Is Split DNS necessary for internal LAN to get to FQDN of internal server?
-
I hope that question makes sense.
I've got a multi-WAN and multi-LAN setup. For simplicity's sake let's just say that one of the LANs is a server LAN and one is a USER LAN. Within the server LAN there are machines that use 1:1 NAT and firewall rules to serve public services (e.g. W3, SMTP, IMAP, etc.).
To the outside world they type www.domain.com and all works fine. But people on the USER LAN get redirected to the HTTPS login screen of the pfSense. A DNS lookup from the client shows the proper publicly accessible IP address.
I'm not 100% sure why that happens rather than a fail or time-out, but to test the theory that it was a DNS failure I set up a dummy internal DNS server and pointed it to an internal IP of the server on the SERVER LAN. When I point the user to that DNS server the site comes up (I had to add a firewall rule allowing inter-LAN traffic, of course).
I'm really hoping that I won't have to manage an internal DNS server alongside the public DNS servers that I'm already running, so hopefully there's a solution within the pfSense?
Thanks for any pointers.
-
Take a look at System, Advanced, Firewall/NAT, Network Address Translation.
I generally use port-forwards instead of 1:1 NAT and enable reflection on individual NAT rules, but I believe you would want to check the boxes for 'enable nat reflection for 1:1 nat' and 'enable automatic outbound nat for reflection'.
-
I'm wondering if this is a versioning issue, but I only seem to have the Enable NAT Reflection option you speak of. I don't see the 'enable automatic outbound nat for reflection' that you speak of, and while the first option alone did make the redirects to the admin interface stop, it did not get me to the server on the internal server LAN.
I'm using version 2.1p1-RELEASE (amd64) built on Tue Nov 12 16:41:18 EST 2013 FreeBSD 8.3-RELEASE-p12 and here's what I see under the NAT section of the page you directed me to:
-
Yes, I was referring to the headings to the left of the checkboxes. Try checking both boxes.
-
Yeah… I did both and got the same results.
Oddly, it also seems to be affecting some internet traffic. I'm wondering if something else in my setup is causing issues. Here are the basics:
The USER LAN gets DHCP from an internal server that points to pfSense as the gateway, but to itself (the DHCP server) as the DNS server. The DNS on the DHCP server serves as a simple caching server.
While I had the two boxes ticked I noticed some odd behavior in general. First off, a persistent ping to 8.8.8.8 never got interrupted, so connectivity stayed there. But oddly, the aforementioned site on the server LAN would just time out, yet there are no entries for its public or private IP in the logs. Also, some sites on the internet at large would still come up from the user LAN yet others wouldn't. It seemed pretty random, but the instant I removed those two options and applied, everything went back to normal.
I'm sure there's more about my setup that you might need but I'm not sure what more that might be. Thanks for your suggestions so far and if you're still willing to help let me know what else you need to know.
-
One thing I missed is that you have the servers on what most would call the 'DMZ' and not on the same network as the users.
In this situation, you would not check the second box, as it is there to bounce the traffic back to the originating network.
I have never seen NAT reflection cause connection issues to external sites, this may be some particular quirk with your setup.
Anyway, I've never tried to do exactly what you are doing, so I can't offer any more insight. You can always fall back to split DNS.
-
I ended up just using the Host Overrides in DNS Forwarder as my split DNS solution since none of the other solutions seemed to work. From what I understand it's using a dnsmasq backend and likely just adding the entries to /etc/hosts.
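To show why the Host Override fixes the symptom described in this thread, here is a small added model of split-horizon resolution (example code, not part of the thread or of pfSense): internal clients get the override address, everyone else gets the public record, and a second function explains what happens when the client connects to the answer it received. All addresses, networks and names are constructed placeholders.

```python
import ipaddress

# Constructed example data (not from the thread): what public DNS answers,
# what the DNS Forwarder Host Override answers, and the firewall's networks.
PUBLIC_RECORDS = {"www.domain.com": "203.0.113.10"}   # 1:1 NAT public address
HOST_OVERRIDES = {"www.domain.com": "10.10.20.10"}    # server's SERVER LAN address
INTERNAL_NETS = [
    ipaddress.ip_network("10.10.10.0/24"),  # USER LAN (assumed)
    ipaddress.ip_network("10.10.20.0/24"),  # SERVER LAN (assumed)
]
WAN_ADDRESSES = {"203.0.113.10"}  # addresses that terminate on the firewall's WAN side


def is_internal(addr):
    """True if addr belongs to one of the firewall's internal LANs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def resolve(name, client_ip):
    """Split-horizon answer: override for internal clients, public record otherwise.

    Returns None for names the resolver knows nothing about.
    """
    if is_internal(client_ip) and name in HOST_OVERRIDES:
        return HOST_OVERRIDES[name]
    return PUBLIC_RECORDS.get(name)


def diagnose(client_ip, answer):
    """Classify the path an internal client takes to the answered address.

    'hairpin'  -> client connects to the firewall's own WAN address, which is
                  where the GUI-redirect / NAT-reflection symptom comes from
    'direct'   -> routed LAN to LAN; needs an inter-LAN firewall rule
    'external' -> ordinary outbound traffic
    """
    if answer is None:
        raise ValueError("no answer to diagnose")
    if is_internal(client_ip) and answer in WAN_ADDRESSES:
        return "hairpin"
    if is_internal(client_ip) and is_internal(answer):
        return "direct"
    return "external"


if __name__ == "__main__":
    for client in ("10.10.10.50", "198.51.100.7"):
        ans = resolve("www.domain.com", client)
        print(client, "->", ans, diagnose(client, ans))
```

Comparing `diagnose(client, PUBLIC_RECORDS[name])` with `diagnose(client, resolve(name, client))` shows the before/after of adding the override for an internal client.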