Netgate Discussion Forum
    Internal DNS Servers not accessible

    Firewalling
    Overcon

      I put up a pfSense box and I have two LANs and one WAN on it. Access from the two subnets on the LANs works fine; they can get out, et cetera. But under the general settings I put two external DNS servers and two internal DNS servers. The internal DNS servers are at another location, on a different subnet than the two subnets I have here. How can I get access set up to the DNS servers in the other subnet?

      LAN1 Subnet 192.168.113.0/24
      LAN2 Subnet 192.168.116.0/24
      WAN xxx.xxx.xxx.xxx

      Internal DNS servers in a different building on Subnet 100 with IP's:
      192.168.100.1
      192.168.100.3

      I am trying to get it so users on the 113 and 116 subnets can resolve internal resources using the specified DNS servers, but something on the pfSense box is preventing it.

      I am in the process of redesigning the network here to integrate the pfSense box as an alternate WAN (multi-homed WAN), but I won't be able to get it done before I leave for the holidays, so I was hoping someone could tell me how to allow the DNS IPs access to the pfSense networks so users could resolve against them until I can do the redesign.

      Thanks!

      phil.davis

        What actual real connectivity options do you have to the other location?
        What routing device is at the other location?
        I guess you will need to setup some site-to-site VPN (OpenVPN or IPsec) across an interconnect of some sort (or across the internet) and allow routing between the networks.

        Since those DNS servers are just for internal names, you will want to add them to your pfSense DNS server as domain overrides - pointing to them for the particular internal domains that they know about.
        Do not put them in the DNS server list in System->General Setup - that would make them be queried for real internet names that would be best done by going straight to the servers on the public internet.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        Overcon

          That's the problem. I did add them and I still cannot hit them.

          Here is a diagram of how it is now: our location is a satellite location. We have a point-to-point link that flows to our location from the main courthouse; there is no VPN.

          And the override rules I put in.

          All I want is for the pfSense to hit the internal DNS server when they are using it, and that is mostly for if they change to it during an outage of the main link and forget to tell the next dispatcher that comes to that position during a shift change. So if that is the case, they can still hit shares and the like if the main link comes up and they don't switch back to it.

          It's not perfect and I plan on changing it around, but not until after the first. But I can't seem to get it to hit those DNS servers on the 100 subnet.

          [Attachment: PFSense Firewall - Redundant WAN.jpg]
          [Attachment: DNS Overrides.jpg]

          Derelict (Netgate)

            How does pfSense know how to get to 192.168.100.0/24 via your cisco?  It's probably trying to send the traffic for those addresses out its default gateway (the backup WAN).

            You have two available paths to get there.  113 and 116.  You should probably pick one, we'll use 113.  Create a gateway on pfSense to 192.168.113.6.  Create a static route to 192.168.0.0/16 with that gateway as the gateway and the 113 VLAN interface as the interface.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
            Overcon

              @Derelict:

              How does pfSense know how to get to 192.168.100.0/24 via your cisco?  It's probably trying to send the traffic for those addresses out its default gateway (the backup WAN).

              You have two available paths to get there.  113 and 116.  You should probably pick one, we'll use 113.  Create a gateway on pfSense to 192.168.113.6.  Create a static route to 192.168.0.0/16 with that gateway as the gateway and the 113 VLAN interface as the interface.

              OK, this is what I put, doesn't seem to be connecting:

              [Attachment: 113-gw.jpg]
              [Attachment: 113-route.jpg]

              Overcon

                @Derelict:

                How does pfSense know how to get to 192.168.100.0/24 via your cisco?  It's probably trying to send the traffic for those addresses out its default gateway (the backup WAN).

                You have two available paths to get there.  113 and 116.  You should probably pick one, we'll use 113.  Create a gateway on pfSense to 192.168.113.6.  Create a static route to 192.168.0.0/16 with that gateway as the gateway and the 113 VLAN interface as the interface.

                I might have to add a route specifically for the pfSense box to get there, though I figured it would travel just like any other 113 device.

                Right now I have a 3750 switch stack with VLAN 113, VLAN 116 and VLAN 1. Those switches are connected via two trunked ports to a Cisco 2911, which has a 10 net tunnel to the remote location. I don't know how that end is connected; I don't monitor their hardware. I am not even sure if they have managed switches, just routers with ports with assigned subnets on them.

                So, locally:

                Cisco 3750X with VLANs 113 & 116
                Connected to a 2911 via trunked ports carrying 113 & 116
                2911 with a port to a 10 net point-to-point.

                A few routes on the 2911 send all traffic to these destinations:

                ip route 0.0.0.0 0.0.0.0 10.0.0.41 All default traffic to CH
                ip route 10.230.2.0 255.255.255.0 192.168.116.3 to SO
                ip route 10.230.5.0 255.255.255.0 192.168.116.3 to SO
                ip route 192.168.2.0 255.255.255.0 192.168.113.1 to City
                ip route 192.168.6.0 255.255.255.0 192.168.113.1 to City

                Derelict (Netgate)

                  @Overcon:

                  I might have to add a route specifically for the PFSense box to get there, though i figured it would travel just like any other 113 device.

                  It is behaving like other VLAN113 devices.  It's sending traffic for 192.168.100.0/24 to its default gateway.  Thing is, the default gateway on your LAN clients is the 2911.  The default gateway for pfSense is the WAN connection.

                  Make a route for it.

                  Or, make a gateway pointing at the 2911 and set it as default.

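Derelict's two posts above (the gateway plus 192.168.0.0/16 static route, and the explanation that pfSense's own default gateway is the WAN while the clients' default gateway is the 2911) are a longest-prefix-match problem. The following is an added example written for this thread, not code from the forum or from pfSense: it models the firewall's routing table with Python's ipaddress module and shows which next hop 192.168.100.3 gets before and after the static route. The WAN gateway 203.0.113.1 is a placeholder for the address the poster masked as xxx.xxx.xxx.xxx, and the interface names LAN1/LAN2/WAN are assumed.

```python
"""Longest-prefix match on a model of pfSense's routing table.

Added example for this thread, not code from the forum or from pfSense.
Before the static route exists, traffic for 192.168.100.0/24 matches only
the default route and leaves via the WAN gateway; after adding
192.168.0.0/16 via 192.168.113.6 on the VLAN113 interface it is handed to
the Cisco 2911. 203.0.113.1 is a placeholder WAN next hop; LAN1/LAN2/WAN
are assumed interface names.
"""
import ipaddress

WAN_GW = "203.0.113.1"  # placeholder for the masked WAN next hop in the post

# Each route: (destination prefix, next-hop gateway or None if directly connected, interface)
BASE_TABLE = [
    ("0.0.0.0/0",        WAN_GW, "WAN"),   # pfSense's own default gateway is the WAN link
    ("192.168.113.0/24", None,   "LAN1"),  # directly connected
    ("192.168.116.0/24", None,   "LAN2"),  # directly connected
]

# Derelict's fix: a gateway entry for 192.168.113.6 (the 2911) and a static route through it
FIXED_TABLE = BASE_TABLE + [
    ("192.168.0.0/16", "192.168.113.6", "LAN1"),
]


def next_hop(table, dst):
    """Return (gateway, interface) for `dst` by longest-prefix match.

    The kernel uses the matching route with the longest prefix, which is
    why the connected /24s still win over the new /16 even though the /16
    covers them too. Raises LookupError if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def explain(table, dst):
    """Human-readable version of next_hop, e.g. '192.168.100.3: via 192.168.113.6 on LAN1'."""
    gw, iface = next_hop(table, dst)
    via = "directly on" if gw is None else f"via {gw} on"
    return f"{dst}: {via} {iface}"


if __name__ == "__main__":
    for dst in ("192.168.100.3", "192.168.116.20", "8.8.8.8"):
        print("before:", explain(BASE_TABLE, dst))
        print("after: ", explain(FIXED_TABLE, dst))
```

Without the /16 route the internal DNS server is reached via the WAN, which is exactly the symptom in the thread. The alternative Derelict mentions, making the 2911 the firewall's default gateway, changes the next hop for every destination that has no more specific route, not just the 192.168.x.x ranges, so the static route is the narrower change.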
                  Overcon

                    @Derelict:

                    @Overcon:

                    I might have to add a route specifically for the PFSense box to get there, though i figured it would travel just like any other 113 device.

                    It is behaving like other VLAN113 devices.  It's sending traffic for 192.168.100.0/24 to its default gateway.  Thing is, the default gateway on your LAN clients is the 2911.  The default gateway for pfSense is the WAN connection.

                    Make a route for it.

                    Or, make a gateway pointing at the 2911 and set it as default.

                    I did, and I can tracert from it to the 100 IP, but I still cannot resolve against it. It still insists on resolving on the external DNS servers.

                    Traceroute output:

                    1  192.168.113.6  0.491 ms  0.381 ms  0.427 ms
                    2  10.0.0.41  180.307 ms  170.385 ms  159.623 ms
                    3  10.0.0.2  160.756 ms  175.612 ms  244.091 ms
                    4  192.168.100.3  232.974 ms  134.137 ms  166.634 ms

                    Derelict (Netgate)

                      Ok so your routing is fixed.  What are the specific DNS server (System->General) settings and forwarder domain overrides you have in place?

                      Overcon

                        Here are the overrides and forwarders.

                        [Attachment: forwarders.jpg]

                        Overcon

                          And the DNS is just the ISP external ones:

                          [Attachment: dns.jpg]

                          Derelict (Netgate)

                            You have checked the checkbox that says not to use the DNS forwarder for queries made by the firewall.  If you want the firewall to use the DNS forwarder for its queries why would you do that?

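Two points in this thread fit together: phil.davis's advice to put the internal servers in as domain overrides rather than in the System -> General Setup list, and Derelict's catch that the firewall itself was configured not to use the DNS Forwarder. The following is an added example written for this thread, not code from the forum or from pfSense. It models how the forwarder (dnsmasq) picks an upstream for a name and how the "do not use the DNS Forwarder as a DNS server for the firewall" option bypasses that logic for the firewall's own lookups. The override domain example.internal, the hostnames and the ISP resolver addresses 198.51.100.53/.54 are placeholders; 192.168.100.1 and 192.168.100.3 are the servers named in the thread.

```python
"""How the pfSense DNS Forwarder (dnsmasq) picks an upstream, and what the
"Do not use the DNS Forwarder as a DNS server for the firewall" option changes.

Added example for this thread, not code from the forum or from pfSense.
Assumptions: "example.internal", the hostnames and the ISP resolvers
198.51.100.53/.54 are placeholders; 192.168.100.1 and 192.168.100.3 are
the internal DNS servers from the thread.
"""

GENERAL_DNS = ["198.51.100.53", "198.51.100.54"]  # System -> General Setup (ISP resolvers)

# Services -> DNS Forwarder -> Domain Overrides. Each entry is the internal
# zone and the servers that know about it, like dnsmasq server=/domain/ip lines.
DOMAIN_OVERRIDES = {
    "example.internal": ["192.168.100.1", "192.168.100.3"],
}


def _norm(name):
    """Lower-case and drop a trailing dot so comparisons are uniform."""
    return name.rstrip(".").lower()


def forwarder_upstreams(name, overrides=DOMAIN_OVERRIDES, general=GENERAL_DNS):
    """Servers the forwarder asks for `name`.

    The most specific override whose domain equals `name` or is one of its
    parent domains wins. Anything else (all public names) goes to the
    General Setup list, which is why internal servers belong in overrides
    and not in that list."""
    name = _norm(name)
    best_domain, best_servers = None, None
    for domain, servers in overrides.items():
        d = _norm(domain)
        if name == d or name.endswith("." + d):
            if best_domain is None or len(d) > len(best_domain):
                best_domain, best_servers = d, servers
    return list(best_servers) if best_servers is not None else list(general)


def firewall_upstreams(name, forwarder_for_firewall,
                       overrides=DOMAIN_OVERRIDES, general=GENERAL_DNS):
    """Servers the firewall's *own* lookups reach.

    forwarder_for_firewall=False models the checked box: the firewall's
    resolv.conf lists only the General Setup servers, so overrides never
    apply and an internal name is sent to the ISP. True models the unchecked
    box: the firewall resolves through 127.0.0.1 and the forwarder decides."""
    if not forwarder_for_firewall:
        return list(general)
    return forwarder_upstreams(name, overrides, general)


if __name__ == "__main__":
    for checked in (True, False):
        print("box checked:", checked,
              "->", firewall_upstreams("fileserver.example.internal", not checked))
    print("public name ->", forwarder_upstreams("www.netgate.com"))
```

With the box checked, a lookup of fileserver.example.internal from the firewall goes to the ISP resolvers and fails, even though the override is correct and the route to 192.168.100.x now works; unchecking it sends the same lookup through the forwarder, where the override applies. LAN clients that point at the firewall were already going through the forwarder, so the box only affects the firewall's own resolution. The exact label of the option varies between pfSense versions (later releases say "DNS Forwarder/Resolver"); the behaviour modelled here is the one Derelict describes.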
                            Overcon

                              Not sure why I had that checked. I'll uncheck it.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.