Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    1 server inside LAN

    Scheduled Pinned Locked Moved
    DHCP and DNS
    3
    4
    2.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      Lou57
      last edited by

      We have a Windows 2003 domain called corporate.local. We use the Windows DNS server for accessing both internal and external DNS, forwarding all non corporate.local queries to the forwarders in the MS DNS setup. pfSense passes DNS, but doesn't provide DNS to anyone.

      We now have an additional webserver on the LAN called rs. The rs=report server. It is available from the outside at rs.AnotherDomain.com. There is a www server located outside the LAN. All mail is handled outside the LAN by gmail.

      The pfSense rules are setup and everything work well for outside access to get to rs. Inside is another story. I told people to go to rs directly. It resolves properly but the SSL cert fails and the reporting app often requires a full URL in the programming, which means two reports; one for inside users, one for outside users.

      Trying to access rs.AnotherDomain.com gives me grief through pfSense: "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
      Try accessing the router by IP address instead of by hostname." Using the internal IP address vs external address is the same as using the internal name vs the external name - multiple reports, bad SSL cert.

      Is it better to setup a Forward Lookup Zone for AnotherDomain.com in the MS DNS where everything is identical to the outside DNS with the exception of the single webserver? I can do this, but prefer not to because I don't want to take responsibility for any changes that may take place to their zone file that they wouldn't inform me of. Some of which may happen without the owner's knowledge (mail).

      Or do I reroute the traffic for rs.anotherdomain.com at the firewall and pass all other traffic onto the proper locations. If so, how?

      Sure I am not the first person to do this. All guidance is appreciated.

      Lou

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        If you want to access rs.anotherdomain.com via its public IP that gets forwarded to internal IP then you need to enable nat reflection.  That should allow what you want without having to do anything with rs.anotherdomain.com

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • C
          craigduff
          last edited by

          agreed…

          Kind Regards,
          Craig

          1 Reply Last reply Reply Quote 0
          • L
            Lou57
            last edited by

            Worked like a charm. Thanks johnpoz, and pardon the late appreciation.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.