Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Forward "domain.com" requests from Public interface to external DNS

    Scheduled Pinned Locked Moved DHCP and DNS
    10 Posts 3 Posters 871 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nunnt
      last edited by

      We have a LAN and a PUBLIC network interfaces setup in pfsense. The LAN network is our corporate network, and a public network on a VLAN for wireless guest traffic. pfsense takes care of DHCP for our LAN. We have DNS resolver enabled and a host override set to direct our "domain.com" to our internal domain controller. We have this set for all our interfaces since we are using pfblocker. We just need to point "domain.com" requests coming from our public interface to our external facing IP (website) for "domain.com" requests. What's the best way to accomplish this?

      1 Reply Last reply Reply Quote 0
      • N
        nunnt
        last edited by

        Correction. pfsense takes care of DHCP for our Public network.

        1 Reply Last reply Reply Quote 0
        • KOMK
          KOM
          last edited by KOM

          @nunnt said in Forward "domain.com" requests from Public interface to external DNS:

          We just need to point "domain.com" requests coming from our public interface to our external facing IP (website) for "domain.com" requests. What's the best way to accomplish this?

          I had to edit my answer because my tiny brain got confused by PUBLIC to mean WAN...

          What is your PUBLIC network using for DNS? That's where you make the change to point your FQDN to your LAN IP address.

          1 Reply Last reply Reply Quote 0
          • N
            nunnt
            last edited by

            Just to clarify in case I wasn't clear:

            • LAN user goes to "domain.com", it looks to the domain override from the DNS resolver that points internally
              PUB user goes to "domain.com", it should look to our external IP for the website

            Unfortunately our internal and external domain is named "domain.com".

            1 Reply Last reply Reply Quote 0
            • KOMK
              KOM
              last edited by

              That doesn't make sense. Why would you want your PUBLIC users to go out and then back in WAN to get to a LAN server?? Put the same override on PUBLIC's DNS and then craft your firewall rules to allow PUBLIC to access that one specific server on LAN.

              Also, this is a lesson in not using a public domain for LAN or AD; you should use a subdomain instead like lan.yourdomain.com.

              1 Reply Last reply Reply Quote 0
              • N
                nunnt
                last edited by

                You are so right, lesson learned for sure.
                We currently have a split DNS configured so that LAN users have a host override for "domain.com" that points to our internal DC to resolve DNS requests first. "http://domain.com" and "https://domain.com" resolves externally from the DC DNS for LAN users. We don't allow LAN access to public connections so they can't take advantage of the split DNS to resolve. We want public connections to be able to resolve "http://domain.com" and "https://domain.com" to point externally. Public connections going to "www.domain.com" have no issues resolving externally. It's when the browser doesn't auto fill in the "www" that we are having the issue.

                1 Reply Last reply Reply Quote 0
                • KOMK
                  KOM
                  last edited by KOM

                  OK, that's actually called a domain override, not a host override. Host overrides translate a FQDN to a custom IP address. Domain overrides point you to another DNS that handles resolution for that domain.

                  What is PUBLIC using for DNS? pfSense's resolver? If so, I'm not aware of any method to dynamically resolve based on source network. BIND may have something like that with its Views feature but not resolver.

                  You could try turning on NAT Reflection, but it's all or nothing. You can't just limit it to PUBLIC.

                  https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

                  At the end of the day, you might be forced to allow PUBLIC acess to DNS only from your AD server on LAN, and web access from PUBLIC to the web server on LAN.

                  1 Reply Last reply Reply Quote 0
                  • C
                    conor
                    last edited by

                    Am i right in saying you just want the guest wifi network to go to the external IP for say your website?

                    In that case under DHCP Server for the guest wifi set the DNS entry for the DHCP to say the OpenDNS values. That way the guests aren't quering your DNS at all.

                    200+ pfSense installs - best firewall ever.

                    1 Reply Last reply Reply Quote 0
                    • N
                      nunnt
                      last edited by

                      Thanks for the thought Conor. The issue is we want to use pfsense to resolve DNS in order to use pfblocker for content filtering. I'm having hard time understanding how to accomplish this while resolving our "domain.com" requests externally.

                      1 Reply Last reply Reply Quote 0
                      • C
                        conor
                        last edited by

                        This is a mad idea but how about using DNS Forwarder and DNS Resolver, one for each subnet, make sure they are both running on different port numbers and set up a port forward on the guest wifi interface from port 53 to the correct port. Haven't tested it, but my understanding is DNS forwarder is DNSMASQ and Resolver is Bind. Might be worth a try. You'll need to have strict interface bindings though.

                        5c1641bb-42b3-4c9c-8b59-8b48ca7d2fd1-image.png

                        200+ pfSense installs - best firewall ever.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.