OPNsense Forum

English Forums => 25.7 Series => Topic started by: amogus on August 31, 2025, 12:00:20 PM

Title: Overriding DNS wildcard for specific hostnames
Post by: amogus on August 31, 2025, 12:00:20 PM
Hi,

Before I start, I want to say that this is my first time setting up any custom network stuff and first time using OPNsense.
(Though I'm no longer a complete beginner, I've had a few months of learning now and I'm very happy with my setup, except this thing I'm currently working on)
So, if you can immediately see that I should switch to doing something completely other than what I'm doing right now, let me know.

Ok, so my setup is as follows:

Running OPNsense 25.7.2
I own a domain, let's call it mydomain.com
I use Unbound + Dnsmasq (because the documentation seemed to recommend this)
I use Traefik as a reverse proxy
(And if relevant, I will also use AdGuard Home, though it's not set up yet)
Traefik, AdGuard Home and any other extra services are not installed as OPNsense add-ons; they are virtualized elsewhere

What I want to do:
I want *.mydomain.com to go to Traefik reverse proxy where I am routed to where needed (so I can do e.g. proxmox.mydomain.com -> goes to 192.168.10.3:8006)
Ok, I can do that all good, I create a host override in Unbound DNS: *.mydomain.com -> Traefik LXC IP. All good, navigating to proxmox.mydomain.com goes through Traefik and gets me to the right place, great.

Issue:
Now when I have the *.mydomain.com override, I'm in trouble if I have something hosted on the internet. Let's say a blog on GitHub Pages should be on blog.mydomain.com. Well, if I try to go to blog.mydomain.com, I just get forwarded to Traefik and it will not be found. Same issue also with the apex domain mydomain.com, even that seems to get forwarded to Traefik.

I'm hoping I could add an override blog.mydomain.com -> "resolve dns normally", but it seems I can only override to specific ip address, which is not usable here.

Any advice?

And to prematurely answer any question "why do you have same domain for local services and potential public ones". Well I think it would be very nice and convenient (once it works correctly). Also some services are both local and public, e.g. if accessing immich in my LAN, everything should go through the lan, but also same domain should also work if I'm not on my lan.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: Monviech (Cedrik) on August 31, 2025, 12:29:05 PM
Since the services you want to override and host with your own domain should be quite contained, you could handle this with an SNI-matching layer 4 route in Traefik. The target could be the original hostname. Traefik just should not use the same DNS server, otherwise there will be a loop since it will send its own traffic to itself.

Just a funny idea. In Caddy this sort of thing works.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: amogus on August 31, 2025, 12:47:47 PM
Quote from: Monviech (Cedrik) on August 31, 2025, 12:29:05 PM
Since the services you want to override and host with your own domain should be quite contained, you could handle this with an SNI-matching layer 4 route in Traefik. The target could be the original hostname. Traefik just should not use the same DNS server, otherwise there will be a loop since it will send its own traffic to itself.

Just a funny idea. In Caddy this sort of thing works.

Oh yeah, so in Traefik I would forward blog.mydomain.com -> blog.mydomain.com, but I would just tell it to use e.g. 1.1.1.1 for DNS. Yeah this should surely be doable in Traefik. Though seems like quite a hack haha, and I wonder what downsides it could come with. I would prefer if there was some other way to do it.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: Monviech (Cedrik) on August 31, 2025, 12:50:00 PM
You could try if a wildcard + specific overrides behave differently when using dnsmasq as main dns server.

But I doubt it. I would use the hacky workaround in the reverse proxy xD
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: amogus on August 31, 2025, 06:12:28 PM
Ok, well I've hit a realization here, this whole setup is pretty dumb. Yes sure, I can nicely access stuff with a browser by doing some_service.mydomain.com, but if I want to ssh, ping, nfs, whatever, to some_service.mydomain.com, this setup is totally useless for that. I will always just get the reverse proxy's IP.

Sigh,... I wonder what the correct way to do this stuff is.
I just didn't want the hassle of upkeeping dns overrides and other forwards in multiple different places.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: Monviech (Cedrik) on August 31, 2025, 06:18:39 PM
You could just use DNS without a catch all override. That would be the simplest solution.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: Monviech (Cedrik) on August 31, 2025, 06:23:12 PM
Also you do not need split DNS, depending on your setup you can just use Reflection and Hairpin NAT.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: amogus on August 31, 2025, 06:58:56 PM
Quote from: Monviech (Cedrik) on August 31, 2025, 06:18:39 PM
You could just use DNS without a catch all override. That would be the simplest solution.

Would be very annoying to have to manually configure DNS entries all the time (as opposed to automatically having stuff come from e.g. docker compose labels).
Also, then I have to type ports at the end of urls for services which require some non-default port to be used to get access to the web UI.
Title: Re: Overriding DNS wildcard for specific hostnames
Post by: Patrick M. Hausen on August 31, 2025, 10:40:12 PM
I use different DNS names for services - going to the reverse proxy - and the hosts that run these services - going to the internal IP address.

- service.mydomain.com for application
- service.internal.mydomain.com to connect via SSH, database connections, whatever

Also Avahi can help with that.

Use https://myservice.mydomain.com in your browser, reverse proxy can do the letsencrypt magic and you do not need a port number. Use ssh myservice.local for admin access.

Works across OPNsense and different subnets with mdns-repeater.

Title: Re: Overriding DNS wildcard for specific hostnames
Post by: amogus on September 01, 2025, 08:35:17 AM
Quote from: Patrick M. Hausen on August 31, 2025, 10:40:12 PM
I use different DNS names for services - going to the reverse proxy - and the hosts that run these services - going to the internal IP address.

- service.mydomain.com for application
- service.internal.mydomain.com to connect via SSH, database connections, whatever

Also Avahi can help with that.

Use https://myservice.mydomain.com in your browser, reverse proxy can do the letsencrypt magic and you do not need a port number. Use ssh myservice.local for admin access.

Works across OPNsense and different subnets with mdns-repeater.
Yeah thanks, I've realized now that what I wanted is pretty much impossible to do cleanly. And I for sure want one domain that goes to reverse proxy as is to be used with browsers and another domain to be used by other protocols to resolve just the ip of the service. I will go with this setup.

Although the original problem remains, that I need a DNS override *.mydomain.com -> reverse proxy, but then when I have e.g. blog.mydomain.com (which is not hosted locally, but somewhere on the internet), it's an issue to access it. But well, I was able to get past that issue with the hack @Monviech suggested (reverse proxy points blog.mydomain.com -> blog.mydomain.com, but just doesn't use my DNS to resolve it).
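The SNI-matching layer 4 route that Monviech proposed and the thread's author confirmed, written out as an added example; this is not configuration from either poster. It assumes Traefik runs in a Docker container with a TCP-capable entrypoint named `websecure` on port 443, that dynamic configuration is loaded from a file provider, and that the container is given a public resolver (1.1.1.1 here, as the thread mentions) so that `blog.mydomain.com` does not resolve back to Traefik through the Unbound wildcard override.

```yaml
# dynamic.yml -- Traefik dynamic configuration (file provider). Added example.
# The TCP router matches on the TLS SNI before any HTTP handling, and
# passthrough: true leaves the TLS session intact, so the origin (e.g. GitHub
# Pages) presents its own certificate and Traefik never needs one for this name.
tcp:
  routers:
    blog-passthrough:
      entryPoints:
        - websecure                     # assumed TCP entrypoint on :443
      rule: "HostSNI(`blog.mydomain.com`)"
      tls:
        passthrough: true               # do not terminate TLS, just forward bytes
      service: blog-origin
  services:
    blog-origin:
      loadBalancer:
        servers:
          # Same hostname as the client asked for. This only works when the
          # Traefik host resolves it via a resolver that does NOT carry the
          # *.mydomain.com override, otherwise the proxy connects to itself.
          - address: "blog.mydomain.com:443"
---
# docker-compose.yml excerpt (assumed deployment). The dns: entry is what
# breaks the loop: the container asks 1.1.1.1 instead of OPNsense/Unbound.
services:
  traefik:
    image: traefik:v3
    dns:
      - 1.1.1.1
    ports:
      - "443:443"
    volumes:
      - ./dynamic.yml:/etc/traefik/dynamic.yml:ro
    command:
      - --providers.file.filename=/etc/traefik/dynamic.yml
      - --entrypoints.websecure.address=:443
```

Two caveats worth checking before relying on this. First, the match is on SNI, so it only covers TLS on port 443; plain `http://blog.mydomain.com` carries no SNI and still lands on whatever HTTP router Traefik has for the wildcard, so keep an HTTP-to-HTTPS redirect or an explicit router for that case. Second, with `passthrough: true` Traefik sees only the encrypted stream, so none of its HTTP middlewares (auth, headers, access-log bodies) apply to this hostname; that is the expected trade-off for forwarding a site you do not terminate yourself.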