Host Overrides not working externally
Hello all, I am having trouble getting Host Overrides to work externally. Running pfSense 2.3 and the DNS Resolver. Below I am providing an example and some of my settings.
I believe I have the defaults set for the DNS Resolver service; I tried a few different settings, like enabling forwarder mode, to no avail.
See attachment for DNS Resolver settings.
My Host Override settings look like this:
Host = vpn-1
Domain = my.domain.com
IP = 10.22.2.104
So to recap, vpn-1.my.domain.com works perfectly on the LAN.
However it does not work externally from the Internet; I get a Network Timeout error in my browser:
"Network Timeout … The operation timed out when attempting to contact vpn-1.my.domain.com."
I have a proper DNS A record for this domain/host, and DNS resolves externally using tools like nslookup on Kloth.net. See directly below an external nslookup:
DNS server handling your query: 18.104.22.168
DNS server's address: 22.214.171.124#53
I have NAT set up with a corresponding firewall rule:
Interface: WAN | Protocol: TCP | Source: * | Source ports: * | Destination: WAN address | Dest. ports: 2000 | NAT IP: 10.22.2.104 | NAT ports: 2000 | Description: vpn-1-gui
I know replying to my own thread may be bad practice, but I discovered something odd while trying to solve this problem. I started sequentially trying the System Domain Local Zone Type, a new feature I am not familiar with, and when I got down to "redirect" I started getting errors when I tried to apply the setting … now even when I try to switch back to "transparent" I get the same error.
NOTE: "axis-1.my.domain.com A 10.22.2.240" is set up as a static DHCP host in the DHCP server.
The following input errors were detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
 unbound-checkconf[9322:0] error: local-data in redirect zone must reside at top of zone, not at axis-1.my.domain.com A 10.22.2.240
 unbound-checkconf[9322:0] fatal error: failed local-zone, local-data configuration
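The error above comes from unbound's rule that a "redirect" zone answers every name beneath it with the data at the zone apex, so a host override that sits below the apex (axis-1.my.domain.com inside my.domain.com) has nowhere to go. The following Python is an added example, not pfSense's own config generator: it renders host overrides into the local-zone/local-data form unbound reads and applies that apex check before anything is written. The stanza layout and the set of zone types are assumptions about unbound's syntax, and the host values are the ones from the thread.

```python
"""Render pfSense-style host overrides as unbound local-zone / local-data
statements and pre-check the rule behind the poster's unbound-checkconf error:
in a 'redirect' zone, local-data may only exist at the top of the zone.

Added example; the stanza layout is an assumption about what unbound expects,
not a copy of pfSense's generated host_entries.conf."""

from dataclasses import dataclass

# Local zone types unbound accepts (pfSense's dropdown offers a subset of these).
ZONE_TYPES = {"deny", "refuse", "static", "transparent", "typetransparent",
              "redirect", "inform", "inform_deny", "nodefault"}


@dataclass(frozen=True)
class HostOverride:
    host: str      # leave empty to place a record at the zone apex
    domain: str
    ip: str

    def fqdn(self) -> str:
        name = f"{self.host}.{self.domain}" if self.host else self.domain
        return name.lower().rstrip(".")


def check_redirect_apex(zone: str, zone_type: str, overrides) -> list:
    """Return the errors unbound-checkconf would raise for this zone, as strings.

    Only the redirect rule is modelled: every local-data name in a redirect zone
    must equal the zone name itself, because unbound answers all names under a
    redirect zone with the apex data and ignores anything deeper."""
    if zone_type not in ZONE_TYPES:
        return [f"unknown local-zone type {zone_type!r}"]
    if zone_type != "redirect":
        return []
    apex = zone.lower().rstrip(".")
    return [
        "local-data in redirect zone must reside at top of zone, not at "
        f"{o.fqdn()} A {o.ip}"
        for o in overrides
        if o.fqdn() != apex
    ]


def render(zone: str, zone_type: str, overrides) -> str:
    """Produce the unbound stanza, refusing to emit a config unbound would reject."""
    errors = check_redirect_apex(zone, zone_type, overrides)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f'local-zone: "{zone.rstrip(".")}." {zone_type}']
    for o in overrides:
        lines.append(f'local-data: "{o.fqdn()}. A {o.ip}"')
        # Reverse record so PTR lookups of the internal address work too.
        lines.append(f'local-data-ptr: "{o.ip} {o.fqdn()}."')
    return "\n".join(lines)


if __name__ == "__main__":
    # Values from the thread: the host override plus the static DHCP host.
    overrides = [
        HostOverride("vpn-1", "my.domain.com", "10.22.2.104"),
        HostOverride("axis-1", "my.domain.com", "10.22.2.240"),
    ]
    print(render("my.domain.com", "transparent", overrides))
    for err in check_redirect_apex("my.domain.com", "redirect", overrides):
        print("redirect would fail:", err)
```

With "transparent" (the default) both records render; with "redirect" the check reproduces the checkconf complaint for each sub-apex name, which is why switching the zone type back is the fix rather than editing the overrides.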
Why would you think an override would be used externally?? Unbound is not an authoritative name server, even if you pointed your public domain to it.. Who would be using your WAN IP as their DNS?
Let's say you wanted to allow that, which would be a BAD idea; you would have to open up the WAN firewall rules to allow queries.
At a loss as to what that NAT is supposed to be for? What does that have to do with DNS?
Yes, I suppose this could be a bad idea; maybe there is a better/safer/easier way, or maybe this is not possible at all. Most likely I am going about this completely wrong.
Essentially what I want to achieve is for URLs to resolve the same internally and externally.
Internally I want vpn-1.my.domain.com to be resolved to 10.22.2.105 (an internal IP), which it does correctly.
Externally vpn-1.my.domain.com should resolve to 126.96.36.199 (an external IP); this also works correctly.
Seems like a doable thing according to the pfSense doc, however I could be misunderstanding those too, argh.
I tried implementing method 2: split DNS … however I am not using the DNS Forwarder, I am using the DNS Resolver. Maybe that is my problem?
As stated, DNS may not be the problem; especially since the web browser is timing out, it looks even more like a NOT DNS problem.
Does not matter if you use forwarder or resolver, they both support overrides, which would be used by your boxes internally that point to pfSense for DNS.
Set up your host override, do a query from an internal box using your fav tool (nslookup, dig, drill) or just ping that name, and validate it resolves to the internal IP you want.
Now from external, if you want this to forward to some box inside your network, you would have to set up a port forward. Are you trying to run some VPN server behind pfSense?? From the name vpn-1 it seems so.. Why would you not just run the VPN on pfSense? And why would internal boxes need to resolve that name?
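The reply above makes the point that a browser timeout is evidence the name resolved and something further along (the WAN rule, the port forward, or the service itself) never answered. This Python is an added example, not anything from the thread: it separates a name that fails to resolve from a name that resolves but whose TCP port never completes a handshake, which is the first thing to establish before touching the resolver. The host and port are the thread's vpn-1.my.domain.com:2000; the loopback listener helper is there only so the "ok" and "connect" paths can be exercised offline.

```python
"""Tell a DNS failure apart from a reachability failure for host:port.

Added example, not from the thread. A browser 'Network Timeout' means the
name resolved and the TCP connect never completed, which points at the
firewall rule, the port forward, or the service rather than at DNS."""

import socket


def diagnose(host: str, port: int, timeout: float = 3.0):
    """Return (verdict, detail).

    verdict: 'dns'     -> the name did not resolve at all
             'connect' -> it resolved, but no address completed a TCP handshake
             'ok'      -> a TCP handshake completed"""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"{host} does not resolve: {exc}"
    last = "no addresses returned"
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "ok", f"{host} resolved to {sockaddr[0]}, port {sockaddr[1]} answered"
        except OSError as exc:
            # Timeout, refused or unreachable all mean DNS already did its job.
            last = f"{host} resolved to {sockaddr[0]} but port {sockaddr[1]} failed: {exc}"
        finally:
            sock.close()
    return "connect", last


def open_local_listener():
    """Bind a loopback TCP listener on an ephemeral port so the 'ok' path
    can be demonstrated without a real server. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # The thread's target: the NAT rule forwards WAN:2000 to 10.22.2.104:2000.
    verdict, detail = diagnose("vpn-1.my.domain.com", 2000)
    print(verdict, "-", detail)
    srv, port = open_local_listener()
    print(diagnose("127.0.0.1", port))   # ('ok', ...)
    srv.close()
    print(diagnose("127.0.0.1", port))   # ('connect', ...) nothing listening now
```

Run it from an internal box and then from outside: "dns" on the outside means the public A record is the problem (what the poster eventually found), while "connect" on the outside with "ok" inside means the name is fine and the WAN rule, port forward, or service is what to look at.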
Thank you for your help, I think we got things solved, err, resolved actually :) … resolved as I made an error when I added the A record to my upstream DNS server. Anyways all is working as expected now internally and externally, and I apologize for not seeing my error sooner; this really had nothing to do with pfSense, sorry.
Also yes, I am running a VPN server behind pfSense; vpn-1 is an Open Access Server. I used to use pfSense for this but did not like that the client export wizard had to be set up each time; also I really like the client-accessible interface in Open Access Server. Again you are correct, I do not need external boxes to resolve to that host. In retrospect vpn-1 was probably the worst example I could have picked, not sure what I was thinking, and I was mostly just using it for an example, wrongly; I probably should have used something nice and generic like host-1.my.domain.com.
"client export wizard had to be set up each time"
Huh?? You lost me.. All that is needed for the client to connect is the config and, well, sure, the OpenVPN client.. Not sure what you mean by export wizard each time? To export the configurations?
How many clients do you have? Yes, the Access Server has some advantages vs the community FREE version.. It can be easier for your typical user to go to a website ;)
Biggest drawback to AS is it's not free ;)
I do not like the way I have to adjust the settings in the client export wizard (package); every time I use it, it resets to the defaults. I don't have that many clients so it's not really a biggy, but I got Open Access set up and working right now, and yes it sucks that it is not free for more than 2 users :)
Might switch back to pfSense later as OpenVPN works well there too.
Resets to defaults? You mean the OpenVPN instance and what to use to resolve the IP to connect to? Are you adding advanced options? What are you doing in the export that would not be default anyway?
If you do not have very many clients, this would be something you would do like once per client..
divsys:
I'd guess he's talking about the "Host Name Resolution" setting in the Export Wizard as an example.
It defaults to "Interface IP Address" every time you use it, which can be a minor nuisance if your WAN is set up with DDNS for your clients.
It's not a deal breaker by any means, but it can be an annoyance, especially as the "IP address" setting will work great for an exported client - until the IP address of WAN changes…..
Would be nice if the defaults could be locked at something other than raw IP address.
If it locked to, say, the DDNS address, what if I don't have a DDNS address? Then that is a PITA for me ;)
divsys:
I guess that's why people have been asking for the ability for that screen to "remember" what you last used.