DNS Forwarding over IPSEC OR OpenVPN tunnel
-
Based on what I have read in the recently published pfSense book, it would appear that you can get what you want by these changes in the webGUI under System -> General Setup, DNS Servers:
-
For the two DNS servers, specify one of your ISP's DNS servers or one of the OpenDNS servers or … (one DNS server that you are currently using) AND the other pfSense box.
-
Uncheck the box "Allow DNS server list to be overridden by DHCP/PPP on WAN".
The book says the DNS forwarder sends lookup requests to both servers and uses whatever answer comes back first.
-
-
If I do this, I'll only have two DNS server entries on: System -> General Setup DNS Servers
These will be 192.168.100.1 and 192.168.200.1. This will not allow me to get outside of the VPN network. I tried to manually edit /etc/resolv.conf to add three nameservers, but after rebooting, resolv.conf reverts to what's applied via the web GUI. Is there no other way?
-
Then again…
If 192.168.100.1 on East (192.168.100.0/24 subnet) wasn't needed to begin with to ping computers by hostname from East to East, then I wouldn't need to even put 192.168.100.1 as a DNS server on East. Hmmm...interesting -
If I do this, I'll only have two DNS server entries on: System -> General Setup DNS Servers
These will be 192.168.100.1 and 192.168.200.1. This will not allow me to get outside of the VPN network. I tried to manually edit /etc/resolv.conf to add three nameservers, but after rebooting, resolv.conf reverts to what's applied via the web GUI. Is there no other way?
I didn't think that was what I suggested so I will try to put it another way.
On the east coast pfSense configure the two DNS servers as your external DNS AND the west coast pfSense.
On the west coast pfSense configure the two DNS servers as your external DNS AND the east coast pfSense.
-
I didn't think that was what I suggested so I will try to put it another way.
On the east coast pfSense configure the two DNS servers as your external DNS AND the west coast pfSense.
On the west coast pfSense configure the two DNS servers as your external DNS AND the east coast pfSense.
Yep. I realized that shortly before I replied a second time.
I'll give that a try next. Thank you! Here's hoping it works…
-
C:\Documents and Settings\TC10284>tracert cashback.32inc.local

Tracing route to cashback.32inc.local [192.168.200.252]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  pfsense-east.32inc.local [192.168.100.1]
  2     1 ms    <1 ms    <1 ms  192.168.50.2
  3     1 ms     2 ms     1 ms  cashback.32inc.local [192.168.200.252]

Trace complete.
I did what you said. After hours of troubleshooting and problems, I think I finally got it. I do have to use the domain suffixes to get pings/tracerts to work, but I guess I can't be too picky.
Sweet.
So far, so good. Now if I can get the roadwarrior part of OpenVPN working as needed… I also ran into an issue of not having the address pool set up correctly on the client side of the site-to-site (which is where the hours of troubleshooting/problems came into play). Fixed that and things seemed to start making more sense.
-
OK - so now I have a roadwarrior VPN setup in OpenVPN. It is working great with one client.
My only issue and question is:
How can I get the roadwarrior client to be able to ping a computer on the west side when connected to the east side? nslookup resolves the IP of the system on the west side fine, but when I do a ping it times out. When I tracert, it routes all the way out to the Internet. My pfSense DNS servers are 8.8.8.8 and 192.168.200.1 in the pfSense General Setup. However, the VPN client is using 192.168.60.1 or 192.168.100.1 (cannot recall) as the DNS server. I've tried pushing the DNS servers to the VPN client via the VPN server config page, but that does not help. I've tried adding another network (push route) on the VPN server config page, and that does not help. Is there any way I can get this working? So far things are working satisfactorily other than this.
One more question: for the OpenVPN client setup, can I configure OpenVPN to work with more than one VPN server (not simultaneously, of course)? Just have it set up so that it can connect to either the east or west side VPN router, depending upon the roadwarrior's location in the US.
-
Can TinyDNS help me out any?
Perhaps setup some form of replication between the two sites so that they will have the same records for DHCP clients?
Also, I cannot ping any hosts on 192.168.200.0/24 from a VPN client connected to East on 192.168.100.0/24
-
Can TinyDNS help me out any?
Depends if the problem is a DNS problem or a routing problem!
Perhaps setup some form of replication between the two sites so that they will have the same records for DHCP clients?
Depends if the problem is a DNS problem or a routing problem!
Also, I cannot ping any hosts on 192.168.200.0/24 from a VPN client connected to East on 192.168.100.0/24
How will the VPN client know how to get to 192.168.200.0/24? Do all the intermediate systems know how to get to 192.168.200.0/24? Do all the intermediate systems on the return path know how to get back to the client?
-
Well I did push a route to 192.168.200.0/24 using the OpenVPN options but that didn't seem to fix things.
Before I changed the first DNS server under General Settings to 192.168.200.1 and the secondary DNS server to 8.8.8.8, the client would tracert out to the Internet.
Now the client just times out. I've tried adding firewall rules to both the WAN and LAN side to allow anything from 192.168.60.0/24 to come in and go out of the router, but that did not seem to help. Maybe I did the rules wrong.
-
I don't have any experience with OpenVPN.
Here's how I would attempt to resolve your problem.
-
1) Draw a network map showing all the links, including VPNs.
-
2) On the client, do a traceroute to the target system.
-
3) Check that the last system shown on the traceroute has routes that will help forward packets in both directions between client and target. Add necessary routes and repeat from 2). If the necessary routes exist, check that the next system responds to ICMP packets.
Here's a simple example from my home network showing where a route needed to be added.
adsl MODEM/Router <----> pfSense <----> LAN
                            |
                            +<--------> Server

The three links in the diagram above are ethernet. The Server is on the pfSense OPT1 interface. The adsl modem/router is configured to port forward incoming (from the Internet) TCP connections to port zz to the server. The server is on a different subnet to the pfSense WAN interface and has a private IP, so the adsl modem/router needs a route to tell it how to get to the server. Return traffic doesn't need a specific route on the server because the server's default route is to pfSense, and pfSense knows how to get to the adsl MODEM/router because the adsl MODEM/router is on the same subnet as the pfSense WAN interface.
I think the VPN links are usually point-to-point links, so the routing will be a little different (the whole subnet may not be visible from an end point).
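The "routes in both directions" check described in this post, as an added example that is not part of the thread and not anyone's pfSense configuration. It models a constructed network map with the addresses the thread mentions (East LAN 192.168.100.0/24, West LAN 192.168.200.0/24, the OpenVPN road-warrior pool 192.168.60.0/24, the site-to-site tunnel 192.168.50.x from the tracert) and walks a packet hop by hop using longest-prefix match. The client address 192.168.60.10, the East tunnel address 192.168.50.1 and the /30 tunnel size are assumptions, and the scenario it plays out (client gets a pushed route, but the West pfSense has no return route for the road-warrior pool) is an illustration of why a forward path can look fine while pings still time out, not a diagnosis of the poster's actual setup.

```python
import ipaddress

INTERNET = "internet"   # next hop meaning "hand off to the ISP via the default route"

# Constructed addresses; the client IP and East tunnel end are assumptions.
CLIENT_IP = "192.168.60.10"      # road-warrior address from the 192.168.60.0/24 pool
TARGET_IP = "192.168.200.252"    # cashback.32inc.local, as seen in the thread's tracert


class Node:
    """A host or router: the addresses it owns plus its routing table."""

    def __init__(self, name, addresses, routes):
        self.name = name
        self.addresses = {ipaddress.ip_address(a) for a in addresses}
        # routes: (prefix, next_hop); next_hop None = directly connected
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match, like a kernel FIB; None if nothing matches."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def owner(nodes, addr):
    """Which node owns a given IP (used to follow next hops and deliver locally)."""
    return next((n for n in nodes.values() if addr in n.addresses), None)


def trace(nodes, src_ip, dst_ip, max_hops=16):
    """Forward a packet from src_ip to dst_ip; returns (status, path of node names)."""
    dst = ipaddress.ip_address(dst_ip)
    node = owner(nodes, ipaddress.ip_address(src_ip))
    path = [node.name]
    for _ in range(max_hops):
        if dst in node.addresses:
            return "delivered", path
        match = node.lookup(dst)
        if match is None:
            return "no-route", path
        _, nh = match
        if nh is None:                      # directly connected subnet
            target = owner(nodes, dst)
            if target is None:
                return "no-route", path
            path.append(target.name)
            return "delivered", path
        if nh == INTERNET:                  # default route: leaves the VPN, as in the thread
            path.append(INTERNET)
            return "internet", path
        node = owner(nodes, ipaddress.ip_address(nh))
        if node is None:
            return "no-route", path
        path.append(node.name)
    return "loop", path


def check_both_ways(nodes, client_ip, target_ip):
    """Step 3 of the post: the path must exist from client to target AND back."""
    fwd = trace(nodes, client_ip, target_ip)
    rev = trace(nodes, target_ip, client_ip)
    return {"forward": fwd, "return": rev,
            "ok": fwd[0] == "delivered" and rev[0] == "delivered"}


def build(client_has_route, west_has_return_route):
    """Constructed map of the East/West sites; the two flags toggle the routes at issue."""
    client_routes = [("192.168.60.0/24", None), ("192.168.100.0/24", "192.168.60.1"),
                     ("0.0.0.0/0", INTERNET)]
    if client_has_route:                        # route pushed by the OpenVPN server
        client_routes.append(("192.168.200.0/24", "192.168.60.1"))
    west_routes = [("192.168.200.0/24", None), ("192.168.50.0/30", None),
                   ("192.168.100.0/24", "192.168.50.1"), ("0.0.0.0/0", INTERNET)]
    if west_has_return_route:                   # road-warrior pool added to the site-to-site
        west_routes.append(("192.168.60.0/24", "192.168.50.1"))
    return {
        "client": Node("client", [CLIENT_IP], client_routes),
        "pfsense-east": Node("pfsense-east",
                             ["192.168.100.1", "192.168.60.1", "192.168.50.1"],
                             [("192.168.100.0/24", None), ("192.168.60.0/24", None),
                              ("192.168.50.0/30", None),
                              ("192.168.200.0/24", "192.168.50.2"), ("0.0.0.0/0", INTERNET)]),
        "pfsense-west": Node("pfsense-west", ["192.168.200.1", "192.168.50.2"], west_routes),
        "cashback": Node("cashback", [TARGET_IP],
                         [("192.168.200.0/24", None), ("0.0.0.0/0", "192.168.200.1")]),
    }


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        r = check_both_ways(build(*flags), CLIENT_IP, TARGET_IP)
        print(f"client route={flags[0]!s:5} west return route={flags[1]!s:5} "
              f"forward={r['forward']} return={r['return']} ok={r['ok']}")
```

Run it and the three lines show the progression: with no route on the client the packet goes straight out the default route (the "routes all the way out to the Internet" symptom), with only the pushed route the forward path reaches the target but the reply leaves the West pfSense via its default route, and only with a return route for 192.168.60.0/24 on the West side does the check pass. Replace the constructed tables with the real `netstat -rn` output from each hop to apply the same check to a live network.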
-
-
I think what you're looking for is a static route. Something like:
interface: lan
network: your-remote-net/netmask
gateway: your-lan-ip