DNS: resolving pfSense address



  • Hi all,
    I run pfSense 2.2.3 on a box with 3 ports: WAN, LAN with 8 VLANs, and a third port not used.
    The LAN manages 8 VLANs in a "router on a stick" configuration.
    See attachments number 1 + 2.

    Each vlan has a distinct subnet with this pattern:

    • vlan 10  for subnet 192.168.10.0/24

    • vlan 20  for subnet 192.168.20.0/24

    • and so on.

    It works fine but there is a thing that I cannot understand.

    The switches and the fw on the net have their interfaces on “Management vlan” for administration purposes (see picture 3 + 4), and I want to deny access to them from Wifi_Famiglia net.
    To do this I defined a rule on Wifi_Famiglia – see the second rule on picture number 5.

    This rule works fine, that is, with a client on the Wifi_Famiglia net I can't reach the Management net except…

    …except pfSense itself!
    pfSense has one VLAN on the Management net (192.168.99.1) and it remains reachable from Wifi_Famiglia (despite the previous deny rule) through another VLAN (for example from 192.168.10.1).
    That is, if I open http://pfsense.casaren ("casaren" is my local domain) I can reach pfSense even from the Wifi_Famiglia net.

    Why?

    Trying to understand the problem, I checked how the pfsense.casaren address was resolved: see picture 6.

    So the question is: why is the pfSense address this one? I mean: on the 192.168.10.0/24 net? (Lan_Default VLAN)
    Where could I have defined this address in pfSense?

    I use simple definitions for the DNS section:

    • DNS on General setup – picture 7

    • DNS forwarder not enabled - 8

    • DNS resolver - 9

    So I'm a bit confused, and I do not understand where pfSense takes that 192.168.10.1 address for itself from. That is: why not the 192.168.99.1 on the Management VLAN? Or the 192.168.220.1 that is the gateway for the Wifi_Famiglia net?

    Thanks in advance for any help.

    Andrea

    ![1 - Interfaces.png](/public/imported_attachments/1/1 - Interfaces.png)
    ![2 - Assigned interfaces.png](/public/imported_attachments/1/2 - Assigned interfaces.png)
    ![3 - Interface Wifi_Famiglia.png](/public/imported_attachments/1/3 - Interface Wifi_Famiglia.png)
    ![4 - Interface Management.png](/public/imported_attachments/1/4 - Interface Management.png)
    ![5 - Rule on Wifi_Famiglia.png](/public/imported_attachments/1/5 - Rule on Wifi_Famiglia.png)
    ![6 - Dig.png](/public/imported_attachments/1/6 - Dig.png)
    ![7 - dns general setup.png](/public/imported_attachments/1/7 - dns general setup.png)
    ![8 - host overrides.png](/public/imported_attachments/1/8 - host overrides.png)
    ![9.1 - Dns resolver.png](/public/imported_attachments/1/9.1 - Dns resolver.png)
    ![9.2 - Dns resolver.png](/public/imported_attachments/1/9.2 - Dns resolver.png)
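The core of the problem in the post above is that a deny rule aimed at the Management subnet says nothing about the other addresses the firewall itself holds, so pfSense stays reachable on 192.168.10.1 or on the client's own gateway. The following is an added example, not code from the post or from pfSense: a small first-match rule evaluator over the OP's addresses (the VLAN names and client address 192.168.220.50 are constructed) that shows which firewall addresses a Wifi_Famiglia client can still reach under the OP's rule set, and under a variant whose deny covers every firewall address, which is what pfSense's "This Firewall (self)" destination expresses.

```python
import ipaddress

# Constructed model of the OP's layout: pfSense holds one address on every VLAN.
FIREWALL_ADDRESSES = {
    "Lan_Default": "192.168.10.1",
    "Management": "192.168.99.1",
    "Wifi_Famiglia": "192.168.220.1",
}
WIFI_FAMIGLIA = ipaddress.ip_network("192.168.220.0/24")
MANAGEMENT = ipaddress.ip_network("192.168.99.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, source network, list of destination networks).
# First match wins, which is how pfSense evaluates interface rules top to bottom.
def first_match(rules, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_nets in rules:
        if src in src_net and any(dst in n for n in dst_nets):
            return action
    return "block"  # implicit default deny when nothing matches

def reachable_firewall_addresses(rules, client="192.168.220.50"):
    """Return the firewall's own addresses that a client can still reach."""
    return sorted(a for a in FIREWALL_ADDRESSES.values()
                  if first_match(rules, client, a) == "pass")

# Rule set as the OP describes it: deny only the Management subnet, then allow all.
OP_RULES = [
    ("block", WIFI_FAMIGLIA, [MANAGEMENT]),
    ("pass", WIFI_FAMIGLIA, [ANY]),
]

# Hardened variant: the deny lists every address the firewall holds
# (what "This Firewall (self)" does in pfSense), not a single subnet.
THIS_FIREWALL = [ipaddress.ip_network(a + "/32") for a in FIREWALL_ADDRESSES.values()]
HARDENED_RULES = [
    ("block", WIFI_FAMIGLIA, [MANAGEMENT] + THIS_FIREWALL),
    ("pass", WIFI_FAMIGLIA, [ANY]),
]

if __name__ == "__main__":
    print("OP rules leave reachable:", reachable_firewall_addresses(OP_RULES))
    print("Hardened rules leave reachable:", reachable_firewall_addresses(HARDENED_RULES))
```

If the Wifi_Famiglia clients get DNS or DHCP from pfSense, pass rules for those services to the interface address must sit above such a block, otherwise the model's hardened set cuts them off too.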



  • Perhaps take a look at the default lockout rule under the firewall rules?

