Problem with pfSense – Need help please

jim.thornton

Okay…  Here is my setup (if you can understand it):

I'm running the HOST under ESXi.

Internet -> ESXi (pfSense)
    192.168.1.1 - Desktop
    192.168.2.2 - Zimbra Mail  (mail.mydomain.com)

My connections and everything are working fine.  Zimbra is working fine.  I have full access to the internet on all machines on the network.

However, here is my issue:  Whenever I try to connect to my Zimbra webmail from within the network (ie. Desktop/iPhone/anything) I get a rebind attack error message:

Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname. 

If I make an entry into my HOSTS file on my destop to point to 192.168.2.2 for mail.mydomain.com then everything works fine.  While I can do this for my desktop, I cannot do this for my iPhone because I might not always be inside the network with my iphone.

Is there a way that I can stop this error from happening?

marcelloc

Does mail.mydomain.com resolves to a public ip address?

If so, you may need to have a internal dns server to answer 192.168.2.2 - mail.mydomain.com when you are locally.

jim.thornton

Yes, mail.mydomain.com resolves to a public IP address.

I have a DNS server in my network already (on the Zimbra box).  Is there a way that I can add an extra DNS server to my browser/mail client/iphone?  Meaning, right now I have 192.168.1.1 (which is my pfSense router).  Maybe I can just add 192.168.2.2 (my Zimbra box) as a secondary or third DNS server.  Will that work?

jim.thornton

Or, is there a way that I can add that to pfSense somewhere?  Anything from within the network contacting mail.mydomain.com will automatically be redirected by pfSense?

johnpoz

yeah you can just add a record on pfsense to resolve mail.mydomain.com to your internal address 192.168.2.2

So when your phone is on your wifi network, it would use your wifi network dns to resolve mail.mydomain.com to your private 192.168.2.2, and while its outside your network it would resolve the public IP address for that and access it that way.

So your saying your internal dns on your Zimbra box resolves to the public IP for mail. ?

So where does your phone and desktop get dns from currently, zimbra box or pfsense?

jim.thornton

Sorry, the whole network gets the DNS from 192.168.1.1 (pfSense).

However on the Zimbra box my DNS is setup to itself.  I installed BIND on the Zimbra box to setup all the records that it needed.  I would just leave that alone because that box is working perfectly.  But for the others, where would I add the record into pfSense to have it resolve mail.mydomain.com to the internal IP of 192.168.2.2?

stephenw10

If you're using the pfSense DNS forwarder then you need to enable NAT reflection or set a DNS override.

See: http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Steve

jim.thornton

Thank you for the link.  I enabled the split DNS and it is working beautifully.