Ahh... If you rename the Optional interfaces, don't use spaces.

Scott
On 7/28/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> stupid OE doesn't quote properly for some reason. thanks for responding
> btw, was beginning to think everyone missed it :)
>
> ----- Original Message -----
> From: "Scott Ullrich" <[EMAIL PROTECTED]>
> To: "Matthew Lenz" <[EMAIL PROTECTED]>
> Cc: "pfsense" <[email protected]>
> Sent: Thursday, July 28, 2005 11:25 AM
> Subject: Re: [pfSense-discussion] dns forwarder and other general questions
>
>
> On 7/27/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> > I have 4 subnets that each have their own interfaces (LAN, OPT1, OPT2,
> > OPT3) and are the gateway for each of the subnets. I have development and
> > backend T1 access on the LAN net, webservers on the OPT1 net, app and
> > database servers on OPT2 and the mail servers are on OPT3.
> >
> > I intend to make it so that each of these subnets has limited filtered port
> > access to one another. Everything is working fine so far but I wanted to
> > throw out some questions just to get them out of the way.
> >
> > 1. If I want to resolve DNS (via the DNS forwarder) from OPT1 net, 2 net and
> > 3 net do I need to add a rule to allow access to the LAN interface IP from
> > those networks? Or does the DNS forwarder listen on all the OPT interfaces
> > as well? If not, can it?
>
> To be safe make sure you have a rule allowing DNS. It should listen
> on all interfaces.
>
> ----- response -----
> ok you are right it does work. for now I have all my subnets with subnet ->
> any accept entries and it works just fine from each subnet I've tried. it
> wasn't working before because I didn't have the accept any rule in place.
> Once I get everything configured I'll lock down access between the subnets.
> ----- end response -----
>
> > 2. Does the DNS forwarder allow reverse DNS entries? It's nice to be able to
> > just put all my server DNS entries in the firewall rather than having to add
> > all the servers to each other's /etc/hosts files; however, without reverse DNS
> > lookup you'd get that nice few-second hang while it attempts to reverse
> > resolve the hostname. If the daemon does support it, it might be nice to have a
> > checkbox when adding an entry if you want reverse DNS to be proxied/forwarded
> > as well. It's understandable that this is a little more feature than is
> > needed in the firewall. Same could be said for multiple IPs per hostname
> > if that isn't supported.
>
> It should allow reverse entries but I have not tried it.
>
> ----- response -----
> I meant through the interface, can't see how it would currently work.
> unless you mean manually configuring the DNS forwarder via the shell
> ----- end response -----
>
> > 3. What exactly are the differences between the LAN and OPT interfaces? As
> > far as I can tell it is:
> > a) various fw services listen only on the LAN IP.
> > b) LAN has access to all OPT nets (how is that done? is it because of
> > the default rule that's added?)
> > c) others?
>
> An optional interface currently does not have PPPoE, etc. We're
> slowly making our way to allow an OPTIONAL interface to function just
> like WAN. Right now you can use DHCP or static addressing to allow
> for multiple WANs.
>
> ----- response -----
> I'm actually using LAN and all the OPT interfaces more like multiple DMZs
> (assuming I've got the terminology correct). I've got different
> servers/services isolated into their own subnets and VLANed off on the
> switch. Each VLAN has an "uplink" to its own interface on the firewall
> (dual gig onboard + 4-port Intel gig card). It seems to be working well so
> far.
> ----- end response -----
>
> > .. possible feature request
> >
> > It's possible to name all the OPT interfaces however you'd like. It would
> > also be nice to be able to rename the LAN and WAN interfaces to be more
> > descriptive.
>
> It's not possible to rename the LAN and WAN interfaces. This will
> change when server roles enter into the picture but that will not be
> until after the first release.
>
> ----- response -----
> makes sense, but you could make it so they could have a description that's
> shown on the menu rather than the LAN, WAN names. You could really do the
> same with the OPT interfaces and make it so they aren't actually renamed but
> have a description that shows up in the menu. This way I could show
> something like:
>
> WAN (VLAN100)
> LAN (VLAN200)
> OPT1 (VLAN300)
> OPT2 (VLAN400)
> OPT3 (VLAN500)
> OPT4 (PFSYNC)
>
> and things would be a bit more descriptive. I tried to rename the OPT
> interfaces but found that things didn't work properly, it was really
> strange. If I get some time I'll try to recreate it.
> ----- end response -----
>
> Scott
>
>
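As an added example (not part of the thread and not pfSense's own configuration), the lock-down Matthew says he will do once everything is configured, written as pf rules instead of "subnet -> any" GUI entries: each segment may query the forwarder only on its own interface address, LAN keeps access to every segment, the DMZ segments reach each other only on named ports, and everything else between segments is dropped and logged. Interface names, address ranges and the web-to-app port are constructed placeholders.

```pf
# Added example: device names and networks are constructed placeholders,
# not the names pfSense assigns. Each VLAN uplinks to one interface.
wan_if  = "em0"
lan_if  = "em1"   # development, backend T1
opt1_if = "em2"   # webservers
opt2_if = "em3"   # app and database servers
opt3_if = "em4"   # mail servers

lan_net  = "10.20.0.0/24"
opt1_net = "10.30.0.0/24"
opt2_net = "10.40.0.0/24"
opt3_net = "10.50.0.0/24"
table <internal> { $lan_net, $opt1_net, $opt2_net, $opt3_net }
app_port = "8080"   # assumed port the webservers use to reach the app tier

set skip on lo0
set block-policy drop

# Default deny: anything not passed below is dropped and logged, so blocked
# cross-segment traffic shows up in the pf log for review.
block log all

# A packet arriving on a segment interface must carry that segment's source.
antispoof quick for { $lan_if, $opt1_if, $opt2_if, $opt3_if }

# DNS: each segment talks to the forwarder on its own gateway address only.
# The forwarder listens on all interfaces, so no rule to the LAN IP is needed.
pass in quick on $lan_if  proto { tcp, udp } from $lan_net  to ($lan_if)  port 53 keep state
pass in quick on $opt1_if proto { tcp, udp } from $opt1_net to ($opt1_if) port 53 keep state
pass in quick on $opt2_if proto { tcp, udp } from $opt2_net to ($opt2_if) port 53 keep state
pass in quick on $opt3_if proto { tcp, udp } from $opt3_net to ($opt3_if) port 53 keep state

# LAN keeps access to every segment, as the thread describes for LAN.
pass in quick on $lan_if from $lan_net to <internal> keep state

# Between the DMZ segments only the named service ports are allowed.
pass in quick on $opt1_if proto tcp from $opt1_net to $opt2_net port $app_port keep state
pass in quick on $opt1_if proto tcp from $opt1_net to $opt3_net port 25 keep state

# Every segment may reach the Internet, but nothing internal beyond the rules above.
pass in quick on { $lan_if, $opt1_if, $opt2_if, $opt3_if } from <internal> to ! <internal> keep state

# Let the firewall's own traffic and forwarded packets leave.
pass out quick keep state
```

Because `block log all` carries no `quick`, the quick pass rules win on first match and everything unmatched falls through to the logged drop.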
