OPNsense Forum

English Forums => General Discussion => Topic started by: foss-johnny on February 23, 2026, 12:26:46 AM

Title: Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX
Post by: foss-johnny on February 23, 2026, 12:26:46 AM
Hi all,

If I have multiple LAN subnets, and I want my clients in each subnet to be able to resolve/route to NGINX running on OPNsense, and then NGINX forwards to a server IP running in a DMZ subnet, what is the correct way to configure the DNS?

Do you set up a single Unbound DNS override entry to point to a single LAN gateway that you designate for NGINX, or do you somehow set up each LAN to have the DNS name of the server resolve to their respective LAN gateway interfaces?

Title: Re: Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX
Post by: foss-johnny on February 26, 2026, 12:20:55 PM
Bump.

Any advice would be appreciated.

I was thinking to perhaps create a new VLAN and use VIPs for any service hosted on the OPNsense itself.

Is this the right design approach or should a different design be used?

Title: Re: Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX
Post by: Monviech (Cedrik) on February 26, 2026, 02:46:50 PM
You can use the external IP address of the OPNsense, split DNS is not necessary. Just normal external A records will be enough since the OPNsense will listen on this external IP address via a socket (if nginx is bound to it or to the * (any) interface). The default route of all clients sends the traffic to the OPNsense anyway.

Otherwise just use any IP of the OPNsense and Unbound for a Host override. Just make sure the firewall rules allow access.

Title: Re: Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX
Post by: foss-johnny on February 27, 2026, 12:16:10 AM
Quote from: Monviech (Cedrik) on February 26, 2026, 02:46:50 PM
> You can use the external IP address of the OPNsense, split DNS is not necessary.

Would a reflection or hairpin NAT be needed so that various internal LAN subnet clients can connect back to the external IP address?

Title: Re: Configuring Unbound DNS for Multi-Subnet Proxy Access via NGINX
Post by: Patrick M. Hausen on February 27, 2026, 12:20:52 AM
If there is a DNAT/port-forward on that external IP address, yes. If it's a reverse proxy, no. That's the beauty of reverse proxies.