Netgate Discussion Forum

    Split DNS only for single VLAN

    DHCP and DNS
    8 Posts 2 Posters 864 Views
    trumee

      Hello,

      I have a LAN, DMZ and GUEST vlan. The DMZ hosts some nginx servers which are accessible from the Internet. There are some split DNS host overrides defined to allow LAN users to easily access these DMZ services.

      I have a rule where the GUEST vlan is not allowed to talk with the DMZ vlan using the RFC1918 address. However, I do want the GUEST vlan users to access the services which have been port forwarded and exposed to the Internet.

      I guess one solution could be to define split DNS only for LAN vlan. Is there any recommended way to solve this issue?

      Thanks

      johnpoz LAYER 8 Global Moderator

        If you have services open to the internet, in your "dmz", why would you want to block guest - is that not safer even than the internet?

        I am not understanding the use case here?

        You have services open to the public = "internet". Why would you block the same said services from your lan or guest?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        trumee @johnpoz

          @johnpoz I don't have everything in DMZ exposed to the internet. I could collect all the exposed services in DMZ, and then create a rule allowing traffic on these from Guest. However, it is more work since I will need to update this list each time a new service is added in the DMZ vlan.

          johnpoz LAYER 8 Global Moderator

            So these are not hosted under your proxy?

            If these are on different IPs in the dmz, or different ports, just don't open those from your guest?

            Could you give an example of something, say, you have open, and then something you don't want open from guest?

            A typical configuration of "guest" wouldn't even be allowed to use your dns.. So would point to something like googledns.. So they wouldn't even be able to resolve anything you're running locally.

            trumee

              @johnpoz said in Split DNS only for single VLAN:

              So would point to something like googledns.. So they wouldn't even be able to resolve anything you running locally

              This is interesting, and may be what I should use. So, guest devices will need to come in via the WAN side to access DMZ. I think this is what I am looking for.

              I am using nginx proxy for most services. However, there are others like jabber which need their own ports.

              trumee

                @trumee said in Split DNS only for single VLAN:

                So would point to something like googledns.. So they wouldn't even be able to resolve anything you running locally

                I tried this option. Unfortunately, the port 443 on which the nginx proxy listens is not reachable by the client.

                johnpoz LAYER 8 Global Moderator

                  Huh.. Thought that's what you want..

                  Please explain what you want..

                  Here is the thing.. Proxy listening on 443, serving up sites A, B, C - how are you going to block those at pfsense?

                  You could block resolving at the client via a view set on unbound. But they will all resolve to the same IP.. And go to the same port. So not possible with a firewall rule to say client in X vlan can go to site A, and B but not C..

                  You would have to block in the proxy.

                  trumee @johnpoz
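                  What the "view set on unbound" idea above (and the opening question of defining split DNS only for the LAN vlan) looks like in raw unbound syntax, as an added example that is not from the thread or from pfSense itself: the host overrides live in a view that is bound only to the LAN subnet, so LAN clients get the RFC1918 answers while GUEST clients get no local answer and resolve the public name through normal recursion. All subnets, hostnames and addresses below are assumed placeholders.

```conf
# Added example, not the poster's configuration. Subnets and names are
# placeholders; substitute the real LAN, GUEST and DMZ values.
server:
    # LAN (assumed 192.0.2.0/24): allowed to recurse AND mapped to the
    # "lan" view, which carries the split DNS host overrides.
    access-control: 192.0.2.0/24 allow
    access-control-view: 192.0.2.0/24 lan

    # GUEST (assumed 198.51.100.0/24): allowed to recurse, but no view is
    # assigned, so the overrides below are never visible to these clients.
    # They resolve web.example.net to its public address like any
    # Internet host would.
    access-control: 198.51.100.0/24 allow

    # Keep the overrides out of the global (server:) scope on purpose;
    # anything placed here as local-data would be answered to GUEST too.

view:
    name: "lan"
    # view-first: no (the default) means names not listed in this view
    # fall through to normal recursion rather than to the global zone.
    view-first: no
    # "transparent": only the listed names get local answers; other
    # records under example.net still come from the public zone.
    local-zone: "example.net." transparent
    local-data: "web.example.net. A 10.0.30.10"
    local-data: "jabber.example.net. A 10.0.30.20"
```

                  Check it with `unbound-checkconf`, then compare `dig web.example.net` from a LAN host (expect 10.0.30.10) and from a GUEST host (expect the public address). On pfSense the GUI host overrides are global, so to get this behaviour they would be removed from the GUI and entered under the DNS Resolver custom options instead (an assumption about where pfSense places them).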

                    @johnpoz Port 443 is forwarded to the internal NGINX proxy sitting in DMZ vlan. From GUEST vlan, I did a 'telnet wanip 443', and the port was not reachable.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.