172.17.1.23 I am not able to see the login page from the pfSense, nor am I able to get onto the internet from that computer.

    Will have to do the troubleshooting steps and see what I am not doing right, as I am not able to see the web nor the VPN nor the mail server from the outside.


  • Rebel Alliance Global Moderator

    Well for starters you're on RFC1918 on your WAN. So did you forward the ports to the pfSense WAN IP on the device in front of pfSense? Did you make the pfSense WAN IP the DMZ host in said device?

    You're using /16 masks? Why? Do you have some 65k devices on these networks?

    So you're saying your computer that you're trying to forward to, 172.17.1.23, can not get to the internet? Can it ping the pfSense IP on your LAN? Can pfSense ping this IP?



  • Yes, I disabled the firewall and made the WAN port of the pfSense a DMZ in the modem.

    I've got a lot of cams and light switches and devices on the network. I could change the modem and the WAN port IP address to something smaller, but that was the IP address that I was using before I placed the pfSense in the middle.

    Will check to see if I could ping them.


  • Rebel Alliance Global Moderator

    Yeah, I have a lot of devices too. 65,000 of them? Here is the thing: a mask of /16 is fine for a firewall rule where you have a downstream network, etc. It's great when you want to summary route over a VPN, etc.

    It makes zero sense to be a mask on an interface. Zero!! Let's say you had 1000s of wifi devices. OK, use a /22; hey, go nuts, use a /21. All that a /16 says is the person running this router/firewall/network doesn't understand basic concepts.

    Making the mask so large is only going to cause you grief. Overlap when connecting to other networks is the big one! Extra overhead in your DHCP pool from a memory standpoint, etc.

    You also run into problems describing your problems, because people assume /24, and when they see you say that x.x.100 talks to x.x.1 without routing it seems odd. If you're going to be posting networks that are off the norm, i.e. outside of a /24, then you should clearly post your mask when you give your networks.

    Maybe it's just the thing that blows my skirt up, gives me a draft around my balls I don't like; whatever it is, to be 100% honest, when I see someone posting that they are using a /16, the first thing that comes to mind is: OK, you're dealing with someone that doesn't get it, use small words and post lots of pictures. Do you get my drift? ;)
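The mask arithmetic behind this post, as an added example that is not part of the thread: it takes the LAN gateway 172.17.100.1 and server 172.17.1.23 the poster gave with the /16 they are using, and compares against a right-sized prefix. The /24 comparison, the remote network 172.17.5.0/24 (standing in for a VPN peer's LAN) and the device count of 300 are hypothetical.

```python
# Added example, not from the thread: what an interface mask decides.
# Addresses 172.17.100.1 (LAN gateway) and 172.17.1.23 (server) are from the
# thread; the /24 alternative, the remote network and the device count are
# hypothetical.
import ipaddress


def same_subnet(ip_a: str, ip_b: str, prefixlen: int) -> bool:
    """True if two hosts share an on-link subnet under this mask, i.e. they
    ARP for each other directly instead of sending via a router."""
    net = ipaddress.ip_interface(f"{ip_a}/{prefixlen}").network
    return ipaddress.ip_address(ip_b) in net


def overlaps(net_a: str, net_b: str) -> bool:
    """True if two prefixes share any address (a VPN / routing conflict)."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 host addresses under a prefix (network and broadcast excluded)."""
    return 2 ** (32 - prefixlen) - 2


def prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) whose usable host count still fits `hosts`."""
    for plen in range(30, 7, -1):
        if usable_hosts(plen) >= hosts:
            return plen
    raise ValueError("more hosts than a /8 can hold")


def mask_report(gw: str, host: str, remote: str, device_count: int) -> dict:
    """Compare the thread's /16 against a right-sized prefix for the same LAN."""
    right = prefix_for(device_count)
    lan16 = ipaddress.ip_interface(f"{gw}/16").network
    lan_right = ipaddress.ip_interface(f"{gw}/{right}").network
    return {
        "right_prefix": right,
        # the moderator's "x.x.100 talks to x.x.1 without routing" point
        "on_link_under_16": same_subnet(gw, host, 16),
        "on_link_under_right": same_subnet(gw, host, right),
        # the "overlap when connecting to other networks" point
        "overlap_under_16": overlaps(str(lan16), remote),
        "overlap_under_right": overlaps(str(lan_right), remote),
        "unused_addresses_under_16": usable_hosts(16) - device_count,
    }


if __name__ == "__main__":
    # 300 is a constructed count for "a lot of cams and light switches"
    for k, v in mask_report("172.17.100.1", "172.17.1.23", "172.17.5.0/24", 300).items():
        print(f"{k:28} {v}")
```

With 300 devices the right-sized prefix is a /23 (510 usable hosts). Under that mask 172.17.100.1 and 172.17.1.23 are on different subnets, which is why readers assuming anything near /24 find the poster's layout odd, and a hypothetical remote 172.17.5.0/24 reached over a VPN no longer collides with the LAN, which it does under /16.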