Netgate Discussion Forum

    DNS re-direction for internal & external clients across an isolated VLAN

    Category: DHCP and DNS
    memphis2k:

      Hello all,

      I'm new to pfSense and really happy with its offerings, coming from Sophos UTM (Astaro). I just need some help understanding DNS. My question is: when I visit my Apache web server on a local, completely isolated VLAN, Firefox can't display the page because, I would assume, it resolves to 192.168.11.100. Do I research Split DNS / DNS Forwarder?

      -I'm using OpenDNS - configured in the System / General Setup / DNS Server Settings
      -Firewall Blocked LAN 1 going to VLAN 11
      -Firewall Blocked VLAN 11 going to LAN 1
      -PCs on main LAN 1 / 192.168.1.100
      -Server on VLAN 11 / 192.168.11.100

      So when the PC visits the Server, it can't find the page.
      When 4G LTE visits the Server, it works as expected.

      Part two:
      I need some help understanding, with maybe a quick example, when to use DHCP hostnames vs. host overrides / domain overrides. I have a lot of servers, like homebridge, nextcloud and a web server, such as homebridge.my.house / firewall.my.house / cloud.my.house.

      Please give advice if I'm doing something wrong.

      Thanks.

      johnpoz (LAYER 8 Global Moderator):

        @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

        -Firewall Blocked LAN 1 going to VLAN 11

        Well, if you're blocking traffic going to VLAN 11, where this server sits, how would it get there even if it resolved to the local IP?

        Resolving something.whatever.house would resolve to whatever DHCP, or a DHCP reservation, set it to be... or to whatever you set, if you created a host override for it.

        You use host overrides when you want host.domain.tld to resolve to whatever IP you want it to resolve to..

        You use domain overrides when you want host.domain.tld to be resolved by some other name server. So let's say you had some NS hosting DNS for example.tld - you would use a domain override to tell unbound to use NS 192.168.1.100 (or whatever IP this NS was on) to resolve anything.example.tld.

        If your LAN clients are using pfSense for DNS, then create a host override for web.domain.tld, or whatever name you want to resolve your Apache server with, pointing to the VLAN 11 IP of this server.

        But you're also going to have to allow the ports you want from LAN to VLAN 11 to talk to this server.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        memphis2k @johnpoz:

          @johnpoz

          Thanks for the reply. I have everything working without the firewall rules, just trying to isolate as much as possible.

          If I don't want LAN access to my server, could I do a host override with my WAN IP? So the process would go internal / external / internal for my PC visiting the server. Feasible?

          sample.tld resolves to the WAN IP regardless of whether it's local or external.

          johnpoz (LAYER 8 Global Moderator):

            @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

            sample.tld resolves to the WAN IP regardless of whether it's local or external.

            If sample.tld resolves to your WAN IP, you wouldn't be able to access it from a local machine unless you set up NAT reflection.


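As an added example, not code from the thread or from pfSense itself: the two replies from johnpoz above come down to two different Unbound constructs, which pfSense generates for you, plus the question of whether the LAN client can actually reach what the name resolves to. The script below prints the Unbound fragments a host override and a domain override become (assumed names: web.my.house on 192.168.11.100 in VLAN 11, a name server for example.tld at 192.168.1.100, pfSense LAN address 192.168.1.1, WAN address 203.0.113.5, service on TCP 443, all hypothetical), and with `--check` runs a dig and a TCP probe from a LAN PC and separates the three failure modes discussed here: no local answer, answer is the WAN IP (needs NAT reflection), or answer is the VLAN IP but the LAN to VLAN 11 firewall rule is missing.

```shell
#!/bin/sh
# Added example, not from the thread: what the two pfSense overrides become in
# Unbound's generated config, and a client-side check that tells the DNS
# problem apart from the firewall problem.
# Hypothetical names/addresses: web.my.house -> 192.168.11.100 (VLAN 11),
# pfSense LAN address 192.168.1.1, a name server for example.tld at
# 192.168.1.100, WAN address 203.0.113.5, service on TCP 443.

# Host override: pfSense writes local-data entries (A and matching PTR)
# into /var/unbound/host_entries.conf.
host_override() {            # host_override NAME IP
    printf 'local-data: "%s. A %s"\n' "$1" "$2"
    printf 'local-data-ptr: "%s %s"\n' "$2" "$1"
}

# Domain override: pfSense writes a forward-zone into
# /var/unbound/domainoverrides.conf; everything under the domain goes to that NS.
domain_override() {          # domain_override DOMAIN NS_IP
    printf 'forward-zone:\n\tname: "%s"\n\tforward-addr: %s\n' "$1" "$2"
}

# Classify what a LAN client sees. Arguments:
#   NAME RESOLVED_IP LOCAL_IP WAN_IP PORT_REACHABLE(yes|no)
diagnose() {
    name=$1 got=$2 local_ip=$3 wan_ip=$4 reachable=$5
    if [ -z "$got" ]; then
        echo "$name: no answer; add a host override (or check the client uses pfSense for DNS)"
    elif [ "$got" = "$wan_ip" ]; then
        echo "$name: resolves to WAN IP $wan_ip; from the LAN that needs NAT reflection, or a host override to $local_ip"
    elif [ "$got" != "$local_ip" ]; then
        echo "$name: resolves to $got, expected $local_ip; check host overrides and upstream records"
    elif [ "$reachable" != yes ]; then
        echo "$name: resolves to $local_ip but the port is closed; DNS is fine, add a LAN -> VLAN 11 pass rule for the port"
    else
        echo "$name: OK, resolves to $local_ip and the port answers"
    fi
}

# Live check from a LAN client: dig against the pfSense resolver, then a TCP probe.
live_check() {               # live_check NAME RESOLVER LOCAL_IP WAN_IP PORT
    got=$(dig +short "$1" A @"$2" 2>/dev/null | tail -n 1)
    if nc -z -w 2 "$got" "$5" >/dev/null 2>&1; then open=yes; else open=no; fi
    diagnose "$1" "$got" "$3" "$4" "$open"
}

if [ "${1:-}" = "--check" ]; then
    live_check web.my.house 192.168.1.1 192.168.11.100 203.0.113.5 443
else
    echo "# Unbound fragments pfSense generates for the two override types:"
    host_override web.my.house 192.168.11.100
    domain_override example.tld 192.168.1.100
    echo "# Run with --check from a LAN PC to test the real setup."
fi
```

Run it without arguments to see the generated Unbound syntax, and with `--check` from a PC on LAN 1 (dig and nc are the client-side tools; on pfSense itself use drill). The "port is closed" branch is the case in the original post: the name resolves correctly, but the LAN to VLAN 11 block rule stops the connection, so no amount of DNS work fixes it.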
            memphis2k @johnpoz:

              @johnpoz said in DNS re-direction for internal & external clients across an isolated VLAN:

              @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

              sample.tld resolves to the WAN IP regardless of whether it's local or external.

              If sample.tld resolves to your WAN IP, you wouldn't be able to access it from a local machine unless you set up NAT reflection.

              I added my WAN IP to the host overrides, and I'm getting the Let's Encrypt cert provided by HAProxy. This works perfectly, both for the LAN and outside my network. This will all break if my WAN IP changes, but then I won't need rules to allow traffic to pass between the LAN and the IoT VLAN 11 and vice versa.

              Then for devices on the same subnet, use a hostname. I think I got it.

              Thanks again for the clarification.

              johnpoz (LAYER 8 Global Moderator):

                @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

                This will all break if my WAN IP changes

                And why is that? That is the whole point of ddns.


                memphis2k @johnpoz:

                  @johnpoz said in DNS re-direction for internal & external clients across an isolated VLAN:

                  @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

                  This will all break if my WAN IP changes

                  And why is that? That is the whole point of ddns.

                  [image: Host_Overrides.png]

                  I can do DDNS in the Host Overrides?? I am doing DDNS for my domain already, and DDNS is set up in pfSense. It would be nice if I could do "This Firewall" instead of the IP address. Remember, I need to route my local DNS traffic for my domain to the firewall. So far, the Host Overrides are the only thing I found that works.

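The last post asks for a host override that follows the firewall's WAN address instead of a hard-coded IP. pfSense has no "This Firewall" option for host overrides, but Unbound can be told its local data at runtime with unbound-control, which pfSense already enables for its own use. The script below is an added example, not from the thread or from pfSense: it reads the current WAN IPv4 address, and for each listed name replaces the A record Unbound currently serves. Assumed and hypothetical: WAN interface igb0, the names in HOSTS, and Unbound's configuration at /var/unbound/unbound.conf (the path pfSense uses). The important caveat is that unbound-control changes live only in the running daemon: whenever pfSense regenerates and reloads Unbound (any DNS Resolver save, some DHCP lease events if registration is on), the runtime records vanish, so the script has to run again after each reload, e.g. from cron, and the GUI host override stays as a fallback.

```shell
#!/bin/sh
# Added example, not from the thread: keep a host override pointing at the
# firewall's current WAN address without hard-coding the IP.
# Assumptions (hypothetical): WAN interface igb0, names in HOSTS, Unbound's
# remote control enabled and its config at /var/unbound/unbound.conf.
# Caveat: unbound-control changes are runtime only. pfSense rewrites and
# reloads Unbound from config.xml, so re-run this after every reload.

WAN_IF=${WAN_IF:-igb0}
UNBOUND_CONF=${UNBOUND_CONF:-/var/unbound/unbound.conf}
HOSTS="cloud.my.house homebridge.my.house"
TTL=60

# First IPv4 address from "ifconfig <if> inet" style output on stdin.
parse_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

wan_ip() {
    ifconfig "$WAN_IF" inet 2>/dev/null | parse_inet
}

# Render an RR in the form unbound-control local_data expects.
a_record() {                 # a_record NAME TTL IP
    printf '%s. %s IN A %s' "$1" "$2" "$3"
}

# Reject anything that is not a dotted quad (e.g. WAN down, no address yet),
# so a failed lookup never wipes a working override.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# The A record Unbound currently serves for NAME (empty if none).
# list_local_data prints: name. ttl IN A addr
current_a() {
    unbound-control -c "$UNBOUND_CONF" list_local_data 2>/dev/null \
        | awk -v n="$1." '$1 == n && $4 == "A" { print $5; exit }'
}

update_override() {          # update_override NAME IP
    name=$1 ip=$2
    cur=$(current_a "$name")
    [ "$cur" = "$ip" ] && return 0          # already current, nothing to do
    [ -n "$cur" ] && unbound-control -c "$UNBOUND_CONF" local_data_remove "$name"
    unbound-control -c "$UNBOUND_CONF" local_data "$(a_record "$name" "$TTL" "$ip")"
}

main() {                     # main --apply | --dry-run
    ip=$(wan_ip)
    if ! is_ipv4 "$ip"; then
        echo "no IPv4 address on $WAN_IF; leaving overrides untouched" >&2
        return 1
    fi
    for h in $HOSTS; do
        if [ "$1" = "--apply" ]; then
            update_override "$h" "$ip"
        else
            echo "would set: $(a_record "$h" "$TTL" "$ip")"
        fi
    done
}

case "${1:-}" in
    --apply|--dry-run) main "$1" ;;
    *) echo "usage: $0 --dry-run | --apply" ;;
esac
```

Run it with `--dry-run` first to see the records it would push, then `--apply` from a cron entry; the `list_local_data` comparison makes repeated runs cheap and avoids needless cache churn. A short TTL (60 s here) is what lets LAN clients pick up a WAN change quickly, which is the same reason the public DDNS record should carry a short TTL.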
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.