DNS re-direction for internal & external clients across an isolated VLAN

memphis2k

Hello all,

I'm new to pfSense and really happy with its offerings coming from Sophos UTM (Astaro). I'm just needing some help understand DNS. My questions is: when I visit a my Apache web server on a local completely isolated VLAN, Firefox can't display the page because I would assume its resolve to 192.168.11.100. Do I research Split DNS / DNS Forwarder?

-I'm using OpenDNS - configured in the System / General Setup / DNS Server Settings
-Firewall Blocked LAN 1 going to VLAN 11
-Firewall Blocked VLAN 11 going to LAN 1
-PC's on main LAN 1 / 192.168.1.100
-Server on VLAN 11 / 192.168.11.100

So when PC visit Server, can't find page
When 4G LTE visit's Server, it works as expected.

Part two:
Need some help understanding and maybe a quick example of when to use DHCP hostnames, vs hostname overrides / Domain Overrides. I have a lot of servers, like homebridge, nextcloud, web server. Such as homebridge.my.house / firewall.my.house / cloud.my.house.

Please give advice if I'm doing something wrong.

Thanks.

johnpoz

@memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

-Firewall Blocked LAN 1 going to VLAN 11

Well if your blocking going to vlan 11 where this server sits how would it get there even if resolved it to the local IP?

Resolving something.whatever.house - would be resolved to whatever dhcp, or dhcp reservation set it to be... Or if you created a host override for that to resolve to whatever.

You use host overrides when you want host.domain.tld to resolve to whatever IP you want it to resolve to..

You use domain overrides when you want host.domain.tld to be resolved by some other name server. So lets say you had some NS hosting dns for example.tld - you would use a domain override to tell unbound to use NS 192.168.1.100 (or whatever IP this NS was on) to resolve anything.example.tld.

If your lan clients are using pfsense for dns, then create a host override for web.domain.tld, whatever the name you want to resolve your apache server with.. To point to the vlan 11 IP of this server.

But your also going to have to allow the ports you want from lan to vlan11 to talk to this server.

memphis2k

@johnpoz

Thanks for the reply. I have everything working without the firewall rules, just trying to isolate as much as possible.

If I don’t want LAN access to my server, could I do an Host override with my WAN IP? So the process would go internal / external / internal for my PC visiting the server. Feasible?

sample.tld resolves to WAN IP regardless it’s local or external.

johnpoz

@memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

sample.tld resolves to WAN IP regardless it’s local or external.

If sample.tld resolves to your wan IP.. You wouldn't be able to access it from a local machine unless you setup nat reflection

memphis2k

@johnpoz said in DNS re-direction for internal & external clients across an isolated VLAN:

@memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

sample.tld resolves to WAN IP regardless it’s local or external.

If sample.tld resolves to your wan IP.. You wouldn't be able to access it from a local machine unless you setup nat reflection

I added my WAN IP to the host overrides, and I'm getting the Let's Encrypt cert provided by HAProxy. This works perfect, both for LAN & outside my network. This will all break if my WAN IP changes, but then I won't need rules to allow traffic to pass between the LAN and IoT VLAN 11 and vice versa.

Then for devices on the same subnet, use a hostname. I think I got it.

Thanks again for the clarification.

johnpoz

@memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

This will all break if my WAN IP changes

And why is that? That is the whole point of ddns.

memphis2k

@johnpoz said in DNS re-direction for internal & external clients across an isolated VLAN:

@memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN:

This will all break if my WAN IP changes

And why is that? That is the whole point of ddns.

I can do DDNS in the Host Overrides?? I am doing DDNS for my domain already and DDNS setup in pfSense. It would be nice if I could do "This Firewall", instread of the IP address. Remember I need to route my local DNS traffic for my domain to the firewall. So far, the Host Overrides are the only thing I found that works.