DNS Forwarding over IPSEC OR OpenVPN tunnel



  • Hey all,

I have a new IPSEC VPN tunnel working on my test network. I can ping, RDP, and access UNC (\\computer) shares using the IP address of hosts on the other end of the VPN. I want to be able to ping the PCs on the other end of the VPN using hostnames. One router will be on the East coast, the other on the West coast.
    Here is my setup:
    East Router:
    Subnet: 192.168.100.0/24
    IP: 192.168.100.1
    Only host: 192.168.100.254

    West Router:
    Subnet: 192.168.200.0/24
    IP: 192.168.200.1
    Only host: 192.168.200.253

    Domain on BOTH routers: test.local
Both routers are connected to my primary network of subnet 192.168.1.0/24 (non-pfSense router).

    What do I need to do to allow me to ping by DNS hostname over the IPSec tunnel to the other side?
What if I set up a local LAN DNS server on either/both sides instead of using the router DNS server?

    Thanks!

UPDATE: Now I have OpenVPN working between the two routers without the IPSEC tunnel. I have the DNS server options set properly but I still can't ping netbios/DNS computer names on the other router endpoint. If I statically set the DNS server IP on one side to the DNS on the other side, I can ping just fine.



  • @TC10284:

    What do I need to do to allow me to ping by DNS hostname over the IPSec tunnel to the other side?
What if I set up a local LAN DNS server on either/both sides instead of using the router DNS server?

    Thanks!

UPDATE: Now I have OpenVPN working between the two routers without the IPSEC tunnel. I have the DNS server options set properly but I still can't ping netbios/DNS computer names on the other router endpoint. If I statically set the DNS server IP on one side to the DNS on the other side, I can ping just fine.

Maybe you just need to add some hostname entries in the two pfSense DNS servers. (Web GUI: Services -> DNS, and add name-to-address mappings under "You may enter records that override the results from the forwarders below.") I think this will be easier than setting up your own DNS server but maybe I've missed some important aspect of your requirements.

    Your UPDATE doesn't specify how you setup the DNS server options. I presume your problem is that the DNS servers don't have a name to address mapping for the system on the other end of the VPN.



  • @wallabybob:

Maybe you just need to add some hostname entries in the two pfSense DNS servers. (Web GUI: Services -> DNS, and add name-to-address mappings under "You may enter records that override the results from the forwarders below.") I think this will be easier than setting up your own DNS server but maybe I've missed some important aspect of your requirements.

    Your UPDATE doesn't specify how you setup the DNS server options. I presume your problem is that the DNS servers don't have a name to address mapping for the system on the other end of the VPN.

I'd prefer not to do static hostname to IP entries on the pfSense DNS servers. The routers will eventually be set up on both coasts and will service multiple clients. Actually setting up a DNS server in Win Server 2000, 2003, and 2008 is quite easy, but I am trying to keep the needed equipment to a minimum to begin with.

    As for the UPDATE, the DNS server options in pfSense are at their default values.

Last night I did an nslookup on each computer of west and east. I could switch servers: server 192.168.200.1 from the east computer and resolve the west computer hostname just fine. I understand why I can't resolve hostnames on the other side, because the east DNS server doesn't have entries for the hostnames on the west router. I just don't understand how to get one router to forward the query to the DNS server on the other side.

    I've done a Windows Server VPN behind a router/firewall. I specified an option in the config to use Netbios over TCP (IIRC) and also configured it to hand out DNS server IPs to connected clients and that solved my problem. I guess I'm looking to do similar here, but with pfSense and using site-to-site with either IPSEC or OpenVPN.



  • Based on what I have read in the recently published pfSense book it would appear that you can get what you want by these changes in the webGUI System -> General Setup DNS Servers:

    • For the two DNS servers specify one of your ISP's DNS servers or one of the OpenDNS servers or … (one DNS server that you are currently using) AND the other pfSense box

    • Uncheck the box Allow DNS server list to be overridden by DHCP/PPP on WAN

    The book says the DNS forwarder sends lookup requests to both servers and uses whatever answer comes back first.



  • If I do this, I'll only have two DNS server entries on: System -> General Setup DNS Servers
These will be 192.168.100.1 and 192.168.200.1. This will not allow me to get outside of the VPN network. I tried to manually edit /etc/resolv.conf to add three nameservers, but after rebooting, resolv.conf reverts to what's applied via the web GUI.

    Is there no other way?



  • Then again…
    If 192.168.100.1 on East (192.168.100.0/24 subnet) wasn't needed to begin with to ping computers by hostname from East to East, then I wouldn't need to even put 192.168.100.1 as a DNS server on East. Hmmm...interesting



  • @TC10284:

    If I do this, I'll only have two DNS server entries on: System -> General Setup DNS Servers
These will be 192.168.100.1 and 192.168.200.1. This will not allow me to get outside of the VPN network. I tried to manually edit /etc/resolv.conf to add three nameservers, but after rebooting, resolv.conf reverts to what's applied via the web GUI.

    Is there no other way?

    I didn't think that was what I suggested so I will try to put it another way.

    On the east coast pfSense configure the two DNS servers as your external DNS AND the west coast pfSense.

    On the west coast pfSense configure the two DNS servers as your external DNS AND the east coast pfSense.



  • @wallabybob:

    I didn't think that was what I suggested so I will try to put it another way.

    On the east coast pfSense configure the two DNS servers as your external DNS AND the west coast pfSense.

    On the west coast pfSense configure the two DNS servers as your external DNS AND the east coast pfSense.

    Yep. I realized that shortly before I replied a second time.
    I'll give that a try next.

    Thank you! Here's hoping it works…



  • C:\Documents and Settings\TC10284>tracert cashback.32inc.local

    Tracing route to cashback.32inc.local [192.168.200.252]
    over a maximum of 30 hops:

    1    <1 ms    <1 ms    <1 ms  pfsense-east.32inc.local [192.168.100.1]
    2     1 ms    <1 ms    <1 ms  192.168.50.2
    3     1 ms     2 ms     1 ms  cashback.32inc.local [192.168.200.252]

    Trace complete.

    I did what you said. After hours of troubleshooting and problems, I think I finally got it. I do have to use the domain suffixes to get pings/tracerts to work, but I guess I can't be too picky.

    Sweet.
    So far, so good. Now if I can get the roadwarrior part of OpenVPN working as needed…

    I also ran into an issue of not having the address pool setup correctly on the client side of the site-to-site (which is where the hours of troubleshooting/problems came into play). Fixed that and things seemed to start making more sense.



  • OK - so now I have a roadwarrior VPN setup in OpenVPN. It is working great with one client.

    My only issue and question is:
How can I get the roadwarrior client to be able to ping a computer on the west side when connected to the east side? Nslookup resolves the IP of the system on the west side fine, but when I do a ping it times out. When I tracert, it routes all the way out to the Internet. My pfSense DNS servers are 8.8.8.8 and 192.168.200.1 in the pfSense General Setup. However, the VPN client is using 192.168.60.1 or 192.168.100.1 (cannot recall) as the DNS server. I've tried pushing the DNS servers to the VPN client via the VPN server config page but that does not help. I've tried adding another network (push route) on the VPN server config page and that does not help.

    Is there any way I can get this working? So far things are working satisfactorily other than this.

    One more question: for the OpenVPN client setup, can I configure OpenVPN to work with more than one VPN server (not simultaneously of course). Just have it setup to where it can either connect to east or west side VPN routers, depending upon the roadwarrior's location in the US.



  • Can TinyDNS help me out any?

Perhaps set up some form of replication between the two sites so that they will have the same records for DHCP clients?

    Also, I cannot ping any hosts on 192.168.200.0/24 from a VPN client connected to East on 192.168.100.0/24



  • @TC10284:

    Can TinyDNS help me out any?

    Depends if the problem is a DNS problem or a routing problem!

Perhaps set up some form of replication between the two sites so that they will have the same records for DHCP clients?

    Depends if the problem is a DNS problem or a routing problem!

    Also, I cannot ping any hosts on 192.168.200.0/24 from a VPN client connected to East on 192.168.100.0/24

    How will the VPN client know how to get to 192.168.200.0/24? Do all the intermediate systems know how to get to 192.168.200.0/24? Do all the intermediate systems on the return path know how to get back to the client?



  • Well I did push a route to 192.168.200.0/24 using the OpenVPN options but that didn't seem to fix things.

    Before I changed the first DNS server under General Settings to 192.168.200.1 and the secondary DNS server to 8.8.8.8, the client would tracert out to the Internet.
    Now the client just times out.

    I've tried adding firewall rules to both the WAN and LAN side to allow anything from 192.168.60.0/24 to come in and go out of the router, but that did not seem to help. Maybe I did the rules wrong.



  • I don't have any experience with OpenVPN.

    Here's how I would attempt to resolve your problem.

    1. draw a network map showing all the links including VPNs.

    2. On the client, do a traceroute to the target system.

3. Check that the last system shown on the traceroute has routes that will help forward packets in both directions between client and target. Add necessary routes and repeat from 2). If the necessary routes exist, check that the next system responds to ICMP packets.

    Here's a simple example from my home network showing where a route needed to be added.

    adsl MODEM/Router <----> pfSense <----> LAN
                                |<--------> Server

The three links in the diagram above are ethernet. The Server is on the pfSense OPT1 interface. The adsl modem/router is configured to port forward incoming (from the internet) TCP connections on port zz to the server. The server is on a different subnet to the pfSense WAN interface and has a private IP, so the adsl modem/router needs a route to tell it how to get to the server. Return traffic doesn't need a specific route on the server because the server's default route is to pfSense, and pfSense knows how to get to the adsl MODEM/router because the adsl MODEM/router is on the same subnet as the pfSense WAN interface.

I think the VPN links are usually point to point links so the routing will be a little different (the whole subnet may not be visible from an end point).



  • I think what you're looking for is a static route.  Something like:

    interface:  lan
    network:  your-remote-net/netmask
    gateway:  your-lan-ip
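The three-step check in the previous reply and the static-route suggestion above can be turned into a small route walk that finds the hop missing a route in either direction; this is an added example, not code from the thread or from pfSense. It assumes a constructed topology built from the addresses in the thread (road-warrior pool 192.168.60.0/24, the 192.168.50.x tunnel link seen in the tracert, LAN gateways .100.1 and .200.1); the WAN gateway addresses are placeholders.

```python
from ipaddress import ip_address, ip_network
# Constructed routing tables: (prefix, next hop); next hop None = directly connected.
# Addresses follow the thread (client pool 192.168.60.0/24, tunnel link 192.168.50.0/30,
# LAN gateways .100.1 and .200.1); the WAN gateways are documentation-range placeholders.
TABLES = {
    "client": [("0.0.0.0/0", "192.168.60.1")],
    "pfsense-east": [("192.168.60.0/24", None), ("192.168.100.0/24", None),
                     ("192.168.50.0/30", None), ("192.168.200.0/24", "192.168.50.2"),
                     ("0.0.0.0/0", "203.0.113.1")],
    "pfsense-west": [("192.168.200.0/24", None), ("192.168.50.0/30", None),
                     ("192.168.100.0/24", "192.168.50.1"),
                     ("0.0.0.0/0", "198.51.100.1")],  # no route back to 192.168.60.0/24
    "target": [("192.168.200.0/24", None), ("0.0.0.0/0", "192.168.200.1")],
}
# Which node owns each interface address, so a next hop can be mapped to a node.
OWNER = {"192.168.60.10": "client", "192.168.60.1": "pfsense-east",
         "192.168.50.1": "pfsense-east", "192.168.50.2": "pfsense-west",
         "192.168.200.1": "pfsense-west", "192.168.200.252": "target"}

def lookup(tables, node, dst):
    """Longest-prefix match on one node's table; None if it has no route at all."""
    best = None
    for prefix, nh in tables[node]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(tables, src, dst):
    """Walk hop by hop; returns (delivered, path). Stops at the first node that has
    no route, forwards off-site (next hop is not one of ours), or loops."""
    node, path = src, [src]
    while OWNER.get(dst) != node:
        hit = lookup(tables, node, dst)
        if hit is None:
            return False, path
        nxt = dst if hit[1] is None else hit[1]  # connected network: deliver directly
        if nxt not in OWNER or OWNER[nxt] in path:
            return False, path
        node = OWNER[nxt]
        path.append(node)
    return True, path

def round_trip(tables, client_ip="192.168.60.10", target_ip="192.168.200.252"):
    """Ping needs both directions; DNS resolving the name does not prove either."""
    fwd, fwd_path = trace(tables, "client", target_ip)
    ret, ret_path = trace(tables, "target", client_ip)
    return fwd and ret, fwd_path, ret_path

# The same tables after adding the return route that step 3 above calls for.
FIXED = {**TABLES, "pfsense-west": [("192.168.60.0/24", "192.168.50.1")] + TABLES["pfsense-west"]}
```

With TABLES the forward walk reaches the target but the return walk stops at pfsense-west, which only has a default route for the client pool; with FIXED both directions deliver.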

