Stupid OE doesn't quote properly for some reason. Thanks for responding btw, was beginning to think everyone missed it :)
----- Original Message -----
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: "Matthew Lenz" <[EMAIL PROTECTED]>
Cc: "pfsense" <[email protected]>
Sent: Thursday, July 28, 2005 11:25 AM
Subject: Re: [pfSense-discussion] dns forwarder and other general questions

On 7/27/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> I have 4 subnets that each have their own interfaces (LAN, OPT1, OPT2,
> OPT3) and are the gateway for each of the subnets. I have development and
> backend T1 access on the LAN net, webservers on the OPT1 net, app and
> database servers on OPT2 and the mail servers are on OPT3.
>
> I intend to make it so that each of these subnets has limited filtered port
> access to one another. Everything is working fine so far but I wanted to
> throw out some questions just to get them out of the way.
>
> 1. If I want to resolve DNS (via the DNS forwarder) from OPT1 net, 2 net and
> 3 net do I need to add a rule to allow access to the LAN interface IP from
> those networks? Or does the DNS forwarder listen on all the OPT interfaces
> as well? If not, can it?

To be safe make sure you have a rule allowing DNS. It should listen on all interfaces.

----- response -----
OK, you are right, it does work. For now I have all my subnets with subnet -> any accept entries and it works just fine from each subnet I've tried. It wasn't working before because I didn't have the accept any rule in place. Once I get everything configured I'll lock down access between the subnets.
----- end response -----

> 2. Does the DNS forwarder allow reverse DNS entries? It's nice to be able to
> just put all my server DNS entries in the firewall rather than having to add
> all the servers to each other's /etc/hosts files; however, without reverse DNS
> lookup you'd get that nice few second hang while it attempts to reverse
> resolve the hostname. If the daemon does support it, it might be nice to have a
> checkbox when adding an entry if you want reverse DNS to be proxied/forwarded
> as well. It's understandable that this is a little more feature than is
> needed in the firewall. Same could be said for multiple IPs per hostname
> if that isn't supported.

It should allow reverse entries but I have not tried it.

----- response -----
I meant through the interface; can't see how it would currently work, unless you mean manually configuring the DNS forwarder via the shell.
----- end response -----

> 3. What exactly are the differences between the LAN and OPT interfaces? As
> far as I can tell it is:
> a) various fw services listen only on the LAN IP.
> b) LAN has access to all OPT nets (how is that done? is it because of
> the default rule that's added?)
> c) others?

An optional interface currently does not have PPPoE, etc. We're slowly making our way to allow an OPTIONAL interface to function just like WAN. Right now you can use DHCP or static addressing to allow for multiple WANs.

----- response -----
I'm actually using LAN and all the OPT interfaces more like multiple DMZs (assuming I've got the terminology correct). I've got different servers/services isolated into their own subnets and VLANed off on the switch. Each VLAN has an "uplink" to its own interface on the firewall (dual gig onboard + 4-port Intel gig card). It seems to be working well so far.
----- end response -----

> .. possible feature request
>
> It's possible to name all the OPT interfaces however you'd like. It would
> also be nice to be able to rename the LAN and WAN interfaces to be more
> descriptive.

It's not possible to rename the LAN and WAN interfaces. This will change when server roles enter into the picture but that will not be until after the first release.

----- response -----
Makes sense, but you could make it so they could have a description that's shown on the menu rather than the LAN, WAN names. You could really do the same with the OPT interfaces and make it so they aren't actually renamed but have a description that shows up in the menu. This way I could show something like:

WAN (VLAN100)
LAN (VLAN200)
OPT1 (VLAN300)
OPT2 (VLAN400)
OPT3 (VLAN500)
OPT4 (PFSYNC)

and things would be a bit more descriptive. I tried to rename the OPT interfaces but found that things didn't work properly, it was really strange. If I get some time I'll try to recreate it.
----- end response -----

Scott
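The rule arrangement the thread circles around (point 1, a rule allowing DNS from each OPT net to the firewall, and the reply's plan to replace the interim "subnet -> any accept" entries with locked-down inter-subnet access) written out as an added example in raw pf syntax. This is not code from the thread or from pfSense; pfSense generates its pf ruleset from the rules entered in the web GUI, so this fragment is the equivalent of what those GUI rules would express. The interface names, subnet addresses, gateway addresses and application ports are all assumptions chosen to match the four-segment layout described in the thread (LAN = dev/backend, OPT1 = web, OPT2 = app/db, OPT3 = mail).

```pf
# Added example, not pfSense's generated ruleset. Every name, address and
# port below is an assumption picked to match the layout in the thread.
lan  = "em1"
opt1 = "em2"
opt2 = "em3"
opt3 = "em4"

lan_net  = "10.0.0.0/24"   # assumed
opt1_net = "10.0.1.0/24"   # assumed
opt2_net = "10.0.2.0/24"   # assumed
opt3_net = "10.0.3.0/24"   # assumed

# Firewall's own address on each OPT interface (assumed); the DNS forwarder
# listens here, so no rule to the LAN IP is needed from the OPT nets.
opt1_ip = "10.0.1.1"
opt2_ip = "10.0.2.1"
opt3_ip = "10.0.3.1"

# A table is used because pf does not allow "!" on a plain list.
table <internal> { $lan_net, $opt1_net, $opt2_net, $opt3_net }

set skip on lo0

# Default deny inbound on the OPT interfaces, logged, so anything not listed
# below shows up in the firewall log instead of silently working.
block log in on { $opt1, $opt2, $opt3 } all

# Point 1: each OPT net may reach the DNS forwarder on its own interface
# address only, not the LAN IP and not the other subnets.
pass in quick on $opt1 proto { tcp, udp } from $opt1_net to $opt1_ip port 53 keep state
pass in quick on $opt2 proto { tcp, udp } from $opt2_net to $opt2_ip port 53 keep state
pass in quick on $opt3 proto { tcp, udp } from $opt3_net to $opt3_ip port 53 keep state

# Tier-to-tier access, deliberately narrow (ports assumed):
# web -> app/db on the application port, app/db -> mail on SMTP.
pass in quick on $opt1 proto tcp from $opt1_net to $opt2_net port 8080 keep state
pass in quick on $opt2 proto tcp from $opt2_net to $opt3_net port 25 keep state

# Anything else from an OPT net may leave for non-internal destinations
# (i.e. the Internet). This replaces the interim "subnet -> any" rule
# without letting the segments talk to each other.
pass in quick on $opt1 from $opt1_net to ! <internal> keep state
pass in quick on $opt2 from $opt2_net to ! <internal> keep state
pass in quick on $opt3 from $opt3_net to ! <internal> keep state

# LAN keeps the allow-all behaviour the thread describes in point 3b.
pass in on $lan from $lan_net to any keep state
```

Rules are matched inbound on the interface the packet arrives on, which is how pfSense evaluates its per-interface rules as well; the `quick` keyword makes each pass rule final, and `keep state` lets the reply traffic back through the default block on the way out. The logged block rule is the useful part during the "lock down" phase the thread mentions: whatever the servers still need between segments shows up as blocked entries in the log and can be turned into a specific pass rule rather than reinstating "subnet -> any".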
