1 server inside LAN

  • We have a Windows 2003 domain called corporate.local. We use the Windows DNS server for accessing both internal and external DNS, forwarding all non corporate.local queries to the forwarders in the MS DNS setup. pfSense passes DNS, but doesn't provide DNS to anyone.

    We now have an additional webserver on the LAN called rs. The rs=report server. It is available from the outside at rs.AnotherDomain.com. There is a www server located outside the LAN. All mail is handled outside the LAN by gmail.

    The pfSense rules are setup and everything work well for outside access to get to rs. Inside is another story. I told people to go to rs directly. It resolves properly but the SSL cert fails and the reporting app often requires a full URL in the programming, which means two reports; one for inside users, one for outside users.

    Trying to access rs.AnotherDomain.com gives me grief through pfSense: "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
    Try accessing the router by IP address instead of by hostname." Using the internal IP address vs external address is the same as using the internal name vs the external name - multiple reports, bad SSL cert.

    Is it better to setup a Forward Lookup Zone for AnotherDomain.com in the MS DNS where everything is identical to the outside DNS with the exception of the single webserver? I can do this, but prefer not to because I don't want to take responsibility for any changes that may take place to their zone file that they wouldn't inform me of. Some of which may happen without the owner's knowledge (mail).

    Or do I reroute the traffic for rs.anotherdomain.com at the firewall and pass all other traffic onto the proper locations. If so, how?

    Sure I am not the first person to do this. All guidance is appreciated.


  • LAYER 8 Global Moderator

    If you want to access rs.anotherdomain.com via its public IP that gets forwarded to internal IP then you need to enable nat reflection.  That should allow what you want without having to do anything with rs.anotherdomain.com

  • agreed…

  • Worked like a charm. Thanks johnpoz, and pardon the late appreciation.

Log in to reply