• I have set up a site-to-site OpenVPN tunnel using pfSense between 3 sites.

    Site 1
    OpenVPN Server
    IP: 192.168.100.1
    Tunnel: 10.0.10.0/24 and 10.0.11.0/24 for the server connection to each client appliance.
    OpenVPN firewall rules are open to any
    WAN firewall rule is open to OpenVPN 1194 and 1195

    Site 2
    VPN Client
    IP: 192.168.110.1
    Remote network: 192.168.100.0/24
    OpenVPN firewall rules are open to any

    Site 3
    OpenVPN Client
    IP: 192.168.120.1
    Remote network: 192.168.100.0/24
    OpenVPN firewall rules are open to any

    Each appliance on the client side acts as a DHCP and DNS server as default settings permit.
    I have the VPNs up and running and can ping the IP of the PC I need to connect to on the VPN server's local subnet from PCs on both client networks. I cannot resolve the hostname of the PC on the server network though. I actually only need to be able to connect to one specific PC, since the accounting software package installed on it needs DNS resolution to activate over the network.

    I have been through countless forums but to no avail. I can't get my head around the forwarding. I have tried the DNS forwarding method in this article http://meandmymac.net/2014/08/pfsense-ipsec-site-to-site-with-dns-resolving/ but still get no resolution.
    Can anybody help me step by step to possibly resolve (no pun intended) this issue?
    Also tried disabling the Windows firewall on the target PC.

    Thanks in advance


  • What I have done in the past is to create a domain for each site within pfSense and reference them in the DNS forwarders of each box using DHCP.

    (1) "System->General Setup->Domain", create "site1" on 192.168.100.1, "site2" on 192.168.110.1, etc.
    (2) "Services->DNS Forwarder" Enable "DHCP Registration" and "Static DHCP".
    (3) "Services->DNS Forwarder" Make an entry under "Domain Overrides" for each domain created in (1).
          For 192.168.100.1 ("site1") to access 192.168.110.1 ("site2"):
          Domain: site2
          IP address: 192.168.110.1
          Source IP: 192.168.100.1
          For 192.168.100.1 ("site1") to access 192.168.120.1 ("site3"):
          Domain: site3
          IP address: 192.168.120.1
          Source IP: 192.168.100.1
    (4) Repeat the steps in (3) on the other two boxes referring the appropriate domains to the IP of the pfSense box "hosting" the domain.

    Now any entry managed by DHCP in one box can be referenced in another.

    "bobpc" -> 192.168.100.5
    "jeffpc" -> 192.168.110.7
    "georgepc" -> 192.168.120.8

    You can reference "jeffpc.site2", "georgepc.site3", "bobpc.site1" from any other site (or locally).

    It's not a perfect solution, but I find it works well in many situations.
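    The following is an added example, not code from the thread or from pfSense. It models what the per-site Domain Overrides in steps (1) to (4) do: each box answers its own DHCP-registered names and forwards a query whose suffix matches an override to the pfSense box hosting that domain. The site domains, box addresses and the three "bobpc"/"jeffpc"/"georgepc" records are the ones from the post; the lease tables are constructed sample data, and `choose_upstream`, `resolve` and `unbound_forward_zones` are names invented here. It also shows the failure mode the original poster hit: a bare hostname such as "bobpc" asked from site2 never leaves site2, so only the fully qualified "bobpc.site1" resolves.

```python
# Added example modelling pfSense Domain Overrides across three sites.
# Box addresses and site domains are taken from the thread; the lease
# tables below are constructed sample data.

OVERRIDES = {
    "site1": "192.168.100.1",
    "site2": "192.168.110.1",
    "site3": "192.168.120.1",
}

# Each pfSense box only knows the DHCP leases it handed out itself
# (step (2): "DHCP Registration" / "Static DHCP"). Constructed sample data.
LOCAL_RECORDS = {
    "192.168.100.1": {"bobpc.site1": "192.168.100.5"},
    "192.168.110.1": {"jeffpc.site2": "192.168.110.7"},
    "192.168.120.1": {"georgepc.site3": "192.168.120.8"},
}


def _labels(qname):
    """Normalise a query name to lowercase labels without a trailing dot."""
    return qname.lower().rstrip(".").split(".")


def choose_upstream(qname, local_domain, overrides=OVERRIDES):
    """Return the override target the query is forwarded to, or None when
    the box answers it itself (own domain, bare hostname, or no override).
    The longest matching suffix wins, as in dnsmasq/unbound zone matching."""
    labels = _labels(qname)
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix == local_domain:
            return None          # our own domain: answer from local leases
        if suffix in overrides:
            return overrides[suffix]
    return None                  # bare name or unknown domain: stays local


def resolve(qname, from_box, local_domain):
    """Resolve qname as seen from the pfSense box at from_box.

    A forwarded query is answered from the remote box's lease table; a
    query that stays local is answered from from_box's own table. Returns
    the IP string or None (NXDOMAIN)."""
    target = choose_upstream(qname, local_domain)
    table = LOCAL_RECORDS[target or from_box]
    return table.get(".".join(_labels(qname)))


def unbound_forward_zones(local_domain, overrides=OVERRIDES):
    """Render the other sites' overrides in unbound forward-zone syntax.
    This is the shape of config a Domain Override produces for the DNS
    Resolver (assumption about pfSense's generated file, not a quote of it)."""
    out = []
    for domain, addr in sorted(overrides.items()):
        if domain == local_domain:
            continue             # a box does not forward its own domain
        out.append(f'forward-zone:\n    name: "{domain}"\n    forward-addr: {addr}')
    return "\n".join(out)


if __name__ == "__main__":
    # Queries from the site2 box (192.168.110.1, domain "site2").
    print(resolve("bobpc.site1", "192.168.110.1", "site2"))   # 192.168.100.5
    print(resolve("bobpc", "192.168.110.1", "site2"))         # None: never forwarded
    print(resolve("jeffpc.site2", "192.168.110.1", "site2"))  # 192.168.110.7
    print(unbound_forward_zones("site2"))
```

    The forwarded query travels over the OpenVPN tunnel from one pfSense box to the other, so the firewall rules on the OpenVPN interface have to allow UDP and TCP port 53 from the peer box's address; the "open to any" rules in the question already cover that. The equivalent line for the DNS Forwarder (dnsmasq) is `server=/site2/192.168.110.1`, which is why the same four steps work under either service.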


  • Thanks for the quick reply. I will give it a go today. I did notice, though, from a previous tinkering session that DNS Forwarding is not enabled by default but DNS Resolving is. When I tried to enable DNS Forwarding it complained that the port is already in use and I should either use a different port or disable the Resolver. Should I go ahead and disable DNS Resolution on all appliances, or only on the client appliances, to make your solution work? If so, having two OpenVPN client appliances, how do I set up the OpenVPN server appliance to forward to both clients? Or am I going about this the wrong way?

    Regards


  • pfSense 2.2.x added the DNS Resolver (Unbound) as an alternate DNS service to the original DNS Forwarder.
    The Resolver is definitely a more full-featured DNS provider for pfSense and is now the default for new installs.

    Most of my systems are upgrades from older versions of pfSense, so they typically use the DNS Forwarder, which is "simpler" but still adequate for my needs.
    You set up one or the other to work with your systems.

    As far as the solution I suggested, you can follow the same steps, just do the "Services->DNS Forwarder" pieces in "Services->DNS Resolver" instead.
    I would suggest you keep the Resolver as is and simply add the changes I suggested.

    You could mix and match the Forwarder vs. Resolver across different sites, but there's little advantage and much confusion to be had going that route.

    As I said earlier, pick one or the other and configure as necessary.