Managing communication among multiple internal servers
In our DMZ, we have a handful of servers, serving mail, web, and DNS. We'll get back to that last one further down.
Have our Netgate up and stumbling. External and internal access to web and mail is good. One thing that isn't good is that mail sent from one of the internal servers to another, or from the LAN (using the public-facing WAN name), goes nowhere. Inside to outside is fine. Outside to inside is fine. But mail (or traceroute, or ssh, etc.) from one internal server to another just hangs. We have pure NAT reflection enabled on the server WAN address NATs on a per-NAT basis.
It looks like the way to fix this is to use host overrides in DNS Resolver. I am attempting this with one of the server public names, and thus far, only the diags from the firewall pick it up. I am guessing this is because I have provided the querying server with 8.8.8.8 as its DNS server, and need to remove that? If so, for a Linux host, what should it be set to? The DMZ gateway? Nothing? Similar question for the LAN clients...many are DHCP clients, but not all.
And the last piece of this: two of these servers are also serving DNS for internal servers to the outside world. The pfSense docs suggest that is going to be a problem. I can (I think) change the port those listen on, and jigger the inbound NATs to take traffic aimed at 53 and shunt it to this alternate port, so internal requests don't conflict.
If I am going at this the hard way, please enlighten me. On the Gnatbox we're coming off of, it was simply a matter of providing "static mapping" entries for these servers. I can see where the pfSense approach is much more robust and flexible, but it is new territory for me.
Thanks in advance.
--Richard
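A small added example to go with the post above (editor's code, not Richard's and not part of pfSense). It shows the two pieces that decide whether split DNS works for a DMZ host: the host overrides rendered in the Unbound `local-data` syntax that the pfSense DNS Resolver is built on, and an audit of a host's `/etc/resolv.conf` that flags any nameserver which would send queries past the firewall's resolver, where the overrides are never seen. The names, addresses and networks (example.com, 192.168.10.0/24 as the DMZ, 192.168.1.0/24 as the LAN, 192.168.10.1 as the firewall's DMZ interface) and the sample resolv.conf are all constructed for the example.

```python
import ipaddress

# Constructed example data: networks, names and addresses are assumptions
# for this example, not values from the original post.
DMZ_NET = ipaddress.ip_network("192.168.10.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_NETS = (DMZ_NET, LAN_NET)
FIREWALL_RESOLVER = "192.168.10.1"  # hypothetical DMZ address of the firewall

# Public names -> DMZ addresses the resolver should hand to internal clients,
# so a DMZ or LAN host talks to the neighbouring server directly instead of
# bouncing off the WAN address through NAT reflection.
HOST_OVERRIDES = {
    "mail.example.com": "192.168.10.5",
    "www.example.com": "192.168.10.6",
    "ns1.example.com": "192.168.10.7",
}

# Constructed sample /etc/resolv.conf from a DMZ host that still lists a
# public resolver ahead of the firewall.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host's file
search example.com
nameserver 8.8.8.8
nameserver 192.168.10.1   # DMZ interface of the firewall
"""


def unbound_host_overrides(overrides):
    """Render host overrides as Unbound local-data lines.

    Unbound creates an implicit 'transparent' local-zone for these names, so
    any other name under example.com is still looked up normally; only the
    listed hosts get the internal answer."""
    lines = []
    for name, addr in sorted(overrides.items()):
        ip = ipaddress.ip_address(addr)  # ValueError on a malformed address
        rr = "A" if ip.version == 4 else "AAAA"
        lines.append(f'local-data: "{name}. IN {rr} {ip}"')
        lines.append(f'local-data-ptr: "{ip} {name}."')
    return lines


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def audit_resolv_conf(resolv_conf_text, resolver_ip=FIREWALL_RESOLVER,
                      internal_nets=INTERNAL_NETS):
    """Classify each nameserver: 'ok' if it is the firewall's resolver,
    'warn' if it is some other internal server (overrides are not applied
    unless that server forwards to the firewall), 'bypass' if it is an
    external resolver, which answers with the public WAN address."""
    resolver = ipaddress.ip_address(resolver_ip)
    findings = []
    for server in parse_nameservers(resolv_conf_text):
        ip = ipaddress.ip_address(server)
        if ip == resolver:
            verdict = "ok"
        elif any(ip in net for net in internal_nets):
            verdict = "warn"
        else:
            verdict = "bypass"
        findings.append((server, verdict))
    return findings


if __name__ == "__main__":
    print("\n".join(unbound_host_overrides(HOST_OVERRIDES)))
    for server, verdict in audit_resolv_conf(SAMPLE_RESOLV_CONF):
        print(f"{server:16} {verdict}")
```

On a real host, point the audit at the actual file (`audit_resolv_conf(open("/etc/resolv.conf").read())`); a glibc resolver tries nameservers in listed order, so an external entry listed first is enough to bypass the overrides even when the firewall is also listed.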