OPNsense Forum

English Forums => General Discussion => Topic started by: vtornes on January 16, 2024, 03:40:32 pm

Title: DNS rewrite in one-to-one NAT
Post by: vtornes on January 16, 2024, 03:40:32 pm
Hi all!

I currently have an old Cisco 2901 router whose only job is to provide one-to-one NAT between a client network and a server network (due to historical reasons of course, and overlapping subnets inside and outside).

I want to replace this aging device with an OpnSense virtual appliance, and I got one-to-one NAT working fine except for one thing... There is a DNS server on the outside network, but all it does is forward to our DNS servers on the inside network. In the current Cisco configuration, the inside DNS server replies with the translated addresses. When I swap to the OpnSense appliance, the inside addresses are returned.

The Cisco configuration is pretty basic, and I can see nothing that would affect the DNS replies. The inside DNS server has no knowledge of the translated subnet, so I don't see where the magic is coming from...

Any clues how on earth this works, and how I can get it working in OpnSense?

Title: Re: DNS rewrite in one-to-one NAT
Post by: vtornes on January 17, 2024, 08:49:35 am
Worked it out :-) What's happening on the Cisco box is DNS Doctoring, enabled by default on the router.

To get a similar functionality in OpnSense I enabled Dnsmasq with the following option in /usr/local/etc/dnsmasq.conf:

alias=x.x.x.0,y.y.y.0,255.255.255.0

where x.x.x.0 is internal subnet and y.y.y.0 is the NATed IPs.

I then placed a port forwarding rule for all DNS requests headed for the internal DNS servers to go to OpnSense instead, which in turn redirects requests to the internal servers and applies the alias to the responses.
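As an added illustration (not code from the post, OPNsense or dnsmasq), the script below models what a dnsmasq "alias=old,new,mask" line does to upstream answers: A records whose address falls in the masked old subnet are rewritten onto the new subnet with the host bits preserved, everything else passes through untouched. The subnets, hostnames and records are constructed samples.

```python
# Added example: model of the dnsmasq "alias" rewrite used for DNS doctoring
# in a one-to-one NAT setup. Sample subnets and records are constructed.
import ipaddress


def make_alias(old, new, mask="255.255.255.255"):
    """Parse one alias mapping into (old_net, new_net, mask) as integers."""
    m = int(ipaddress.IPv4Address(mask))
    o = int(ipaddress.IPv4Address(old)) & m
    n = int(ipaddress.IPv4Address(new)) & m
    return o, n, m


def rewrite_address(addr, aliases):
    """Return addr rewritten by the first matching alias, else unchanged.

    Only the network bits covered by the mask are swapped; the host bits are
    kept, which is what yields a one-to-one mapping between the two subnets.
    """
    a = int(ipaddress.IPv4Address(addr))
    for old_net, new_net, mask in aliases:
        if a & mask == old_net:
            host_bits = a & ~mask & 0xFFFFFFFF
            return str(ipaddress.IPv4Address(new_net | host_bits))
    return addr


def doctor_answers(answers, aliases):
    """Apply the rewrite to every A record in a list of (name, type, rdata).

    Like dnsmasq's alias option this touches IPv4 A records only; AAAA and
    other record types are returned as they came from upstream.
    """
    out = []
    for name, rtype, rdata in answers:
        if rtype == "A":
            rdata = rewrite_address(rdata, aliases)
        out.append((name, rtype, rdata))
    return out


# Constructed sample: 10.10.10.0/24 is the inside subnet, 192.0.2.0/24 the
# NATed subnet the clients must see (stands in for the post's x.x.x.0/y.y.y.0).
ALIASES = [make_alias("10.10.10.0", "192.0.2.0", "255.255.255.0")]
SAMPLE = [
    ("srv1.example.internal", "A", "10.10.10.25"),      # rewritten
    ("srv1.example.internal", "AAAA", "2001:db8::25"),  # untouched
    ("other.example.internal", "A", "10.20.30.40"),     # outside alias, untouched
]

if __name__ == "__main__":
    for record in doctor_answers(SAMPLE, ALIASES):
        print(record)
```

Only responses that actually traverse dnsmasq get rewritten, which is why the port forward redirecting client DNS queries to OPNsense is a required part of the setup.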