I have a domain name, example.com. I want to use it both on my LAN and on the Internet to access my OPNsense router. I read a few how-to articles and set it up, but it is not working. Tried a few things but failed. I need some help.
1. External access question: example.com is pointing to public static IP of OPNsense router. Let's Encrypt example.com certificate is installed on router and also includes an alternate name of example.dyndns.org. I have example.dyndns.org listed in "Alternate Hostnames" under System > Settings > Administration and it works fine to access the router. But example.com gives me "A potential DNS Rebind attack has been detected." error. I have example.com listed as the Domain under System > Settings > General so shouldn't it work? Plus, we have the certificate for it. Am I missing something?
2. Internal access question: We have 4 VLANs, vl10, vl20, vl30, and vl40 using Dnsmasq for DHCP and DNS over TLS in Unbound in the standard configuration (I think) that is described in the OPNsense Manual here:
https://docs.opnsense.org/manual/dnsmasq.html#
We have query forwarding set up in Unbound for 4 zones with:
- Domain = vl10.example.com, vl20.example.com, etc.
- Server IP = 127.0.0.1
- Server Port = 53053
Plus, the reverse zone:
- Domain = 168.192.in-addr.arpa
- Server IP = 127.0.0.1
- Server Port = 53053
Dnsmasq has 4 Ranges set to:
- Interface = vl10, vl20, etc.
- IPs = 192.168.10.2 to 192.168.10.255, 192.168.20.2 to 192.168.20.255, etc.
- Domain = vl10.example.com, vl20.example.com, etc.
My clients are getting DHCP leases on vl10 just fine. Problem is that a client then cannot ping itself via client1.vl10.example.com. Error says it could not be found. But clients CAN ping themselves via their IP addresses. Also, the log in Unbound is set to Level 2 but it is empty.
The example in the Manual that I followed is for setting up using a different private internal domain name, lan.internal, and there was a short note that if a public domain name was to be used instead then we could create a zone that is not used on the Internet, like lan.internal.example.com. I used vl10.example.com, so is that a problem? Must the ".internal" be included?
Also, until a few days ago, before I had the query forwarding set up, I had xxx.internal entered as the Domain under System > Settings > General and all clients on the VLAN were seeing each other. Now they cannot see each other. Not sure if that is of help in diagnosing.
Anyone see any other possible solutions to get the resolution and/or VLANs to work?
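A diagnostic for the Dnsmasq/Unbound chain in question 2, added here as an example and not part of the thread: it asks for the client's A record and its reverse PTR first directly at Dnsmasq (127.0.0.1:53053, as posted) and then through Unbound on port 53, so you can see at which hop the answer disappears. It assumes dig is installed; the client name client1 and the address 192.168.10.5 are constructed placeholders.

```shell
#!/bin/sh
# Diagnostic for the Dnsmasq -> Unbound resolution chain. Added example, not from the
# thread. Assumes the posted layout: Dnsmasq answering on 127.0.0.1:53053, Unbound on
# 127.0.0.1:53, and the zones vl10.example.com / 168.192.in-addr.arpa forwarded to it.
DNSMASQ=127.0.0.1; DNSMASQ_PORT=53053
UNBOUND=127.0.0.1; UNBOUND_PORT=53

# PTR owner name for a dotted IPv4 address: 192.168.10.5 -> 5.10.168.192.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# query <server> <port> <name> <type>: prints "<RCODE> <answer-count>", or
# "NORESPONSE 0" when the server does not answer at all. Requires dig.
query() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    dig +time=2 +tries=1 +noall +comments +answer "@$1" -p "$2" "$3" "$4" 2>&1 |
        awk '/status:/ { st = $6; sub(",", "", st) }
             /^[^;]/   { n++ }
             END       { print (st ? st : "NORESPONSE"), n + 0 }'
}

# check_chain <fqdn> <ip>: A record and reverse PTR, first directly at Dnsmasq, then
# via Unbound. NXDOMAIN straight from Dnsmasq means the lease is not registered under
# that domain; an answer from Dnsmasq that Unbound turns into NXDOMAIN/SERVFAIL points
# at the query-forwarding entries (or private-address filtering) in Unbound, not DHCP.
check_chain() {
    rev=$(ptr_name "$2")
    printf '%-34s %-14s %s\n' "query" "dnsmasq:$DNSMASQ_PORT" "unbound:$UNBOUND_PORT"
    printf '%-34s %-14s %s\n' "$1 A" \
        "$(query "$DNSMASQ" "$DNSMASQ_PORT" "$1" A)" "$(query "$UNBOUND" "$UNBOUND_PORT" "$1" A)"
    printf '%-34s %-14s %s\n' "$rev PTR" \
        "$(query "$DNSMASQ" "$DNSMASQ_PORT" "$rev" PTR)" "$(query "$UNBOUND" "$UNBOUND_PORT" "$rev" PTR)"
}

# Usage (client1 / 192.168.10.5 are constructed placeholders):
#   sh dnschain.sh client1.vl10.example.com 192.168.10.5
if [ "$#" -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

Run it on the router itself (or on a client, changing the server addresses to the gateway of its VLAN) so the queries reach the same listeners the clients use.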
Have the domain name point to your external IP address and use a reverse proxy like Caddy for access and TLS/SSL termination. Works from the inside (LAN) just as well.
If it's not HTTP or HTTPS but some other service, still have the DNS point to the external address only and use NAT reflection for your internal clients.
Split-DNS while originally a good idea leads to a very complicated setup for services that are supposed to be both public and private. Just settle with a single IP address for all.
Quote from: Patrick M. Hausen on Today at 12:58:17 AM
Have the domain name point to your external IP address and use a reverse proxy like Caddy for access and TLS/SSL termination. Works from the inside (LAN) just as well.
If it's not HTTP or HTTPS but some other service, still have the DNS point to the external address only and use NAT reflection for your internal clients.
Split-DNS while originally a good idea leads to a very complicated setup for services that are supposed to be both public and private. Just settle with a single IP address for all.
Sounds complicated but I'll take a look. Know of a good How To?
Any thoughts on if my router should be accessible via example.com and why I am getting an error?