OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: incirrata on October 22, 2018, 10:36:38 pm

Title: Unbound DNS Override for Web GUI?
Post by: incirrata on October 22, 2018, 10:36:38 pm
I have a fairly complex firewall setup with multiple physical LANs and WANs. I use DHCP static mappings to help control which hosts can connect to which LAN, and Unbound to provide DNS on each LAN and the oVPN server. The web GUI is running on a separate physical interface called CONTROL, which connects to one of the LANs, called TRUSTED.

I want to be able to access the web GUI by entering the firewall's hostname and domain in my browser, as normal, but this isn't possible right now because when I nslookup the firewall, it shows the network address of all LANs and the VPN; the interfaces marked as Network Interfaces in Unbound. I tried creating a DNS override in Unbound with just the CONTROL IP, but this just added it to the list of addresses found when using nslookup.

How can I use Unbound to provide DNS to my various LANs and VPN servers, but retain only one DNS entry that corresponds to the web GUI?

Title: Re: Unbound DNS Override for Web GUI?
Post by: Oxygen61 on October 24, 2018, 07:45:13 pm
Hi incirrata,

really funny to read that post here. I had the same problem a few days ago. :D
To be honest I did not find a "clean" solution for that, since I tried the same as you, writing a DNS override, which doesn't work.

What I did as a workaround, which worked fairly well, is the following:
(Firewall -> NAT -> Port-Forward)

If | Proto | Source-Address | Ports | Dest-Address | Ports | NAT-IP | Ports | Description
VLAN_USER | TCP | 192.168.X.X/XX | * | This Firewall | <Web-GUI Port> | 192.168.X.X | <Web-GUI Port> | [VLAN_User] Web-GUI Administration only on one Interface

You have to create different Port-Forward rules for different source subnets, which are likely to ask the firewall for its web-GUI address. "This Firewall" is a default Alias, which listens on every interface for every gateway IP in all your different subnets configured to use the firewall. -> You do not need to create this Alias, it's there by default. :)
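As an added example (not code from this thread or from OPNsense), here is a small Python check for the symptom the first post describes and the state the workaround above is trying to reach: it parses `nslookup` output for the firewall's hostname and reports whether anything other than the management (CONTROL) address is being handed out. The hostname `fw.example.lan`, the resolver output and every address are constructed placeholders; `CONTROL_IP` is an assumed value you would replace with your own CONTROL interface address.

```python
"""
Added example, not from the forum thread or from OPNsense.

Audit what a resolver returns for the firewall's own hostname and check
that only the management (CONTROL) address is visible to clients.
All names and addresses below are constructed placeholders.
"""
import ipaddress
import re

# Constructed sample of `nslookup fw.example.lan` output as the first post
# describes it: the firewall's name resolves to every interface Unbound
# listens on (three LANs plus the VPN), not just the web-GUI interface.
SAMPLE_NSLOOKUP_ALL_INTERFACES = """\
Server:\t\t192.0.2.1
Address:\t192.0.2.1#53

Name:\tfw.example.lan
Address: 192.0.2.1
Name:\tfw.example.lan
Address: 198.51.100.1
Name:\tfw.example.lan
Address: 203.0.113.1
Name:\tfw.example.lan
Address: 10.8.0.1
"""

# Constructed sample of the desired state: a single answer, the CONTROL IP.
SAMPLE_NSLOOKUP_CONTROL_ONLY = """\
Server:\t\t192.0.2.1
Address:\t192.0.2.1#53

Name:\tfw.example.lan
Address: 192.0.2.1
"""

CONTROL_IP = ipaddress.ip_address("192.0.2.1")  # assumed CONTROL interface address


def parse_nslookup(text):
    """Return {name: [addresses]} from the answer part of nslookup output.

    The leading 'Server:' / 'Address: x.x.x.x#53' lines describe the resolver
    itself and appear before any 'Name:' line, so they are skipped because no
    name has been seen yet.
    """
    answers = {}
    name = None
    for line in text.splitlines():
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            name = m.group(1).rstrip(".")
            answers.setdefault(name, [])
            continue
        m = re.match(r"Address:\s+(\S+)", line)
        if m and name is not None:
            addr = m.group(1).split("#")[0]  # drop a trailing '#port' if present
            answers[name].append(ipaddress.ip_address(addr))
    return answers


def audit_gui_name(text, fqdn, control_ip):
    """Check that `fqdn` resolves to exactly one address, the CONTROL IP.

    Returns (ok, extra_addresses): ok is True only when the single answer is
    control_ip; extra_addresses lists every other address that was returned,
    i.e. the interfaces clients would also try for the web GUI.
    """
    addrs = parse_nslookup(text).get(fqdn, [])
    extras = [str(a) for a in addrs if a != control_ip]
    ok = len(addrs) == 1 and addrs[0] == control_ip
    return ok, extras


if __name__ == "__main__":
    for label, sample in (("all interfaces", SAMPLE_NSLOOKUP_ALL_INTERFACES),
                          ("control only", SAMPLE_NSLOOKUP_CONTROL_ONLY)):
        ok, extras = audit_gui_name(sample, "fw.example.lan", CONTROL_IP)
        print(f"{label}: ok={ok} extra addresses={extras}")
```

On a live system you would feed the function the captured output of `nslookup <firewall fqdn>` run from each LAN and from a VPN client; a non-empty `extras` list shows exactly which interface addresses are still being advertised for the GUI name.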