Netgate Discussion Forum

    Domain override => host override over VPN

    DHCP and DNS
    3 Posts 3 Posters 128 Views
    McMurphy

      I have two pfSense connected via VPN, main & remote.

      Both sites use DNS resolver

      The main site has a series of host overrides that resolve correctly at the main site network

      1. server1.domainA => 192.168.1.20
      2. server2.domainA => 192.168.1.21
      3. server3.domainA => 192.168.1.22

      At the remote site I wish to also be able to resolve these hosts so I believe my options are:

      1. Recreate all host overrides at the remote site (tested and works)
      2. Use a domain override for domainA on the remote site's pfSense and point it to the main site's pfSense (not working)

      I'd prefer (2) as the list of host overrides will grow over time and I'd prefer not to update multiple locations.

      Should (2) above work, or is it not the way to do this?

    keyser @McMurphy

        @McMurphy It can be brought to work (I’m currently using exactly that setup), but it requires some “non logical” configuration on your boxes.

        Basically the issue is that when one pfSense tries to connect to the other over VPN, it sources the traffic from an interface which causes the traffic to bypass being routed to the remote site (typically goes out of WAN, the default route, instead).
        So depending on which interface IP you are trying to reach remotely (I assume LAN), you need to create a gateway on each box using its own LAN interface as the gateway IP, and then create a route to the remote LAN subnet using that gateway. That will cause the local pfSense to source the traffic from its own LAN interface, and thus comply with the routing or VPN policy rules for sending traffic down the tunnel.

        Love the no fuss of using the official appliances :-)

    johnpoz @McMurphy

          @McMurphy keep in mind whenever you forward, i.e. your domain override is a forward, if the answer is RFC1918 it would be a rebind. So where you're creating the domain override you would also need to set the domain as private.

          https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

          You also need to make sure where you're sending the query that the ACL on unbound allows for the query. I would do a directed query to the unbound on the far side of the VPN and make sure you actually get an answer. This would not take into account any rebind, but would validate your firewall rules and unbound ACLs allow for the query.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11
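Editor's note: the following is an added example, not code from the thread or from pfSense itself. It models the two failure points the replies above describe for a domain override over a VPN: the main-site unbound access control refusing the remote resolver's query, and rebind protection discarding an RFC1918 answer unless the zone is listed as a private domain. The host overrides and domainA are from the first post; the main-site pfSense LAN IP (192.168.1.1), the remote-site LAN (192.168.2.0/24) and its pfSense IP (192.168.2.1) are assumptions for illustration. The `remote_site_custom_options` and `main_site_access_control` helpers render the equivalent raw unbound directives so the GUI settings (Domain Override, Private Domains, Access Lists) can be checked against them.

```python
"""Model of a pfSense/unbound domain override across a site-to-site VPN.

Added example by the editor, not from the thread.  Addresses marked
'assumed' are not stated in the thread.
"""
import ipaddress

# --- values from the thread -------------------------------------------------
DOMAIN = "domainA"
HOST_OVERRIDES = {  # main-site host overrides listed in the first post
    "server1.domainA": "192.168.1.20",
    "server2.domainA": "192.168.1.21",
    "server3.domainA": "192.168.1.22",
}
# --- assumed addresses ------------------------------------------------------
MAIN_DNS = "192.168.1.1"        # main-site pfSense LAN IP (assumed)
REMOTE_LAN = "192.168.2.0/24"   # remote-site LAN subnet (assumed)
REMOTE_DNS = "192.168.2.1"      # remote-site pfSense LAN IP (assumed)

# Private-address set pfSense configures for unbound by default:
# RFC 1918 plus IPv4/IPv6 link-local and IPv6 ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]


def remote_site_custom_options(domain=DOMAIN, forward_to=MAIN_DNS):
    """unbound directives the remote pfSense ends up with.  The forward-zone
    is what the GUI's Domain Override creates; private-domain is the extra
    setting that keeps RFC1918 answers for this zone from being discarded."""
    return "\n".join([
        "server:",
        f'  private-domain: "{domain}"',
        "forward-zone:",
        f'  name: "{domain}"',
        f"  forward-addr: {forward_to}",
    ])


def main_site_access_control(remote_lan=REMOTE_LAN):
    """ACL entry the main pfSense needs so queries arriving from the remote
    resolver over the tunnel are answered (GUI: DNS Resolver > Access Lists)."""
    return f"  access-control: {remote_lan} allow"


def acl_allows(src_ip, access_controls):
    """unbound access-control semantics: the most specific matching entry
    wins; a source that matches nothing is refused.  pfSense allows its own
    local subnets by default, but the remote site's LAN is not one of them."""
    src = ipaddress.ip_address(src_ip)
    best = None
    for line in access_controls:
        net_str, action = line.split()
        net = ipaddress.ip_network(net_str)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best is not None and best[1] == "allow"


def rebind_filtered(name, answer_ip, private_domains):
    """True if rebind protection would drop this answer: the address is in a
    private range and the name is not under any private-domain.  The suffix
    match is label-wise, so 'server1.domainA' is covered by 'domainA'."""
    addr = ipaddress.ip_address(answer_ip)
    if not any(addr in net for net in PRIVATE_NETS):
        return False
    labels = name.lower().rstrip(".").split(".")
    for pd in private_domains:
        pdl = pd.lower().rstrip(".").split(".")
        if labels[-len(pdl):] == pdl:
            return False
    return True


def remote_lookup(name, private_domains, src_ip=REMOTE_DNS,
                  main_acls=(f"{REMOTE_LAN} allow",)):
    """Simulate the remote resolver forwarding 'name' to the main site and
    report what the remote-site client would effectively see."""
    if not acl_allows(src_ip, main_acls):
        return "REFUSED"            # main-site unbound ACL rejected the query
    answer = HOST_OVERRIDES.get(name)
    if answer is None:
        return "NXDOMAIN"
    if rebind_filtered(name, answer, private_domains):
        return "REBIND_FILTERED"    # record stripped; no usable answer
    return answer


if __name__ == "__main__":
    print(remote_site_custom_options())
    print(main_site_access_control())
    print(remote_lookup("server1.domainA", []))          # REBIND_FILTERED
    print(remote_lookup("server1.domainA", ["domainA"]))  # 192.168.1.20
```

For the directed query johnpoz suggests, run it from a client on the remote LAN (for example `drill @192.168.1.1 server1.domainA`): an answer proves the tunnel, firewall rules and ACL are fine, and a private-domain entry is then the remaining piece. Running the same query from the remote pfSense's own shell is a different test, because the query's source address is chosen by routing, which is exactly the interface-sourcing problem keyser's gateway-and-route workaround addresses.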

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.