Problem with pfSense – Need help please



  • Okay…  Here is my setup (if you can understand it):

    I'm running the HOST under ESXi.

    Internet -> ESXi (pfSense)
        192.168.1.1 - Desktop
        192.168.2.2 - Zimbra Mail  (mail.mydomain.com)

    My connections and everything are working fine.  Zimbra is working fine.  I have full access to the internet on all machines on the network.

    However, here is my issue:  Whenever I try to connect to my Zimbra webmail from within the network (ie. Desktop/iPhone/anything) I get a rebind attack error message:

    Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname. 
    

    If I make an entry in my HOSTS file on my desktop to point mail.mydomain.com to 192.168.2.2 then everything works fine.  While I can do this for my desktop, I cannot do this for my iPhone because I might not always be inside the network with my iPhone.

    Is there a way that I can stop this error from happening?



  • Does mail.mydomain.com resolve to a public IP address?

    If so, you may need to have an internal DNS server to answer 192.168.2.2 for mail.mydomain.com when you are local.



  • Yes, mail.mydomain.com resolves to a public IP address.

    I have a DNS server in my network already (on the Zimbra box).  Is there a way that I can add an extra DNS server to my browser/mail client/iphone?  Meaning, right now I have 192.168.1.1 (which is my pfSense router).  Maybe I can just add 192.168.2.2 (my Zimbra box) as a secondary or third DNS server.  Will that work?



  • Or, is there a way that I can add that to pfSense somewhere?  Anything from within the network contacting mail.mydomain.com will automatically be redirected by pfSense?


  • Rebel Alliance Global Moderator

    Yeah, you can just add a record on pfSense to resolve mail.mydomain.com to your internal address 192.168.2.2.

    So when your phone is on your wifi network, it would use your wifi network's DNS to resolve mail.mydomain.com to your private 192.168.2.2, and while it's outside your network it would resolve the public IP address for that and access it that way.

    So you're saying your internal DNS on your Zimbra box resolves to the public IP for mail?

    So where do your phone and desktop get DNS from currently, the Zimbra box or pfSense?



  • Sorry, the whole network gets the DNS from 192.168.1.1 (pfSense).

    However, on the Zimbra box my DNS is set up to point to itself.  I installed BIND on the Zimbra box to set up all the records that it needed.  I would just leave that alone because that box is working perfectly.  But for the others, where would I add the record in pfSense to have it resolve mail.mydomain.com to the internal IP of 192.168.2.2?


  • Netgate Administrator

    If you're using the pfSense DNS forwarder then you need to enable NAT reflection or set a DNS override.

    See: http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    Steve



  • Thank you for the link.  I enabled the split DNS and it is working beautifully.

