DNS woes



  • Hello everyone

    Ok. So I have a home-based business. I want a DNS server of some kind to manage various systems and resolve in-house hostnames. I am currently using the full BIND server. I have an external domain name registered with a domain registrar, and I want to use that domain name internally also. Previously, I was using some thin clients for my pfsense boxes, but they won't work out so well - the hardware is just too limited. I am now using a Netgate APU4 kit.

    My issues are that I have 3 different network interfaces for internal LAN use. In pfSense the 3 interfaces are: LAN, OPT1 (which are both Wired Ethernet ports), and OPT2 (Atheros WiFi Mini PCIe card in AP mode). DNS resolution only works on the LAN interface. In BIND DNS settings, I've tried setting the pfsense host to all three IP addresses, but that only confuses the DNS clients. I've tried to create a network bridge between the 3 interfaces and couldn't seem to get that to work smoothly - I kept locking myself out of the router and having to reinstall. It's probably not a problem or bug with pfSense, but rather an unfamiliarity with the more advanced DNS concepts. I do have a good basic understanding as to how DNS works, but am lacking in understanding how to correctly and properly set up my own server to "play nice with others".

    Question: does the built-in DNS forwarder support working with Domain names and Zones? I've always assumed it does not, and immediately added the BIND package and disabled the built-in forwarder.

    I realize this is quite a bit of info to sift through, I'm having trouble sorting it all out myself.

    I suppose I need a plan of attack: I would prefer to create a network bridge and have all of the computers on the same LAN subnet. If somebody has experience doing this from within the pfSense WebGUI, I would like to chat with that somebody a bit, as I expect this approach will be easier to manage. Failing that, I would like to try to set up routing and firewall rules to route traffic amongst all three subnets freely. How should I possibly go about all of this? Let me know if anybody needs more specific info as to my setup. I feel as though I've rambled enough already. (If someone disagrees, I am more than happy to ramble some more)…


  • Rebel Alliance Global Moderator

    So you want to use opt1 and opt2 as switch ports on a switch?  All on your lan network?

    Why??  If you need ports on the lan network - buy a SWITCH.. If you want other segments, that is what those ports are for - set up the IPs on them, set up the firewall rules you want; by default opt interfaces have no rules out of the box like the lan interface does.



  • 1. I only need 1 lan network for the time being; in the future - once I have a better grasp of how to set up pfSense - I do plan to separate the segments. I already have a switch. I just don't see any need to waste a perfectly good ethernet port. I still need to get a second switch, and when I do, I'll set up my devices where they need to be, so that when I do segregate my LAN, I won't need to rewire my whole home office. The network bridge idea was just to make it easier for me to set up my home network and "hit the ground running", so to speak, while learning the ropes in the meantime.

    2. I've managed to achieve one of my desired outcomes using the built-in DNS-Forwarder. Surprise, surprise. Silly me. I should try it first, and ask questions only if it doesn't work.

    3. I still need to figure out how to route traffic amongst network segments. I desire to allow things like file-sharing, network peer discovery, Remote Desktop Connections, etc. to traverse the 3 interfaces.


  • Rebel Alliance Global Moderator

    "3. I still need to figure out how to route traffic amongst network segments."

    Thought you said you only need 1 segment? ;)

    You don't have to do anything - this is on any router.  Once you put an interface and IP of the router on that segment, it knows how to route between the segments it's connected to.  Once you add a new segment on opt1 to pfsense, you don't have to worry about routing - you just need to set up the firewall rules to allow the traffic you want to allow, or block the stuff you don't want to allow, etc.

    As to this
    "I just don't see any need to waste a perfectly good ethernet port"

    Yup, that is exactly what you would be doing trying to set up a bridge so you have a switch on your firewall ;)  If you need more ports on a lan, then get more switches or buy a bigger switch, etc.  You don't use your firewall/router as a switch by bridging interfaces ;)  It will never ever perform as well as a switch!!



  • John:

    Initially, I wanted everything on 1 segment, for 2 reasons: 1. Simplification. I only need to worry about 1 segment as far as firewall rules, etc. go.  2. I was having trouble getting the full BIND service to work on all 3 segments at once, when I had tried using the interfaces separately. I have since resolved this 2nd issue by going back to the built-in DNS-Forwarder.

    Also, although I have a home-based business, I am living with my brother/roommate. He has his Playstation 3, his gaming computer, his Galaxy Note 3, Nintendo Wii, Nintendo DS, etc., etc. I plan to start hosting web sites, running a Windows Domain Controller, etc., etc. Having his stuff and my stuff on separate interfaces would allow for future ease of use. I am still new to much of this, so initially, I wanted to bridge the interfaces so that I would be diving into a pool rather than the middle of a shark-infested ocean. I could still have his stuff wired to one physical LAN port, and my stuff to another, so that when it comes time to demolish the bridge, I won't need to go rewire the whole house.

    Having said all of that, I may as well go the separate interface, separate network segment approach now. I have until March 2015 before my lease is up with my current security router. I have my pfSense router behind the other one for now, so my brother isn't even exposed to the pfSense stuff yet.

    The bottom line: I was just trying to organize my thoughts and collaborate on a plan of attack. Thank you for the assistance. You helped more than you probably realize. I can be kind of silly sometimes, thinking it is going to be easier one way, and then making things so complicated in the process of doing it that way.

    Thanks again! If I have more troubles, and I can't figure it/them out, I know where to ask.



  • I thought that, should someone want to do this, I would just let you know how..

    Basically, it's much easier to set it up with different subnets on each port, but that isn't something that needs to be a problem. Like everyone else mentioned, switches are better, but if you want to do it this way you can, it will just be slower as it is Layer 3 routing instead of Layer 2 and firewall hardware isn't generally as fast and isn't meant for it.. but anyways, a few things…

    -You don't need bind for your dns as you can just use the DNS forwarder. It is listed as a dns forwarder, but in reality, it is just part of dnsmasq, a lightweight dns and dhcp server.
    -Due to how tcp/ip generally is routed on a firewall, you are better off doing separate subnets for each port.
    -The only firewall rule you really need is to allow all IPv4 traffic hitting each interface to be accessible by anything to anything (that is, everything except the wan interface. Remember, rules apply to the interface the traffic will hit.). So basically, just copy the default rules for LAN to each of your internal interfaces..

    So here is how I would do it...
    1-First, configure WAN and LAN like a normal pfsense setup would be. For simplicity, let's say LAN is configured with the default 192.168.1.1/24..
    2-Once that is done, go to the web configuration page and click on assign under interfaces.
    3-Click on the add icon, once it shows the new interface (OPT1), assign the correct NIC to it and save.
    4-Edit OPT1 to say something like LAN2 and set the IP address to something like 192.168.2.1/24
    5-Save the change and copy steps 3 and 4, incrementing the IP address (ex, 192.168.3.1, 192.168.4.1, etc..) and LAN number (ex, LAN3, LAN4, etc...) each time until you have used all your lan ports.
    6-Once you have given all your interfaces their own names, go to Interfaces>Assign>Interface Groups.
    7-Create a new interface group called "LanGroup" that includes every lan interface you have.
    8-Go to Firewall>Rules. Click on the "LAN" tab and then click on the button that says "Create rule based on this one" that is next to the default IPv4 rule created to allow all IPv4 traffic out to anywhere.
    9-Change the Interface from LAN to LanGroup. Click Save
    10-Now, set up DHCP on each interface. Basically, this is up to you, but leave everything as it is based on its default values. Make sure to leave the DNS server entries blank and make sure that you tell the search domain to be something like "myhome.local" or whatever else you would want for your internal dns.

    At this point, you are pretty much good to go as far as using all the ports to talk to each machine, but if you are wanting to set up DNS entries, you will need to add them in the DNS forwarder page.
    1-Make sure you have good dns servers listed under the general settings.
    2-Go to Services>DNS Forwarder
    3-Click on the box that says "Use DNS Forwarder"
    4-Where it shows your interfaces, click on LanGroup if it is listed. If it isn't, hold down ctrl and click on each of the LAN interfaces directly, selecting them all. Also click on the box that says "register DHCP leases with DNS."
    5-Click save, and then scroll to the bottom of the page. Where it says host overrides, click "add".
    6-For every dns name you would like to add statically and permanently, type in the fully qualified dns name (ex. merryslaptop.myhome.local) and then the IP address of that machine. If every machine you want to contact using dns will be using dhcp, then you can simply skip this step: it is only really for static ip machines that need dns names.

    And with that, you would be done.. Each machine would be on a different subnet, but it would work and would also function as a dns server. :) I hope that this helps anyone who would want to do this. Just keep in mind that using a firewall as a switch is basically not a good solution because of performance and because, generally speaking, it is much better to leave spare nics available in case of hardware failure. It is also overly complicated for what its function is.

    NOTE: I just jotted this out from memory and haven't done it, but I am pretty sure that it would work..
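
    What the DHCP and DNS Forwarder steps in the post above amount to, written out as the equivalent dnsmasq configuration (an added example for readers, not the poster's own and not the file pfSense itself generates). The interface names, 192.168.x.1/24 addressing, myhome.local and merryslaptop come from the post; the NIC names igb0/igb1/igb2, the DHCP pool boundaries and the 192.168.2.50 address are assumed placeholders.

```conf
# dnsmasq equivalent of the pfSense DNS Forwarder + DHCP setup described above.
# ASSUMED: NIC names igb0/igb1/igb2, pool ranges and 192.168.2.50 are placeholders.

# Answer DNS and serve DHCP only on the internal LAN interfaces, never on WAN
# (the post selects LanGroup / every LAN interface in the DNS Forwarder page).
interface=igb0          # LAN   192.168.1.1/24
interface=igb1          # LAN2  192.168.2.1/24
interface=igb2          # LAN3  192.168.3.1/24
bind-interfaces

# Search/local domain handed to clients by DHCP (step 10 above).
domain=myhome.local

# Keep the internal zone internal: myhome.local and reverse lookups for private
# address space are answered from leases and host overrides and are never sent
# to the upstream resolvers, so internal hostnames do not leak and a public
# NXDOMAIN can never shadow an internal name. If you instead reuse a registered
# public domain internally, local= also hides any public hosts under it that
# have no override here.
local=/myhome.local/
domain-needed
bogus-priv

# Drop upstream answers that point into private ranges (DNS rebinding
# protection; pfSense turns this on by default in the DNS Forwarder).
stop-dns-rebind

# Upstream resolvers ("good dns servers listed under the general settings").
resolv-file=/etc/resolv.conf

# One DHCP pool per LAN; dnsmasq picks the pool matching the interface's subnet.
# With no dns-server option set, clients get the interface address as their DNS
# server, which is why the post leaves the DNS server entries blank.
dhcp-range=192.168.1.100,192.168.1.199,24h
dhcp-range=192.168.2.100,192.168.2.199,24h
dhcp-range=192.168.3.100,192.168.3.199,24h

# "Register DHCP leases with DNS": a lease for host "pc1" resolves as
# pc1.myhome.local (dnsmasq's default behaviour once domain= is set).

# Host override for a static-IP machine (the merryslaptop step above);
# host-record also creates the matching PTR record.
host-record=merryslaptop.myhome.local,192.168.2.50
```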


  • Netgate

    Or just get a switch.

    General rule of thumb:  Switch ports are cheap, router ports are expensive.

    Lines are being blurred by cheap layer 3 switches.



  • Yeah, I think everyone said "just get a switch" for the most part. lol I agree completely, but I wanted to just kind of.. answer how to do what he wanted for the sake of answering the subject of this topic.. In the end, regardless of what we would suggest, if he wants to do it this way he can.. so yeah. ^^;;



  • Thanks. I didn't end up going that route. I'm sure your life info will be useful to somebody somewhere.

    At the risk of being slapped: I decided to buy a switch…



  • HAHA.. No, no risk in getting slapped from me at least. :) That was really the route to go. I'm just one of those people that, for various reasons like being laid off, can barely afford food at times, let alone more tech. ^^;; I kind of figured that there would be more nerds like me that would need something like this for financial reasons or simply because they are curious.

    You have a good one.